When I recently conducted an API Management Training, one of the questions was: Do we also support Facebook Login on API Management itself? When thinking about it, there were two voices in my head: the Architect’s voice telling me that this should be handled in the Identity Provider (i.e. SAP Cloud ID), and the Developer’s voice telling me to get started and subscribe to a Facebook developer account. Fortunately for this blog, the Developer’s voice won.
I will describe what needs to be done to integrate API Management into the Facebook OAuth 2 login flow and to internalize the resulting OAuth 2 token, so that the same token can be used for the Graph API and for API Management. The provided code snippets and the proxy focus on getting the job done rather than on the (very valid) security concerns that result from it.
- API Management Subscription (If you don’t have one already, my colleague Divya Mary describes how to subscribe for the free trial here: https://blogs.sap.com/2016/02/02/free-trial-of-sap-api-management-on-hana-cloud-platform-is-available-now/)
- Facebook Account (no need to explain how to get this)
This blog is written in 3 stages. The first one (below) describes how to sign up on Facebook. The 2nd and 3rd will focus on API Management itself.
Signing up as a Developer on Facebook
In order to use the Facebook APIs you need to sign up as a developer and register your App in Facebook (https://developers.facebook.com/).
Once signed up you need to create an App (the Facebook representation of API Management). This is done in the upper right corner of the screen:
Here you need to provide a name and a contact e-mail:
Like in API Management you need to select a product, which is called “Facebook Login”.
Now half the job is done. In the settings of our newly registered Facebook Login App we will now have to enable “Client OAuth Login” and provide a redirect URI. The theory behind this can be found in the Official OAuth 2 specification (https://tools.ietf.org/html/rfc6749#page-24):
The redirect URI should point to an API Proxy on your API Management instance. In this proxy we will later receive the Authorization Code from Facebook and exchange it for a Facebook Bearer Token. This token will enable us to act on behalf of the user, using the Graph API. If you don’t know the redirect URI at this point in time, just set it to any valid URI and change it later on.
In the next step we need to make the API public. This is necessary so that users other than yourself can authorize API Management:
Now we need to collect our App ID and Secret. This is done in the Dashboard:
Now we have all the necessary things to start building our API Proxy:
- Redirect URI (Can be changed later)
- App ID
- App Secret
With this we can move to part 2 (https://blogs.sap.com/2017/07/14/implement-facebook-login-on-sap-api-management-part-2/)