Facebook oauth authorize URL and parameter options

Alan Wells · Apr 2, 2014 · Viewed 26.5k times

Facebook provides some documentation on the parameters of oauth login.

Login Dialog OAuth 2

Parameters are:

  • client_id = Your App ID
  • redirect_uri = Your App Website URL
  • display = page, popup, iframe, async, touch. How to display login.
  • scope = permission names. Permissions your app is asking the user to grant to your app.
  • state = a string included in the response back to your app.
  • response_type = code or token or both. Used in different ways depending on authorization flow.

Is there more information about different types of oauth functionality and the parameters that go with it?

I want information on how to structure the URL for oauth. I know of a couple of configurations. For example:

https://www.facebook.com/dialog/oauth?
   client_id=YourAppID
   &redirect_uri=The URL that you designated in your App Settings for your App
   &response_type=token //Whether you want a `code` returned, or a `token` returned, or both
   &scope=publish_stream // scope prompts the user for the type of permissions being asked for

I saw a discussion that showed this:

https://graph.facebook.com/oauth/authorize?
   client_id=123456789
   &redirect_uri=http://example.com/
   &scope=publish_stream,share_item,offline_access,manage_pages

Note the differences between the URLs:

/dialog/oauth?

or

/oauth/authorize?

What does authorize do? Does it GRANT permissions instead of ASKING for permissions? Where is the documentation on this?

Answer

Abhinay · Jun 5, 2015

https://graph.facebook.com/oauth/authorize is also for logging in the person -- like authenticating a person and asking the person for permission to access the permissions requested by the app.

oauth/authorize is a Graph API call. I think the major difference may be that when you want to build the login flow manually you should use /oauth/authorize; otherwise, if you are using the JavaScript/Apps API provided by Facebook, it uses /dialog/oauth. Apps normally need to confirm that the response from the Login dialog was made from the same person who started it. If you're using Facebook's JavaScript SDK it automatically performs these checks so nothing is required, assuming that you're only making calls from the browser. Moreover, we can make Graph API calls secure by applying appsecret_proof.
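For a manually built flow, the two checks mentioned in the answer can be sketched as follows. This is an added example, not code from the answer or from Facebook's SDK: it binds the `state` parameter to the session that started the login, rejects callbacks whose `state` does not match, and computes `appsecret_proof` as the HMAC-SHA256 of the access token keyed with the app secret. The `session` dict and the function names are hypothetical, and the sample values are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

DIALOG_URL = "https://www.facebook.com/dialog/oauth"  # endpoint from the question


def build_login_url(client_id, redirect_uri, scopes, session):
    """Build the login dialog URL and bind a fresh random state to the session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # session: hypothetical per-user server-side store
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode percent-encodes the nested URL
        "response_type": "code",
        "scope": ",".join(scopes),
        "state": state,
    })
    return f"{DIALOG_URL}?{query}"


def extract_code(callback_url, session):
    """Return the authorization code only if state matches the one we issued."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    returned = params.get("state", [""])[0]
    # Compare as bytes in constant time; the returned value is untrusted input.
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: response was not started by this session")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


def appsecret_proof(access_token, app_secret):
    """Hex HMAC-SHA256 of the access token, keyed with the app secret."""
    return hmac.new(app_secret.encode(), access_token.encode(),
                    hashlib.sha256).hexdigest()
```

The proof is computed server-side, where the app secret lives, and sent as the `appsecret_proof` parameter alongside the access token on Graph API calls.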