24
votes

Facebook has two flows for Authentication, client-side and server-side. When should each one be used?

Facebook docs: https://developers.facebook.com/docs/authentication/

Possibly related: What is the purpose of the implicit grant authorization type in OAuth 2?

2 Answers

13
votes

Depending on your needs you can use one or the other or both. If you want calls to Facebook to be processed before the user sees a certain page, then use server-side; however, if you want to display partial information until the user has authenticated, use JavaScript authentication.

It boils down to this:

  • JavaScript authentication can happen within a popup window and does not require a page reload; you can also just perform a top.location.href redirect.
  • PHP authentication involves a redirect to an authentication page.

Also see this thread, in particular this response.

1
votes

To add to @Lix's answer, I would say:

Client Side Authentication

  • When you want some information from the Facebook API about the user that is required only once, i.e. you only need to fetch it once, like the user's name and email.
  • When you want to temporarily access/manage the user's information/data and don't need to do it often.
  • You get a temporary token, which is valid only for a few hours, and you need to get a new token to call the Facebook API again after it has expired (which requires the user to grant permission again).

Server Side Authentication

  • You want to manage the user's data (on their behalf) after the user has left your website/app. For example, gathering the user's feed/timeline data on a regular basis.
  • When you want to access/manage the user's information/data in a recurring fashion until the user revokes access to your client id (represented by a Facebook app).
  • You get both a temporary token and a permanent token (which lasts for about 60 days at the time of writing this). You can get a new temporary token by using the permanent token every time you need to call the Facebook API (given the previous temporary token has expired), without bothering the user to grant permission again.

So, in short, for short-term use follow the client-side authentication flow, and for long-term use follow the server-side authentication flow (given you have a backend server of your own).
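The two flows the answers above describe map onto OAuth 2's implicit grant (client-side, `response_type=token`) and authorization-code grant (server-side, `response_type=code`). The following is an added example, not code from the original question or answers and not Facebook's own SDK: it shows the relying-party side of both flows offline. It builds the login dialog URL with a CSRF `state` value, parses the redirect back (token in the URL fragment for the client-side flow, one-time code in the query string for the server-side flow), enforces the `state` check, and prepares the server-side code exchange, the long-lived token exchange (`grant_type=fb_exchange_token`) and the `appsecret_proof` that Graph calls can carry. The endpoint and parameter names are Facebook's documented ones at the time of the answers; the app id, app secret, redirect URI and callback URLs are made-up placeholders, and nothing is sent over the network.

```python
"""Relying-party side of Facebook's client-side (implicit) and server-side
(authorization-code) OAuth 2 flows.  Added example; app id, secret, redirect
URI and the sample callback URLs are constructed placeholders."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://www.facebook.com/dialog/oauth"
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"

APP_ID = "123456789012345"                        # placeholder
APP_SECRET = "example-app-secret"                 # placeholder; stays on the server
REDIRECT_URI = "https://app.example/fb/callback"  # placeholder


def new_state() -> str:
    """Unguessable CSRF token; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(24)


def auth_url(flow: str, state: str, scope: str = "email") -> str:
    """Build the login dialog URL.  The only difference between the two flows
    is response_type: 'token' (client-side) or 'code' (server-side)."""
    response_type = {"client": "token", "server": "code"}[flow]
    params = {
        "client_id": APP_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "scope": scope,
        "response_type": response_type,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(url: str, expected_state: str) -> dict:
    """Extract what Facebook sent back and enforce the state check.

    Client-side flow: access_token, expires_in and state arrive in the URL
    *fragment*, so only the browser sees them (they never hit a server log).
    Server-side flow: code and state arrive in the query string; the code is
    useless on its own and must be exchanged with the app secret."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)
    src = fragment if "access_token" in fragment else query

    state = src.get("state", [""])[0]
    # Constant-time compare; a missing or foreign state means login CSRF.
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible login CSRF")

    if "access_token" in fragment:
        return {
            "flow": "client",
            "access_token": fragment["access_token"][0],
            "expires_in": int(fragment.get("expires_in", ["0"])[0]),
        }
    if "code" in query:
        return {"flow": "server", "code": query["code"][0]}
    raise ValueError("callback carried neither an access token nor a code")


def code_exchange_params(code: str) -> dict:
    """Server-side step 2: parameters for POST/GET to TOKEN_ENDPOINT that swap
    the one-time code for a short-lived user token.  Needs the app secret,
    which is why this step cannot run in the browser."""
    return {
        "client_id": APP_ID,
        "client_secret": APP_SECRET,
        "redirect_uri": REDIRECT_URI,
        "code": code,
    }


def long_lived_exchange_params(short_lived_token: str) -> dict:
    """Server-side step 3: swap a short-lived token for a long-lived one
    (about 60 days) without sending the user back through the dialog."""
    return {
        "grant_type": "fb_exchange_token",
        "client_id": APP_ID,
        "client_secret": APP_SECRET,
        "fb_exchange_token": short_lived_token,
    }


def appsecret_proof(access_token: str) -> str:
    """HMAC-SHA256 of the token keyed with the app secret.  Sent as the
    appsecret_proof parameter on Graph calls so that a token lifted from a
    client cannot be replayed by anyone who lacks the secret."""
    return hmac.new(APP_SECRET.encode(), access_token.encode(), hashlib.sha256).hexdigest()
```

A token obtained through the client-side flow and then posted to your own backend must be treated as untrusted input until the backend has verified it (Facebook's `/debug_token` endpoint, called with an app token, reports which app and user it was issued for); otherwise a token issued to some other app can be used to log in as that token's user. The server-side flow avoids that problem because the backend only ever trusts tokens it obtained itself with the app secret.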