I have a REST web service implemented and I'm working on security at the moment.
This web service was implemented using Spring Boot. Initially I will have clients as an Android app and a web app, but in the future I am thinking of making this API public, so I have to think about this issue as well.
I researched a lot about Spring Security OAuth2, but there were basically two doubts:
One possibility is to go for a federated identity management system like Keycloak. Keycloak offers adapters for Spring as well as Android, has full OAuth2 support and gives you the possibility to use Facebook as an identity provider. It gives you a lot of benefit, as a lot of the features you most likely need are already there. On the other hand it is a big topic, so be aware that it will take you some time to bring the whole setup alive. You will need to host Keycloak, configure clients for the Android app and your web application, introduce the Keycloak adapter to both the Android application and the web application, and finally configure Facebook as an identity provider.
Have a look here, this seems promising. In general, I have to admit that I didn't integrate Keycloak with Facebook or Android myself. We utilize it to secure our Spring Boot and Java EE applications. I was only heavily involved in this integration and by that stumbled upon the stated functionality. There is also the possibility to do OAuth2 in Android by hand, see. Here is an example of how to do Facebook integration. I hope this helps and good luck ;)