
First off, I'm not looking for the access token of a facebook account.

I (or my facebook messenger bot) need the access token of a linked 3rd party account.
The account was successfully linked as described here: https://developers.facebook.com/docs/messenger-platform/identity/account-linking

Slightly off topic: The first issue I noticed that does not meet the OIDC/OAuth2 specs is that the redirect URI given to the /authorize endpoint expects a param "authorization_code" instead of "code" with the actual authorization code. Ok, good thing we do not use off-the-shelf software for the IdP, so I could mend that. Yet.

Now, I'm accustomed from the Amazon Alexa account linking to let Amazon do the token management, refreshing etc. and to deliver a 3rd party access token with every request.

But not with Facebook, it seems. As far as I managed to understand (not by the docs, but by trial and error), for the Facebook Messenger the account linking is finished once they get the authorization code (and call an associated webhook). But since I need an actual access token for every request to my bot, that's not gonna help much.

It now looks as if I have to extend my bot to be a complete, but not standardised, OAuth2/OIDC client (including token handling, refreshing etc.) with some problems:

  • how to check the validity of the redirect URI?
    • should be the same as in the initial request
  • how to validate the authorization_code?
    • keep in mind, normally this bot has no connections/access to the database of the IdP
  • how to link this to a specific facebook user id?

My question now is, how to cope with that behaviour when I aim to use standardised software for the OAuth/OIDC IdP? Any ideas?

Thanks in advance, Thomas

EDIT: To clarify what is meant by "account linking": I'm not interested in the user's facebook account, I want to access information of a 3rd party account (provided with my actual service) of that user. For example a call like "How many pictures are in my tumblr account" will need the customer to link the tumblr account to this facebook messenger bot.

For comparison: this worked extremely smoothly with Amazon's Alexa and Google Actions. I simply had to input the client credentials and OAuth endpoints and that's that. If the user successfully linked the 3rd party account, I get an access token with every query to my backend, as expected.

EDIT2: as pointed out by CBroe, this is not supported by Facebook. Only actually "linking" the User IDs is possible.
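As an added example (not from the question, from Facebook's docs or from any answer here): one way to keep a stock OIDC IdP is to make the bot itself the standard OIDC client and let the `authorization_code` it hands back to Messenger be an opaque, one-time handle the bot mints, rather than the IdP's own code. The class below sketches the bot-side state for the three steps; `HANDLE_TTL`, `REDIRECT_HOSTS`, the `exchange_code` callable and the token dict it returns are assumptions, and token refresh against the IdP is ordinary OAuth2 client work not shown.

```python
import secrets
import time
from urllib.parse import urlsplit

HANDLE_TTL = 300  # seconds a bot-minted authorization_code stays redeemable (assumed value)
REDIRECT_HOSTS = {"www.facebook.com"}  # hosts Messenger may ask us to redirect back to (assumed)


class LinkBroker:
    def __init__(self):
        self.pending = {}  # OIDC state -> Facebook redirect_uri captured when the flow started
        self.handles = {}  # bot-minted authorization_code -> (IdP tokens, expiry)
        self.linked = {}   # Messenger PSID -> IdP tokens

    def begin(self, fb_redirect_uri):
        # Messenger opens the bot's account_linking_url with a redirect_uri. Accept only https to a
        # known host (no open redirect) and bind it to a fresh state for the OIDC request to the IdP.
        parts = urlsplit(fb_redirect_uri)
        if parts.scheme != "https" or parts.hostname not in REDIRECT_HOSTS:
            raise ValueError("redirect_uri not allowed")
        state = secrets.token_urlsafe(32)
        self.pending[state] = fb_redirect_uri
        return state

    def on_idp_callback(self, state, code, exchange_code):
        # The IdP redirects to the bot's own callback with standard `code` and `state`. The bot does
        # not validate the IdP code itself: `exchange_code` redeems it at the token endpoint. A fresh
        # opaque handle then becomes Facebook's `authorization_code`; the real code never leaves the bot.
        fb_redirect_uri = self.pending.pop(state, None)  # also rejects a replayed state
        if fb_redirect_uri is None:
            raise ValueError("unknown or reused state")
        handle = secrets.token_urlsafe(32)
        self.handles[handle] = (exchange_code(code), time.time() + HANDLE_TTL)
        return fb_redirect_uri + ("&" if "?" in fb_redirect_uri else "?") + "authorization_code=" + handle

    def on_account_linking_event(self, psid, status, authorization_code=None, now=None):
        # Messenger's `account_linking` webhook event carries the sender PSID: the only point where
        # the IdP tokens can be tied to a specific Messenger user. Handles are single use and expire.
        now = time.time() if now is None else now
        if status != "linked":
            self.linked.pop(psid, None)  # "unlinked": forget this user's tokens
            return False
        entry = self.handles.pop(authorization_code, None)
        if entry is None or now > entry[1]:
            return False
        self.linked[psid] = entry[0]
        return True
```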

Well, thanks, but as mentioned in the first line of my question, I am not looking for the facebook access token. And since I never had the chance to tell my facebook app the token-endpoint of my IdP I doubt this is going to return an access token issued by my own IdP. And another issue: the authorization_code is quite short lived, so this would only give me a finite access_token which is not of much use. - thomas
Then I don't know what your actual problem is. Account linking requires you to send the user through the FB login flow (if you want to link with the Facebook user profile), and the login flow ends with your app exchanging the code it got for an access token, so that you can then use that token to request user details, such as the app-scoped id. - CBroe
In that case I might clarify what is meant by "account linking" (as it is in the provided url): I do not need the facebook account of a user, I want the user to be able to link a 3rd party account (of my company/service) to this messenger bot so that the bot can use information of this service. E.g. "how many pictures do I have in my tumblr account" can only be done if the user links the tumblr account to the facebook messenger bot and his facebook account - thomas
"But not with Facebook, it seems." - no, the whole purpose of this is only to create the initial "link", between your page-scoped messenger id, and whatever external service you want to interact with. This messenger user id is associated with this Instagram account, that Amazon account and this Google profile. But that's it. If you need any access tokens or other authorization to perform actions within these external services, then you need to handle that yourself. - CBroe