Home/ Questions/Q 7862227
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T23:02:59+00:00

I’m using FB.login on the JS client and want to verify the user’s identity

  • 0

I’m using FB.login on the JS client and want to verify the user’s identity on the server. So, the client gets a signedRequest from facebook and sends it to the server. The server splits on the period, and decodes the second part of the signedRequest into a json object.

What should I be using for “code” when I send my server-side request to 

https://graph.facebook.com/oauth/access_token?
    client_id=YOUR_APP_ID
   &redirect_uri=YOUR_REDIRECT_URI
   &client_secret=YOUR_APP_SECRET
   &code=CODE_GENERATED_BY_FACEBOOK

My decoded json looks something like: 

{"algorithm":"HMAC-SHA256","code":"2.AQCPA_yfx4JHpufjP.3600.1335646800.1-5702286|l11asGeDQTMo3MrMx3SC0PksALj6g","issued_at":1335642445,"user_id":"5232286"}

Is that the code I need? Does it need to be B64 encoded? If this isn’t the code, what code should I use?

_

What I’ve tried:

The request I’m trying to use is: 

https://graph.facebook.com/oauth/access_token?client_id=295410083869479&redirect_uri=https://squaredme.appspot.com/facebookredirect&client_secret=44f1TOPSECRETbb8e&code=2.AQCPA_yfx4JHpufjP.3600.1335646800.1-5702286|l11asGeDQTMo3MrMx3SC0PksALj6g

but this returns the error:

{"error":{"message":"Error validating verification code.","type":"OAuthException","code":100}}

I can’t tell if this is because I’m using a bad code, or what. Noteably, this is running on my local dev server, and squaredme.appspot.com definitely does NOT resolve to my IP. I don’t know if facebook checks that or what – I’m assuming I’d get a better error message. Thanks for any direction!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You are trying to somehow combine the two flows together and that’s why things don’t work well.

    When facebook POSTs into the iframe with your app url and a signed request there are two options, the easy one being that the user is already authenticated and then the signed request will have all the necessary data (including a signed request), then you just load the canvas page and use the JS SDK to get an access token there as well, but in this case there’s no need to use the FB.login (since it opens a popup and will automatically close it), you can use the FB.getLoginStatus method which won’t annoy the user.

    If the user is not authenticated then the sign request will be missing the things you need to use the graph api.
    You then redirect the user to the auth dialog, and since you are loaded in an iframe you’ll need to return a html response which redirects the parent window using javascript, like:

    top.location.href = "AUTH_DIALOG_URL";

    When the use is done (accepted or rejected the app) he will be redirected to the “redirect_uri” you added as a parameter to the auth dialog.
    If the user accepted your app then you’ll be getting the “code” parameter in the query string.
    You then take the code, exchange it with an access token as you posted in your question, and then redirect the user back to “apps.facebook.com/YOUR_APP”.

    When the page then loads the user is already authenticated and you’ll be getting a full signed request.

    I hope this clarifies things for you, recheck the Server-Side flow it pretty much covers it all.

    • 0