Facebook oauth authorize URL and parameter options

facebook facebook-graph-api oauth facebook-oauth
Alan Wells picture Alan Wells · Apr 2, 2014 · Viewed 26.5k times · Source

Facebook provides some documentation on the parameters of oauth login.

Login Dialog OAuth 2

Parameters are:

  • client_id = Your App ID
  • redirect_uri = Your App Website URL
  • display = page, popup, iframe, async, touch. How to display login.
  • scope = permission names. Permissions your app is asking the user to grant to your app.
  • state = a string included in the response back to your app.
  • response_type = code or token or both. Used in different ways depending on authorization flow.

Is there more information about different types of oauth functionality and the parameters that go with it?

I want information on how to structure the URL for oauth. I know of a couple of configurations. For example:

https://www.facebook.com/dialog/oauth?
   client_id=YourAppID
   &redirect_uri=The URL that you designated in your App Settings for your App
   &response_type=token //Whether you want a `code` returned, or a `token` returned, or both
   &scope=publish_stream // scope prompts the user for the type of permissions being asked for

I saw a discussion that showed this:

https://graph.facebook.com/oauth/authorize?
   client_id=123456789
   &redirect_uri=http://example.com/
   &scope=publish_stream,share_item,offline_access,manage_pages

Note the difference's of the URL's:

/dialog/oauth?

or

/oauth/authorize?

What does authorize do? Does it GRANT permissions instead of ASKING for permissions? Where is the documentation on this?

Answer

Abhinay picture Abhinay · Jun 5, 2015

https://graph.facebook.com/oauth/authorize is also to logging in the person -- Like authenticating a person and to take permission from person whether to access the requested permissions by app.

oauth/authorize is graph api call. I think major difference may be when you want to build the login flow manually you should use /oauth/authorize.. else if you are using javascript/Apps api provided by facbook it uses /dialog/oauth. Apps normally need to confirm that the response from the Login dialog was made from the same person who started it. If you're using Facebook's JavaScript SDK it automatically performs these checks so nothing is required, assuming that you're only making calls from the browser. More over we can make graph api calls secure by applying appsecret_proof.

Related questions

FB.getLoginStatus does not fires callback function

I have a difficult problem. Difficult means I searched through the net and StackOverflow as well the whole FBJS SDK documentation and haven't find answer. I am building a Page Tab application where I'd like to let fans to rsvp …

Read More
Facebook OAuth "The domain of this URL isn't included in the app's domain"

Let me first start with saying I've searched for an answer to this question for quite some time... I'm trying to setup Facebook OAuth to work with my application that is being developed locally on my machine. Everything was working …

Read More
Facebook login message: "URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings."

Important notice: If you register for testing, go to your profile settings and to your interests add delete profile. Trying to login with Facebook to my website: I get the following error: URL Blocked: This redirect failed because the redirect …

Read More