Accept facebook login in my REST API

I have a server (Java / Spring / Spring Security). Currently, users on mobile simply submit their username / password, and Spring Security creates a session and assigns it to the request using JSESSIONID.

Now we also have a Facebook Login button in the mobile app. Here is my understanding of how this will work.

  • mobile application uses the Facebook SDK to get an "access_token"
  • mobile application retrieves the user profile from Facebook (first name, last name, email address, etc.)
  • mobile application checks (against MY server) whether the username is unique
  • if the username is unique, it calls MY REST API with something like POST /login/facebook over SSL, passing access_token, email, username, etc.
  • my server then checks whether the access_token is real:

    GET graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app-token-or-admin-token}

  • if it is, and the UID returned by Facebook is already in my local database, I log the user in as follows:

    // ROLE_USER must be passed as a collection of GrantedAuthority
    SecurityContextHolder.getContext().setAuthentication(
        new UsernamePasswordAuthenticationToken(username, null,
            AuthorityUtils.createAuthorityList("ROLE_USER")));

  • if I do not find the UID, I just create a new user and log them in
  • from now on, every request made by the mobile device to the server will carry the session (created and attached by Spring), and the mobile application will be authenticated

Can someone tell me if this is a good way to do this? Should I stop using sessions and switch to Spring-Security-OAuth2?


EDIT 1

Based on Dave's recommendations, here is the updated Spring Security config:

    <!-- handle login by providing a token -->
    <security:http pattern="/login/facebook" auto-config="false" use-expressions="true"
                   entry-point-ref="loginUrlAuthenticationEntryPoint">
        <security:custom-filter ref="facebookLoginFilter" position="FORM_LOGIN_FILTER"/>
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
    </security:http>

    <bean id="loginUrlAuthenticationEntryPoint"
          class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg value="/login/facebook"></constructor-arg>
    </bean>

    <!-- handle basic username + password logins -->
    <security:http auto-config="true" use-expressions="true" entry-point-ref="forbiddenEntryPoint">
        <security:form-login login-processing-url="/security_check"
                             authentication-failure-handler-ref="authFailureHandler"
                             default-target-url="/"
                             always-use-default-target="true"
                             authentication-success-handler-ref="authSuccessHandler" />
        ... my other patterns ...
    </security:http>

    <bean id="forbiddenEntryPoint"
          class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
    <bean id="authSuccessHandler" class="my.package.AuthenticationSuccessHandlerImpl"/>
    <bean id="authFailureHandler" class="my.package.AuthenticationFailureHandlerImpl"/>

    <bean id="facebookLoginFilter" class="pl.jcommerce.ocean.web.ws.controller.FacebookLoginFilter">
        <property name="requiresAuthenticationRequestMatcher" ref="loginRequestUrlHandler"></property>
        <property name="authenticationManager" ref="authManager"></property>
    </bean>

    <security:authentication-manager id="authManager">
        <security:authentication-provider ref="facebookAuthenticationProvider" />
    </security:authentication-manager>

    <security:authentication-manager>
        <security:authentication-provider ref="webServiceUserAuthenticationProvider" />
    </security:authentication-manager>

    <bean id="loginRequestUrlHandler"
          class="org.springframework.security.web.util.matcher.RegexRequestMatcher">
        <constructor-arg index="0" value="/login/facebook" />
        <constructor-arg index="1" value="POST" />
        <constructor-arg index="2" value="false" />
    </bean>
2 answers

Facebook already uses an OAuth2 server and provides its own native SDK for clients, so I see no advantage in your case in using OAuth2 on your server, if your use case does not go beyond what you sketch above. Spring OAuth2 also has client support, but not in a native application, so I really do not see anything fundamental in your proposal. You did not specify in detail where you would set the security context on your server, and I think this may be an important detail - this must happen in the security filter chain, in the right place, to get the session updated.

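As an added example (not code from the question or either answer), here is what the facebookLoginFilter bean from the question's config could look like: it performs the debug_token check from the question inside the filter chain, which is where the answer above says the security context has to be set. Assumed: Spring Security 3.2+ with Jackson on the classpath, an authManager provider that maps a Facebook uid to a local account, and APP_ID / APP_TOKEN placeholders filled from configuration.

```java
import java.net.URI;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.JsonNode;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

public class FacebookLoginFilter extends AbstractAuthenticationProcessingFilter {
    // Placeholders: load these from configuration, never from the request.
    private static final String APP_ID = "<your-facebook-app-id>";
    private static final String APP_TOKEN = "<app-id>|<app-secret>";
    private final RestTemplate rest = new RestTemplate();

    public FacebookLoginFilter() {
        super(new AntPathRequestMatcher("/login/facebook", "POST")); // same URL as the XML config
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) {
        String token = req.getParameter("access_token");
        if (token == null || token.isEmpty()) throw new BadCredentialsException("missing access_token");
        JsonNode data;
        try {
            // The app token, not the user's token, authenticates the inspection call.
            URI uri = UriComponentsBuilder.fromHttpUrl("https://graph.facebook.com/debug_token")
                    .queryParam("input_token", token).queryParam("access_token", APP_TOKEN).build().toUri();
            JsonNode body = rest.getForObject(uri, JsonNode.class);
            data = body == null ? null : body.get("data");
        } catch (RestClientException e) {
            throw new AuthenticationServiceException("debug_token lookup failed", e);
        }
        // Three checks: valid, issued to THIS app (a valid token minted for another app must not log anyone in), has a user id.
        if (data == null || !data.path("is_valid").asBoolean(false))
            throw new BadCredentialsException("access_token is not valid");
        if (!APP_ID.equals(data.path("app_id").asText()))
            throw new BadCredentialsException("access_token was issued to another app");
        String fbUid = data.path("user_id").asText();
        if (fbUid.isEmpty()) throw new BadCredentialsException("access_token carries no user id");
        // Only the Facebook-verified uid is trusted; username/email posted by the client are hints. The configured
        // provider maps the uid to a local account (creating one on first login); the superclass then stores the
        // result in the SecurityContext and the session filter persists it, hence the FORM_LOGIN_FILTER position.
        return getAuthenticationManager().authenticate(new PreAuthenticatedAuthenticationToken(fbUid, token));
    }
}
```

The requiresAuthenticationRequestMatcher property in the XML overrides the matcher set in the constructor, so either can be dropped.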

I made an attempt to implement something like this based on Dave Syer's answer, as well as the Spring Security Angular materials that he put together. For an example, see my forked GitHub repo, specifically the classes under security.


Source: https://habr.com/ru/post/1210268/
