2
votes

I build a FB app which does the following:

1) redirect initial request to FB, in order to authenticate/login, as follows:

https://www.facebook.com/dialog/oauth?client_id=MYAPPID&redirect_uri=http://localhost:8080/FB/servlet&scope=read_stream&response_type=code

2) in servlet, get the "code" parameter (which is the signed_request?):

 String signedReq = request.getParameter("code");

// the String retrieved from the code parameter is:
//3DaDJXq1Mlsq67GbeudlUxu7bY5Um4hSJlwzoPCHhp4.eyJpdiI6Ikc1ODNuRjZXbnhCb0hUV1FEMVNTQUEifQ._iXKxSGiNHfc-i5fRO35ny6hZ03DcLwu4bpAkslqoZk6OfxW5Uo36HwhUH2Gwm2byPh5rVp2kKCNS6EoPEZJzsqdhZ_MhuUD8WGky1dx5J-qNOUqQK9uNM4HG4ziSgFaAV8mzMGeUeRo8KSL0tcKuq

// This parameter contains '#_= _' at the end in the actual "code", but I am not able to get it through request.getParameter("code"); this is a Java web app.

1
Are you sure that parameter name is "code" and not "signed_request"? - narek.gevorgyan

1 Answer

3
votes

Copied from the Facebook API's OAuth Page

With this code in hand, you can proceed to the next step, app authentication, to gain the access token you need to make API calls. In order to authenticate your app, you must pass the authorization code and your app secret to the Graph API token endpoint - along with the exact same redirect_uri used above - at https://graph.facebook.com/oauth/access_token. The app secret is available from the Developer App and should not be shared with anyone or embedded in any code that you will distribute (you should use the client-side flow for these scenarios).

https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE

If your app is successfully authenticated and the authorization code from the user is valid, the authorization server will return the access token.

So yeah, this is pretty standard for OAuth. Grab a success code, punch it into the above URL (with the appropriate client_id, client_secret, and a redirect_uri) and you should be cash. You'll get an access token back, and it's party time from there.

Read that Facebook API article. It was pretty informative. If you have questions about it, I'd be happy to help.

Good luck :)
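The server-side code exchange described in the answer above, as an added example that is not part of the original answer or Facebook's documentation. It assumes Java 11+; the class name and the `FB_APP_ID` / `FB_APP_SECRET` environment variable names are hypothetical, chosen so the app secret stays out of source code.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.stream.Collectors;

public class FacebookCodeExchange {
    // Token endpoint quoted in the answer above.
    static final String TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token";

    /** Builds the token request URL with every parameter value percent-encoded. */
    static URI buildTokenUri(String appId, String appSecret, String redirectUri, String code) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("client_id", appId);
        params.put("redirect_uri", redirectUri); // must match the login dialog's redirect_uri exactly
        params.put("client_secret", appSecret);
        params.put("code", code);
        String query = params.entrySet().stream()
                .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
        return URI.create(TOKEN_ENDPOINT + "?" + query);
    }

    /** Exchanges the code server-side; returns the raw response body that carries the token. */
    static String exchange(String code, String redirectUri) throws IOException, InterruptedException {
        if (code == null || code.isEmpty()) throw new IllegalArgumentException("no authorization code in callback");
        // Assumed variable names: the secret is read at runtime, never shipped to the client.
        String appId = System.getenv("FB_APP_ID");
        String appSecret = System.getenv("FB_APP_SECRET");
        if (appId == null || appSecret == null) throw new IllegalStateException("FB_APP_ID / FB_APP_SECRET not set");
        HttpRequest req = HttpRequest.newBuilder(buildTokenUri(appId, appSecret, redirectUri, code)).GET().build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // Do not log the request URI: it contains the app secret and the code.
            throw new IOException("token endpoint returned HTTP " + resp.statusCode());
        }
        return resp.body();
    }

    public static void main(String[] args) {
        // Constructed placeholder values; prints the shape of the request URL only.
        System.out.println(buildTokenUri("MYAPPID", "APP_SECRET_PLACEHOLDER",
                "http://localhost:8080/FB/servlet", "CODE_FROM_CALLBACK"));
    }
}
```

In the servlet this would be called as `exchange(request.getParameter("code"), "http://localhost:8080/FB/servlet")`. A URL fragment (anything after `#`) is kept by the browser and never sent to the server, so the servlet only ever sees the query-string value of `code`.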