I’ve been struggling through Facebook authentication for a canvas app for a while. My approach is as follows:
- Check the user’s session for an access token.
- Check the user’s Facebook cookies for an access token.
- Check the parameters for a signed_request.
If an access token is found during any of those 3 steps:
- I make a call to the graph API requesting the /me resource.
- If the call is successful, the user is logged in.
- If the call fails (causes an OAuthException), I request a new access token by redirecting the user to the Facebook OAuth endpoint to obtain a code, then obtaining a fresh access token by exchanging that code.
If no access token is found in the session, cookies, or signed_request, I display a landing page.
Is this the correct procedure? I’ve noticed that oftentimes there is no signed_request present in the parameters if the user’s access token has expired. The method Facebook endorses for requesting a fresh access token results in 2 user-facing redirects as well as an API exchange, which seems a bit heavy.
The setup I’m working in is:
- Rails v3.0.8
- Koala gem v1.2.1
I’ve followed these guides:
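The lookup chain and expired-token branch from the question, as an added Ruby example (not code from the question, from the Koala gem, or from Facebook): it verifies a signed_request the way Facebook specifies it (HMAC-SHA256 with the app secret over the base64url payload) before trusting the token inside it, then walks session, cookie and signed_request in order. Assumptions: `verify` stands in for the Graph API `/me` call, the cookie token is passed in already extracted, and the Koala call names in the comments are assumed rather than quoted from the gem.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constant-time byte comparison so a forged signature cannot be found by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def b64url_decode(s)
  Base64.urlsafe_decode64(s + '=' * ((4 - s.length % 4) % 4))
end

# Verify and decode a signed_request ("<sig>.<payload>", both base64url without
# padding; sig = HMAC-SHA256(app_secret, payload)). Returns the payload hash, or
# nil on a bad signature/algorithm/encoding. Hypothetical helper, not Koala's own.
def parse_signed_request(signed_request, app_secret)
  sig_b64, payload_b64 = signed_request.to_s.split('.', 2)
  return nil unless sig_b64 && payload_b64
  expected = OpenSSL::HMAC.digest('sha256', app_secret, payload_b64)
  return nil unless secure_equal?(b64url_decode(sig_b64), expected)
  payload = JSON.parse(b64url_decode(payload_b64))
  payload.is_a?(Hash) && payload['algorithm'].to_s.upcase == 'HMAC-SHA256' ? payload : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# Token lookup in the question's order: session, cookie, then signed_request.
# `verify` stands in for the /me call: true if the token still works, false if the
# Graph API raised an OAuthException (with Koala, assumed: rescue around get_object('me')).
def resolve_access_token(session:, cookie_token:, signed_request:, app_secret:, verify:)
  sr = parse_signed_request(signed_request, app_secret) || {}
  [[:session, session[:access_token]], [:cookie, cookie_token],
   [:signed_request, sr['oauth_token']]].each do |source, token|
    next if token.nil? || token.empty?
    return { status: :logged_in, source: source, token: token } if verify.call(token)
    return { status: :reauthorize, source: source, token: nil } # redirect to OAuth endpoint
  end
  { status: :landing, source: nil, token: nil }
end

# Constructed fixture only: Facebook signs real requests, your app never does.
APP_SECRET = 'example-app-secret'
def build_signed_request(payload, app_secret)
  body = Base64.urlsafe_encode64(JSON.generate(payload)).delete('=')
  sig = Base64.urlsafe_encode64(OpenSSL::HMAC.digest('sha256', app_secret, body)).delete('=')
  "#{sig}.#{body}"
end
SAMPLE_SIGNED_REQUEST = build_signed_request(
  { 'algorithm' => 'HMAC-SHA256', 'oauth_token' => 'tok_fb', 'user_id' => '42' }, APP_SECRET)
```

A missing signed_request on an expired token, as the question observes, simply falls through to the landing page here; only a token that was found and then failed `/me` triggers the reauthorize branch.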
Have you considered using Omniauth? (https://github.com/intridea/omniauth) It wraps up all this stuff and lets you easily extend to other sites as well.