
I've read many documents about APIs but they don't seem to mention APIs for private accounts instead of publicly accessible information.

How does an API work to request private account data? How does it get the login details or session cookie?

For example:

The Facebook API to post to your timeline from a third party website.

If I'm already logged into Facebook and clicked the 'connect' button on a third party website, the API allows me to then post to this website.

How does it prove it is me who sent this, since it can't access the session cookie?

S.L. Barth
John
  • I recommend you read the latest book to cover this knowledge of `authentication`, `authorization` and other core concepts in related APIs. OAuth 1.0 and OAuth 2.0 handle these differently, and so do other technologies. My recommendation would be to read `Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE`, which is the latest de facto industry-based security book. – Shritam Bhowmick Sep 04 '15 at 20:46

1 Answer


In the majority of cases, this kind of social authentication is based on some form of (hopefully) secret authentication token that is generated at the time you allow access and is stored on the 3rd party service.

When the 3rd party service makes a request from then on, they pass the authentication token they have stored and Facebook then allows them to post on your behalf.

You can read more about Facebook's "access tokens" here

Nic Barker
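To make the answer concrete, here is an added example that is not part of the original answer and is not Facebook's real API: a small in-memory model of a provider ("Facebook") and a third-party site. The user's browser holds a session cookie that never leaves the provider; when the user clicks "Allow", the provider mints a separate random access token bound to the user, the requesting app and a set of scopes, and the third party stores only that token. Later API calls carry the token in an `Authorization: Bearer` header, and the provider derives the identity from it. The names `news-site`, `publish_posts`, `read_profile`, the token format and the one-hour lifetime are all assumptions for illustration.

```python
"""Added illustration of token-based delegated access (not Facebook's code).

Roles (all names are assumptions):
  Provider   - the social network holding the user's account and session
  ThirdParty - the website on which the user pressed "connect"
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    user_id: str        # whose account the token may act on
    client_id: str      # which third-party app the token was issued to
    scopes: frozenset   # what the token is allowed to do
    expires_at: float   # absolute expiry, epoch seconds


class Provider:
    """The account holder's service. The session cookie is never shared."""

    def __init__(self):
        self.sessions = {}   # session cookie -> user_id (browser-only secret)
        self.tokens = {}     # access token -> Grant (handed to third parties)
        self.timeline = {}   # user_id -> list of (client_id, text)

    def login(self, user_id):
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user_id
        return cookie

    def authorize(self, session_cookie, client_id, scopes, ttl=3600):
        """Invoked from the user's own browser (which has the cookie) when the
        user clicks "Allow". Issues a separate, scoped, expiring token."""
        user_id = self.sessions.get(session_cookie)
        if user_id is None:
            raise PermissionError("not logged in")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = Grant(user_id, client_id, frozenset(scopes),
                                   time.time() + ttl)
        return token

    def _lookup(self, token):
        # Constant-time comparison so a timing side channel does not reveal
        # partial matches; a production server would store a hash of the token.
        for stored, grant in self.tokens.items():
            if hmac.compare_digest(stored, token):
                return grant
        return None

    def post_to_timeline(self, authorization_header, client_id, text):
        """The API endpoint the third party calls. Identity comes from the
        token alone; no cookie is involved."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            raise PermissionError("missing bearer token")
        grant = self._lookup(token)
        if grant is None:
            raise PermissionError("unknown or revoked token")
        if grant.client_id != client_id:
            raise PermissionError("token was issued to a different app")
        if time.time() >= grant.expires_at:
            raise PermissionError("token expired")
        if "publish_posts" not in grant.scopes:
            raise PermissionError("token lacks publish_posts scope")
        self.timeline.setdefault(grant.user_id, []).append((client_id, text))
        return grant.user_id

    def revoke(self, token):
        self.tokens.pop(token, None)


class ThirdParty:
    """The connected website. It stores the token, never the user's cookie."""

    def __init__(self, client_id, provider):
        self.client_id = client_id
        self.provider = provider
        self.stored_tokens = {}  # local account -> provider access token

    def connect(self, local_user, access_token):
        self.stored_tokens[local_user] = access_token

    def share(self, local_user, text):
        token = self.stored_tokens[local_user]
        return self.provider.post_to_timeline(f"Bearer {token}",
                                              self.client_id, text)


def _rejected(fn):
    try:
        fn()
        return False
    except PermissionError:
        return True


def demo():
    provider = Provider()
    app = ThirdParty("news-site", provider)
    cookie = provider.login("alice")  # lives only in Alice's browser
    token = provider.authorize(cookie, "news-site", ["publish_posts"])
    app.connect("alice@news", token)  # the app keeps the token, not the cookie
    results = {"posted_as": app.share("alice@news", "Hello from the news site"),
               "timeline": provider.timeline["alice"]}
    # A token minted for another app cannot be replayed by this one.
    other = provider.authorize(cookie, "other-app", ["publish_posts"])
    results["wrong_client_rejected"] = _rejected(
        lambda: provider.post_to_timeline(f"Bearer {other}", "news-site", "x"))
    # A token without the publishing scope cannot post.
    ro = provider.authorize(cookie, "news-site", ["read_profile"])
    results["scope_enforced"] = _rejected(
        lambda: provider.post_to_timeline(f"Bearer {ro}", "news-site", "x"))
    # Revoking the token stops the app without logging Alice out.
    provider.revoke(token)
    results["revoked_rejected"] = _rejected(lambda: app.share("alice@news", "y"))
    results["still_logged_in"] = provider.sessions.get(cookie) == "alice"
    return results


if __name__ == "__main__":
    print(demo())
```

The point the question asks about is visible in `post_to_timeline`: the provider never sees a cookie, it sees a token it issued itself, and the token carries the user, the app and the permitted actions. Because the token is a distinct secret, it can be scoped narrowly, given an expiry, and revoked independently of the user's login, which is why leaking it is less damaging than leaking the session cookie but still serious.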