How to verify Authentication with Facebook Token

First we need to understand what is going on when user submit the request using their facebook account for login

1) User submit the REQUEST using their Facebook account
The mobile app or website will send a “Request” to Facebook

2) Facebook return “FB token” with some params back to the app

3) The mobile app / application will call the API communicate with the database. There is some params will be passed to the database via the API call at the same time. http://localhost:8000/api/social/convert-token

4) Once the database retrieve the API call with the FB token, the “Django Rest Framework Social Oauth” will “Create User + Access_token” in the database

5) Django Rest Framework social Oauth / database will return the “Access_token & Refresh_token” back to the application

Now, we understand the process / protocol and what information have been sent between app and the database. And how user get the access token and refresh token. It is time for testing. As we don’t have the application ready yet, we can use “POSTMAN” for testing purpose to verify our API and backend database.

First we need to get the FB token from Facebook
Copy the “User Token”

In the POSTMAN, Use “POST” with the following Params

  • grant_type – convert_token
  • client_id
  • client_secret
  • backend – facebook
  • token – [ that’s the user token you just generate from the facebook ]

Then “Send”, if you can see the access token return from the database in JSON format. It means working fine. You should see user create in the Django database and there is access token associate with the user. However, the access token we used it doesn’t retrieve the email address of the user.

Screen Shot 2017-02-20 at 6.09.17 AM.png

In order to get the email address of the user, we need to get the access token from

Select “Get User Access Token” from the pop down list.

Screen Shot 2017-02-20 at 6.15.19 AM.png

And replace the previous token with the latest one which you just get it from

Send the request from the POSTMAN again. After that, if you check the user info in the Django again. You should be the user profile with email info now.

Screen Shot 2017-02-20 at 6.18.00 AM.png

To test the logout, it is easy.

It is similar for the Sign in process. In the POSTMAN, open another TAB and send the request with the following params

  • client_id
  • client_secret
  • token

If everything works fine, you should not expect to see anything return from the database.

Screen Shot 2017-02-20 at 6.21.03 AM.png

To confirm, check the Access tokens in the Django. The token should be removed


About whoismikechan

I am just a guy who has a family, working daily with my daily work, but always dream about to have my own startup company.
This entry was posted in facebook, Postman, Python. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s