Friday, February 14, 2014

How to retrieve Facebook profile using Apache Oltu

This tutorial shows you the basic of OAuth using Apache Oltu (Formely known as Apache Amber). We have created a Java Web Application that authenticates the user to Facebook via OAuth 2.0 and retreive the protected resources from Facebook.

Setup :
  • SSL enabled Tomcat Server as we have deployed our Web Application on tomcat. Click here for instruction on How to enable SSL on Apache Tomcat 7.0
  • Registered Facebook Application. Check here for instruction on How to register App on Facebook.
  • Download the OltuClientFB Application from the GIT repository.
  • If you are using Maven then add below dependency or download Apache Oltu client jars :

Run the Project :

Check out the project from the above URL, import into the eclipse and Run as a Server.

Navigate your browser to https://localhost:<port>/OltuClientFB. You will see the following page:

Click on the link and it will take you the Facebook page for Authentication :

Once you are login into Facebook, It will ask you to allow the Oauth application to access your private data:

Once you click on “Okay” button. It will display your profile detail like UserId, Name etc.

Code Description :


In the Servlet initParams, We have defined the clientId, clinetSecret and the redirectUri, You can change it as per your Apps.
// clientId is 'App ID '
@WebInitParam(name = "clientId", value = "YOUR_CLIENT_ID"),
// clientSecret is 'App Secret'
@WebInitParam(name = "YOUR_CLIENT_SECRET", value = "70ba69525274876dce9697ad183a9051"),
// This must be identical to 'Valid OAuth Redirect URI's'
@WebInitParam(name = "redirectUri", value = "https://localhost:7443/OltuClientFB/OAuthServlet/callback"),})

The Java Web Application act as a third-party website or termed as “client” which operate on behalf of a user. It first sends the request to Facebook which authenticates the user, obtain the user's authorization(i,e Approve/Deny page) and issues an access token which client can use while interacting with the resource server i,e Facebook to access public profile of the user.

End user Authorization request :

Created the End User Authorization Request by providing end-user authorization URI at the Authorization Server (e.g. Facebook), application's client id and a redirect URI in order to receive the authorization code. Apache Oltu has an enum OAuthProviderType for authorization and token endpoints of common OAuth 2 providers like Facebook.

OauthClientRequest authClientRequest = OAuthClientRequest

The above code will produce an OAuth request where all the parameters are encoded in the URL query.


Get Authorization Code from redirect URI :

Once the user grants permission for your client application, then the Facebook will redirects the user to redirectUri with the code in the request parameter.

OAuthAuthzResponse oar = OauthAuthzResponse.oauthCodeAuthzResponse(request); code = oar.getCode();

Exchange OAuth code for an access token :

Apache Oltu has two different classes to parse the access token response. Facebook’s response is not fully compliant with the final version of the OAuth 2 specification, but it can be parsed using the class GitHubTokenResponse.

OauthClientRequest authClientRequest = OAuthClientRequest.tokenProvider(OAuthProviderType.FACEBOOK)
//create OAuth client that uses custom http client under the hood
oAuthClient = new OAuthClient(new URLConnectionClient());
GitHubTokenResponse oAuthResponse = oAuthClient.accessToken(authClientRequest,
String accessToken = oauthResponse.getAccessToken();

Get Facebook profile data :

OAuthClientRequest bearerClientRequest = new OAuthBearerClientRequest("").setAccessToken(accessToken).buildQueryMessage();
OAuthResourceResponse resourceResponse oAuthClient.resource(bearerClientRequest, OAuth.HttpMethod.GET,

This class will display the user profile on the UI.

Summary :

This application demonstrates the basic of OAuth 2.0 using Apache Oltu i,e how to authenticates the user and retreive the protected resources from Facebook.

Resources :

Code download link: