User authorization on a rest service via an access token

Question

I have a mobile application (HTML 5, JavaScript) and a Restful service (Java, Jersey) to cater the mobile application.

Mobile application sign in is handled via a Facebook (Sign in using Facebook account). And currently there is no any security mechanism integrated for the Restful service

So my question is, can I authorize users on the Restful service via the access token retrieved from Facebook, to the mobile application ? To further clarify, if someone has logged into the mobile he/she should be authorized to make requests to the Restful service.

Thanks in advance Asanka

Answer 1

If the user has authenticated with Facebook and you have the access token with you, you can get the user's facebook profile's public information. You've got to hit this link - https://graph.facebook.com/me with the access token.

Go ahead, click on the link and see what happens. When you pass a valid access token, profile info will be returned as a JSON object. (if you FB profile page is = facebook.com/yourname, then just try https://graph.facebook.com/yourname -> you'll be able to see what the data returned looks like.

Now, with the user data returned you can keep an entry in your DB if the user is registered or not, for first time users you can register them.

PS - https://graph.facebook.com/yourname actually returns someone's profile info! I didn't know anyone could keep their profile handle as yourname!!!
PPS - I just checked facebook.com/yourname -> Guess who uses this handle! It's the brazilian defender Roberto Carlos!