This questions is related to ServiceStack OAuth authentication flow. Debuging the FacebookAuthProvider i see that if the code parameter isn't null (obtained from a redirection to Facebook dialog url), it uses it to obtain an Access Token. The AuthProvider does the same with OAuthAuthorizer.
How about using the Javascript SDK to obtain an Access Token (with the modal in a popup, without the redirection) for Single Page Applications. Is there any endpoint to authenticate an user with the Access Token issued?
Also, do you consider this an security flaw? I believe that if a user first sign with Credentials Provider, and then with an OAuth Provider the ServiceStack creates two separated accounts. If the server validates the Access Token with Facebook API and returns an valid response i think that should be okay to sign an already existing user in application (i guess looking for any AuthUserDetails with the provider equals to facebook should be enough to trust).