If you look at the OAuth dialog reference ( ), it seems like you only ever use the token to fetch information about the user, and if you specify the response_type parameter as token or code,token, then you get the token the first time.
You as a user want to try a new Facebook app called Highjack. So you click on the application and the Highjack app asks you to log into your Facebook account. When you are done, Facebook generates an authentication code for you.
If the Highjack app wanted implicit grant (i.e. direct access token), then the access token would be visible to you also since it is being exchanged with the browser. This means you can now call all Facebook APIs on behalf of Highjack using the access token. (You can only use the access token to get your personal information but Facebook has no way of knowing who is calling their APIs.)
Authorization Code: An authorization code is a short-lived token representing the user's access grant, created by the authorization server and passed to the client application via the browser. The client application sends the authorization code to the authorization server to obtain an access token and, optionally, a refresh token.
Access Token: The access token is used by the client to make authenticated requests on behalf of the end user. It has a longer lifetime than the authorization code, typically on the order of minutes or hours. When the access token expires, attempts to use it will fail, and a new access token must be obtained via a refresh token.
The authorization code provides a few important security benefits such as the ability to authenticate the client, and the transmission of the access token directly to the client without passing it through the resource owner's user-agent, potentially exposing it to others, including the resource owner.
According to Nate Barbettini we want the extra step of exchanging the authentication code for the access token, because the authentication code can be used in the front channel (less secure), and the access token can be used in the back channel (more secure).
Thus, the security benefit is that the access token isn't exposed to the browser, and thus cannot be intercepted/grabbed from a browser. We trust the web server more, which communicates via back channels. The access token, which is secret, can then remain on the web server, and not be exposed to the browser (i.e. front channels).
In step 2, the client (client_id) tells the OAuth server: "I've got the user's authorization (authorization_code), please give me an access token for later access. And this is my authentication (client_id & client_secret)."
You see, if we omit step 2, then there is no guarantee of client authentication. Any client can invoke step 1 with a different client_id and get an access token for that client_id instead of its own. That's why we need step 2.
The mix-up came because the user, on behalf of himself and not the client app, authenticates against the authorization server (i.e. Facebook). It's much simpler to secure the client app (with HTTPS) than the user-agent (browser).
An authorization code represents the intermediate result of a successful end-user authorization process and is used by the client to obtain access and refresh tokens. Authorization codes are sent to the client's redirection URI instead of tokens for two purposes.
Browser-based flows expose protocol parameters to potential attackers via URI query parameters (HTTP referrer), the browser cache, or log file entries and could be replayed. In order to reduce this threat, short-lived authorization codes are passed instead of tokens and exchanged for tokens over a more secure direct connection between client and authorization server.
In another case, you may want a user to register/login to your app using some external auth service provider like Facebook, Google etc. In this case, your frontend will send the auth code to the backend, which can use it to get an access token from Facebook at the server side. Now your server becomes enabled to access the user's FB data from the server.
Basically, as an extension of Lix's answer, the access code route allows a Resource Owner (i.e. the Facebook User) to revoke authorization for their User Agent (i.e. their browser), e.g. by logging off, without revoking authorization for an offline Client (i.e. Your Application). If this is not important, then there is no need to use the access code route.
Furthermore, the access code is provided to ensure that the Token provided to a server is actually registered to the Resource Owner (i.e. the Facebook User), and not the User Agent (or a Man-in-the-Middle).
If I'm correct, the code%20token is an optimization allowing both the User Agent to have a token and allowing for the server to initiate the token exchange process in a single request (as anything over Network IO is considered expensive, especially to a User Agent).
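The code-exchange step the answers above argue for, as an added illustration that is not part of the original thread and not Facebook's code: a toy authorization server where the browser only ever sees the short-lived code, and the code can be turned into an access token only by the registered client that presents its client_secret over the back channel. Client ids, secrets and lifetimes are constructed sample values.

```python
import hmac
import secrets
import time

# Constructed toy authorization server (hypothetical; not Facebook's code).
# Registered clients: client_id -> client_secret (constructed sample values).
CLIENTS = {"highjack": "highjack-secret", "other-app": "other-secret"}
CODE_LIFETIME_S = 60

class AuthServer:
    def __init__(self, clients=CLIENTS):
        self.clients = clients
        self.codes = {}    # code -> (client_id, user, expiry); one-time use
        self.tokens = {}   # access_token -> user

    def authorize(self, client_id, user):
        """Front channel (browser redirect): the user consents and the server
        hands back a short-lived code bound to the requesting client_id."""
        if client_id not in self.clients:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, time.time() + CODE_LIFETIME_S)
        return code

    def token(self, client_id, client_secret, code):
        """Back channel (server-to-server): the code is redeemed only by the
        client that proves its identity with client_secret; the access token
        is returned on this connection and never passes through the browser."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None                       # client authentication failed
        entry = self.codes.pop(code, None)    # any redemption attempt consumes it
        if entry is None:
            return None                       # unknown or already-used (replayed) code
        bound_client, user, expiry = entry
        if bound_client != client_id or time.time() > expiry:
            return None                       # code belongs to another client, or expired
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = user
        return access_token

def demo():
    """Browser sees the code; only the authenticated client obtains the token."""
    srv = AuthServer()
    code = srv.authorize("highjack", "alice")               # visible in the browser URL
    leaked = srv.token("highjack", "guessed-secret", code)  # code alone is useless
    tok = srv.token("highjack", "highjack-secret", code)    # client redeems it
    replay = srv.token("highjack", "highjack-secret", code) # second use is rejected
    return leaked, tok, replay, srv.tokens.get(tok)
```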
Retrieving a Facebook account is a relatively simple process that involves the use of a code that is sent to your email or phone number to help confirm that you own the account. However, there are cases of Facebook not sending the code due to several reasons. Here is a simple way to fix the issue of Facebook not sending code to email.
Resolving the Facebook code generator not sending SMS is quite an easy process. All you have to do is to turn on Facebook text in your Facebook settings. When that is done, the Facebook code generator not sending SMS will be resolved. Here is how to set up Facebook text:
Facebook typically sends a 6-digit code either to the phone number linked to your Facebook account or to a linked email address. If you are trying to reset a new password or trying to log in with a new device and Facebook is not sending the 6-digit code that verifies that you own the account, here is what you should do to resolve the Facebook 6-digit code not being received by you.
To set up security measures to make your account more secure, Facebook will suggest you turn on two-step authentication. It will request that you choose a method for receiving security codes in case you would like to log into your account with a different device or browser. However, if you add more than two phone numbers or emails, your account will be flagged as suspicious by Facebook, and as such your account can be locked temporarily.
If you notice you are not receiving a Facebook password reset code email in your mailbox, it means that the current email address you are expecting the mail to come through is not linked to your Facebook account. To resolve Facebook not sending the code to email, you will have to either receive the password reset code via the code generator as outlined above or receive it via SMS. Here is how to resolve Facebook not sending the password reset code to email using SMS:
After signing up on Facebook, Facebook sends a code to either your email or phone number so as to verify your account. If you notice Facebook is not sending a confirmation code to your email, all you need to do to get the confirmation code is to
Facebook usually resets the password by sending either a reset password link to an email address or a reset password code to the phone number. You can work around Facebook not sending the SMS code to reset the password by getting the reset password link via email. Here is how you can resolve Facebook not sending the SMS code to reset the password.
Facebook for Developers is an independent service. You can use your existing account or register a new one, which you will confirm using the verification code Facebook will send to your mobile phone.
Need to find someone's Facebook password because of an emergency? You may be able to recover it using Facebook's Trusted Contacts feature. This feature allows you to access someone's Facebook password and log into their account. It only works in certain circumstances though, which we'll go over below. Keep reading to learn how to retrieve someone's Facebook password using their email and the Trusted Contacts feature.
A Facebook access token is an opaque string which is used to identify the user, application, or page and can be used by the application to make Graph API calls. Getting a token for a Facebook page is absolutely free. All you need to do here is open the Graph API Explorer and follow these easy steps:
If you enabled two-factor authentication on Facebook, you can get a code via text on your mobile phone, using a third-party authenticator app like Google Authenticator, or by tapping your security key on a compatible device.
One of the easiest 2FA methods is to use a code generator app like Authy. These apps provide a random set of six-digit codes that allow access to hundreds, if not thousands, of websites. This is one of the simplest ways to enable 2FA, but it requires that you have access to your phone or tablet.
When you set up your two-factor authentication, you have a chance to receive a set of recovery codes. These recovery codes can be an invaluable way to get into your account should you not be able to use your code generator. To set up recovery codes:
Add a description of the issue along with an optional screenshot to help explain your exact issue and wait for Facebook to respond. Unfortunately, Facebook indicates they will not respond to every request, so this should not be your only effort to re-access your account.
Hi. My name is ____________. My email is ____________, and my Facebook ID is ______________. My Facebook account was hacked on ___date___. While I was able to reset my password after I confirmed my identity, I believe the hacker has set up 2FA, preventing me from logging in to my own account and accessing the code to log in. I am attaching an image of my ID as proof of my identity. I would appreciate you turning off the 2FA on my account so that I can log in again. Thank you.
But if someone picks up your phone and gains access to your Facebook data, they gain immediate access to information like locations, full names, addresses, and biographical information that could be used to further scam people or harvest more data.