I have a webapp, where the backend Rest Server and front end is Angular 2 spa.
I have split the backend into Resource server and Authserver.
My current webapp allows the end users to
- Either register manually and log in to use website
- Or use Facebook
to log in.
For use case 2,i.e. Facebook log in,I am doing the following
- get fb token, via FB js SDK.(requested by angular frontend)
- send this token to Resource server
- Verify it in resource server by calling the FB api and verifying token validity and user_id
- Now generate my webapp's token from my webapps' Auth server
- And use this token for further API validations
In step 4, I am not sure how to proceed further.
From docs, it seems that most suitable grant is password in this case.
If I use "password" grant_type, then i need to supply username password from Resource server, Which i can not because my passwords stored in DB are Bcrypt encoded(encrypted).
How should i solve this issue. This is a rather very common use case, I am wondering what others do to validate their APIs after logging through facebook? Do they use FB tokens for all successive API validations or their local tokens.
Can someone point out what is the correct grant_type i should use so that i don't lose track of logged in user?