Home/ Questions/Q 8317107
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T21:30:47+00:00

We have a spring web app with spring mvc controllers. It’s supposed to connect

  • 0

We have a spring web app with spring mvc controllers. It’s supposed to connect to our facebook app to get an authentication token to be used for further access. The communication with our App seems to work. When I hit the link

<a href="https://www.facebook.com/dialog/oauth?client_id=something&redirect_uri=http://our.domaine.register/postback?user_id=12345&scope=manage_pages&response_type=code">connect</a>

it will redirect me to facebook, I’ll enter my credentials and get redirected back to 

our.domaine.register/postback?user_id=12345&code=SoMEcOde

This again is one of our Spring MVC controllers but that doesn’t really matter because

the problem is, the code returned by facebook is a malformed accessToken,

meaning if I try to use it to access a protected resource it won’t work. Replacing the same call with an access token retrieved via graph API explorer it works fine.

The returned code has a peculiar format with ‘-‘, ‘_’ and ‘=’ characters in it which a normal access token never has.

So I’m assuming there has to be some kind of conversion to be done?! Or is it some kind of formating problem?

Returned token:

AQBoXkcR5zRUiuHoO_lLdQfnxxxxxxxxxxxxxxxxoPPvZQTeybT9ebsI2SD1Xk

Is code the same as accessToken?

The official documentation mostly just talks about using the anchor hash (REDIRECT_URL/#access_token=…) and accessing the access_token via javascript, though I have no idea why I would want to do that it’s not natural and not testable…

Has anyone used the code argument to map it as a request parameter so that it can be accessed in a controller?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The code they are returning to you is an OAuth authorization code, no access token. You have to exchange that one for an access token with another call. See point 4 in Facebook’s documentation for server-side authentication

    UPDATE:
    (Sorry, missed the headline, where you say “Client Side Authentication” ;))

    Use response_type=token instead of response_type=code, so you directly get an access token in return and not an OAuth authorization code. See the section Client-side authentication without the JS SDK on Facebook’s documentation for client-side authentication.

    UPDATE:

    As you are trying to develop a web application, the server-side authentication flow is the correct one to use. That means exchanging the authorization code (the one you get after redirecting the user) for an access token with another call.

    So if I understand it correct now, your problem is how you get the access token out of the response you receive. Check this example for how to do such things using Spring. For your case this would be something like to get the authorization code:

    @RequestMapping(value = "/postback", params = "code", method = RequestMethod.GET)
@ResponseBody
private void accessCode(@RequestParam("code") String code,
                            HttpServletRequest request,
                            HttpServletResponse response) throws Exception {
        //Now the variable 'code' holds the authorization code
}
    • 0