HTML and CSS Reference
scope is a comma-separated list of permissions that are being requested from Facebook. There
is a full list in Facebook's developer docs, referenced earlier, but the only one used in this topic
is email . 3
state is an arbitrary string generated to guard against cross-site request forgery. This is
technically optional, but it should be used.
Obtaining Authorization from the User
After the user clicks the login link generated in the previous section, she will see Facebook's authorization dialog. This
shows her what permissions were requested and gives her the option to confirm or deny that she wishes to grant these
permissions to your app.
Assuming that she approves the authorization request, Facebook will redirect her back to your app's
authorization endpoint, which was passed in the redirect_uri parameter of the login link. Facebook will send back a
code and the value of state from the login link, which will look something like this:
■ the value of code will be a long string generated by Facebook that is unique to each request.
CODE_GENERATED_BY_FACEBOOK is a placeholder.
Requesting an Access Token
Armed with the value of code , your app can request an access token from Facebook. This is accomplished by sending the
code , your app's credentials in client_id and client_secret , and your app's authorization endpoint in redirect_uri .
The URL will look something like this:
■ the value of client_secret is the other part of the credentials provided for your app by Facebook after it's
registered. the value YOUR_APP_SECRET is a placeholder and should be replaced with your app's credentials.
Assuming that all the required parameters are correct and valid, Facebook will return an access token in
access_token , along with an indication of how long the token is valid (in seconds) in expires .
■ the value of access_token is a unique value generated by Facebook. the value of expires will be an integer.
the current values USER_ACCESS_TOKEN and NUMBER_OF_SECONDS_UNTIL_TOKEN_EXPIRES are placeholders.