Facebook Authenticator

The Facebook authenticator provides the ability for users to login using Facebook. The integration to Facebook is done using OAuth 2. To use it, you need to configure a OAuth 2 client in Facebook, and then configure a Facebook authenticator instance in the Authentication Service. The steps to do this are described below.

Configuring Facebook

To use Facebook accounts in the Authentication Service, you need to register a Facebook app. To do this, sign into Facebook, register as a developer, and create a new new app at https://developers.facebook.com/.

Create a New Project

After logging into Facebook for Developer, click on My Apps in the top navigation bar. Then click Create App.

../../_images/1-start.png

Fig. 68 Facebook - Start screen

In the Create an App screen, select an App Type, for example None. Then click Next

../../_images/2-app-type.png

Fig. 69 Facebook - Select App Type

Then, enter a Display name (e.g., CurityLogin) and an App contact email, then click the Create app button.

../../_images/3-set-app-details.png

Fig. 70 Facebook - Create new Facebook app

In the panel to the left, select Setting -> Basic. Facebook has generated credentials for the authenticator. The App ID in Facebook will correspond to the client_id in the Authentication Service, and Facebook’s App secret will be used as the client_secret. To access this secret key, click the Show button.

../../_images/4-appid-secret.png

Fig. 71 Facebook - App ID and App Secret

The Redirect URI

The redirect URI is the URI where Facebook will redirect the user when the authentication is done. The URI that the Authentication Service uses is generated automatically based on configuration, and is the path to the authenticator with an added /callback. This last part of the path is only used in the communication between the Authentication Service and Facebook, and can not be changed whereas the preceding components of the path can be.

The form is like this:

<base-url>/<authentication-endpoint>/<authenticator-id>/callback

For example, for a server running on server1.local and a protocol of https and listening on port 8443 and having an authentication endpoint configured to be /authn/authentication and with a Facebook authenticator instance called facebook1, the redirect URI would be:

https://server1.local:8443/authn/authentication/facebook1/callback

Set the Redirect URI

This redirect URI needs to be set in Facebook. To do so, find that app that you previously created (e.g., CurityLogin), and click Facebook Login -> Settings in the panel on the left .

In the Valid OAuth Redirect URIs section, add the redirect URI(s).

Important

Press enter in order for the redirect URI to be added to the field.

../../_images/5-redirect-uri.png

Fig. 72 Facebook - Redirect URI

Finally, click Save Changes.

The App is now registered and can be used in the Authentication Service.

The Data Deletion Request Callback URL

Apps that access user data from Facebook must provide a way for users to request that their data be deleted. Your app can satisfy this requirement by configuring a Data Deletion Request Callback URI pointing at the Facebook authenticator in the Curity Identity Server.

The callback URL should use the following pattern:

<base-url>/<authentication-endpoint>/<authenticator-id>/data-deletion-callback

For example, for a server running on server1.local and a protocol of https and listening on port 8443 and having an authentication endpoint configured to be /authn/authentication and with a Facebook authenticator instance called facebook1, the Data Deletion Request Callback URL would be:

https://server1.local:8443/authn/authentication/facebook1/data-deletion-callback

When a user asks for their data to be deleted, Facebook calls the Curity Identity Server callback and the existing linked account with the configured account domain is deleted.

See Facebook documentation about how to use Data Deletion Request Callback.

Set the Data Deletion Request Callback URL

The Data Deletion Request Callback URL needs to be configured for your app in Facebook. To do so, find the app that you previously created (e.g., CurityLogin), and click App settings -> Basic in the panel on the left .

In the User data deletion section, select Data deletion callback URL and set its value in the below field.

../../_images/6-data-deletion-request-callback-url.png

Finally, click Save Changes.

Important

When the Data Deletion Request Callback URL is configured in the Facebook App, then it is mandatory to configure an Account Manager in the Facebook Authenticator. See account-manager property in the authenticator configuration hereafter.

Configuration in the Authentication Service

The general authenticator configuration is described under Authenticator Base Configuration. This section describes the additional parameters that are available for the Facebook authenticator.

Important

Authenticator base is /profiles/profile{id type}/settings/authentication-service/authenticators/

List Entry: <authenticator_base>/authenticator/ (key id)

client_id: The OAuth2 client ID that is registered at Facebook

type string

mandatory

client_secret: The OAuth2 client secret that is registered at Facebook

type string

mandatory

scope: The scope to ask Facebook for, space separated

type string

default public_profile email

authorization-endpoint: URL to the Facebook authorization endpoint

type string

default https://www.facebook.com/dialog/oauth

token-endpoint: URL to the Facebook token endpoint

type string

default https://graph.facebook.com/v2.3/oauth/access_token

userinfo-endpoint: URL to the Facebook userinfo endpoint

type string

default https://graph.facebook.com/v2.2/me

account-manager: The account manager to delete user personal data from, when the Data Deletion Callback URL is configured in the Facebook Application
type string

Example:

<authenticator xmlns="https://curity.se/ns/conf/profile/authentication">
    <id>facebook1</id>
    <facebook xmlns="https://curity.se/ns/conf/authenticators/facebook">
        <client-secret>123456778912345677890012345677890</client-secret>
        <client-id>1234567890</client-id>
    </facebook>
</authenticator>