1

I'm doing a facebook app and I've followed the custom login flow instructions and I have a question on the last step:

1) I start by doing a call to /dialog/oauth to get a login code.

2) With the code I will request an access token, by hitting the graph.facebook.com/oauth/access_token and that's fine as well.

3) The instructions now say I should validate the code and token to make sure they are from the sources that requested them. 

GET graph.facebook.com/debug_token?
     input_token={token-to-inspect}
     &access_token={app-token-or-admin-token}

My questions are:

  • What is the input_token in my scenario?
  • Do I need to do this in my flow? And why if yes?

If I just pass the same value(access_token) in both parameters I get a valid anwser but I don't know if this makes sense.

Thanks in advance.

bitoiu
  • 6,893
  • 5
  • 38
  • 60
  • In case you are doing login flow using the `code` parameter only, there is no need to do this. Have you requested a `token` parameter in your login dialog call …? If not, then there is nothing to worry about (apart from your skill in reading documentation _correctly_ …) – CBroe Mar 22 '14 at 19:29
  • Btw., your question is tagged with `javascript` only, no server-side techniques mentioned – I hope that you are __not__ doing the exchange of `code` for an access token client-side …? – CBroe Mar 22 '14 at 19:33

1 Answers1

2

This question has already been asked: how to verify facebook access token?

And: Verify Facebook Access Token for specific App

And: verification code example

It's simply a unit test to see if your code is still valid (to catch a bug early so it can't do any big damage).

If the access token is not valid, you can for example show a message to the user that there is a bug etc.

Community
  • 1
  • 1
Jean-Paul
  • 19,910
  • 9
  • 62
  • 88
  • "It's simply a unit test to see if your code is still valid (to catch a bug early so it can't do any big damage)." - thanks – bitoiu Mar 23 '14 at 11:02