Hi all,
I'm using the oauth 2.0 authentication within a canvas app. I just
noticed that I seem to be doing this in a non-standard way (or at
least - it does not appear to be documented by facebook) - albeit that
it works.
Just wondering if others are doing this as well - and if there are any
adverse consequences of doing it this way?
I have a callback url like:
/oauth_redirect
After facebook authenticates the user, and the browser redirects to
this callback url, I have a code value in params[:code].
As per the oauth spec for web server flow - and facebook's own oauth
documentation for "Authenticating Users in a Web Application" [1], I
am then meant to exchange this code for an access token by calling:
https://graph.facebook.com/oauth/access_token?
  client_id=...&
  redirect_uri=http://www.example.com/oauth_redirect&
  client_secret=...&
  code=...
However, as this is a canvas app, you will also find at this point a
signed_request value exists in the params. You can just extract the
token from this signed request without the additional roundtrip to the
server as described above.
Does anyone else do it this way? Pros/cons?
thx
Murray
[1] http://developers.facebook.com/docs/authentication/
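The shortcut described in the post (reading the token out of the canvas signed_request instead of exchanging the code) is only safe if the signed_request's signature is actually verified against the app secret before anything in the payload is trusted, since the value arrives in a client-controlled POST. The following is an added example, not code from the post or from Facebook; it assumes the signed_request format as Facebook documented it (base64url signature, a dot, base64url JSON payload; HMAC-SHA256 over the encoded payload keyed with the app secret; an `algorithm` field and an `oauth_token` field in the payload). The secret, token and user id are constructed values, and `build_signed_request` exists only so the example runs offline.

```ruby
require 'openssl'
require 'base64'
require 'json'

# base64url (RFC 4648 sec. 5) without padding, as used by signed_request.
def base64url_decode(str)
  padded = str + '=' * ((4 - str.length % 4) % 4)
  Base64.decode64(padded.tr('-_', '+/'))
end

def base64url_encode(bytes)
  Base64.strict_encode64(bytes).tr('+/', '-_').delete('=')
end

# Constant-time byte comparison so a mismatch does not leak how many
# leading signature bytes were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify and parse a signed_request. Returns the payload Hash on success,
# nil if the structure, algorithm or HMAC does not check out. Only a
# payload returned from here should be read for oauth_token / user_id.
def parse_signed_request(signed_request, app_secret)
  sig_b64, payload_b64 = signed_request.to_s.split('.', 2)
  return nil if sig_b64.nil? || payload_b64.nil? || sig_b64.empty?

  # The MAC is computed over the still-encoded payload string.
  expected = OpenSSL::HMAC.digest('sha256', app_secret, payload_b64)
  return nil unless secure_equal?(expected, base64url_decode(sig_b64))

  payload = JSON.parse(base64url_decode(payload_b64))
  return nil unless payload.is_a?(Hash)
  return nil unless payload['algorithm'].to_s.upcase == 'HMAC-SHA256'
  payload
rescue JSON::ParserError, ArgumentError
  nil
end

# Constructed test vector (hypothetical helper, not part of any real flow):
# builds a signed_request the same way the platform would so that the
# parser can be exercised without a live canvas request.
def build_signed_request(payload, app_secret)
  payload_b64 = base64url_encode(JSON.generate(payload))
  sig = OpenSSL::HMAC.digest('sha256', app_secret, payload_b64)
  "#{base64url_encode(sig)}.#{payload_b64}"
end

APP_SECRET = 'constructed-app-secret-not-real'
SAMPLE_PAYLOAD = {
  'algorithm'   => 'HMAC-SHA256',
  'issued_at'   => 1_300_000_000,
  'user_id'     => '12345',
  'oauth_token' => 'constructed-token'
}
SAMPLE = build_signed_request(SAMPLE_PAYLOAD, APP_SECRET)

# Original signature glued onto a payload with a different user_id: the
# kind of thing a client could post if the server skipped verification.
TAMPERED = "#{SAMPLE.split('.').first}." +
           base64url_encode(JSON.generate(SAMPLE_PAYLOAD.merge('user_id' => '99999')))

if __FILE__ == $PROGRAM_NAME
  ok = parse_signed_request(SAMPLE, APP_SECRET)
  puts "valid request   -> user #{ok['user_id']}, token #{ok['oauth_token']}"
  puts "tampered payload -> #{parse_signed_request(TAMPERED, APP_SECRET).inspect}"
  puts "wrong secret     -> #{parse_signed_request(SAMPLE, 'other-secret').inspect}"
end
```

In a Rails controller this would be called with `params[:signed_request]` and the app secret from configuration; if it returns nil, fall back to the documented code-for-token exchange (or reject the request) rather than reading any field from the unverified payload.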