Facebook Web User Authentication

UML Sequence Diagram Example

An example of UML sequence diagram which shows how Facebook (FB) user could be authenticated in a web application to allow access to his/her FB resources. Facebook uses OAuth 2.0 protocol framework which enables web application (called "client"), which is usually not the FB resource owner but is acting on the FB user's behalf, to request access to resources controlled by the FB user and hosted by the FB server. Instead of using the FB user credentials to access protected resources, the web application obtains an access token.

Web application should be registered by Facebook to have an application ID (client_id) and secret (client_secret). When request to some protected Facebook resources is received, web browser ("user agent") is redirected to Facebook's authorization server with application ID and the URL the user should be redirected back to after the authorization process.

User receives back Request for Permission form. If the user authorizes the application to get his/her data, Facebook authorization server redirects back to the URI that was specified before together with authorization code ("verification string"). The authorization code can be exchanged by web application for an OAuth access token.

Sequence diagram example - Facebook User Authentication in a Web Application.

Facebook user authentication UML sequence diagram example.

If web application obtains the access token for a FB user, it can perform authorized requests on behalf of that FB user by including the access token in the Facebook Graph API requests. If the user did not authorize web application, Facebook issues redirect request to the URI specified before, and adds the error_reason parameter to notify the web application that authorization request was denied.