Neverending Facebook API changes

Believe it or not, facebook changed part of its api again. Since today, authorizing for iframe applications does not work the same way it used to. Previously it was enough to redirect:

… where facebook authorized your app and redirects back to the:

… where session was valid access_token.

Since today the mechanism changed into something like this:

… redirects you to the:

… while you do not have valid session (access_token), you have to do the following request:

… now facebook responds with:


Notice, this is the response, not the redirect! Now its time to grab the access_token and use it in your app. This change has direct impact on Authorizing Iframe Facebook Applications For Graph API article.

There have also been some other unannounced changes e.g. in facebook app settings in migrations tab “Remove fb_sig” toggler…

Credits goes to my readers Adam Cousins, David Bardos, Garcimore, Etienne for noticing the changes.

I have just spotted quick fix. All you need to do is add type=user_agent into your auth request:

… now facebook redirects you to:

This token is valid! I have updated the article with this quickfix.

updated Jul 22, 2010: Facebook rollbacked the change and added “Canvas Session Parameter” parameter in facebook app settings / Migrations tab. With this setting enabled, your apps should work normally as they previously did.

24 comments so far

  1. jassa July 21, 2010 14:41

    Thanks for the update – much appreciated. I tried the quick-fix but it didn’t seem to work. My page just keeps redirecting back and forth. Do I also need to worry about the “Remove fb_sig” or any of the other settings?

  2. jassa July 21, 2010 15:07

    Nevermind the last comment – I made the change to line 51 of my html but not line 36 😛
    All good now 😉 Thanks!

  3. Adam Cousins July 21, 2010 17:09

    Thanks so much for the quick fix and for responding quickly.



  4. miguelMoraleda July 21, 2010 17:35

    Have you the link with the announcement from facebook of all changes ?

  5. Jozef Chúťka July 22, 2010 09:26

    @miguelMoraleda, I wish something like that existed… but I am unable to find any valid source

  6. David Bardos July 22, 2010 10:17

    You are fast, mate! 🙂

  7. Toby Skinner July 27, 2010 13:56

    One things that’s been concerning me.

    In order to request an access_token we need to pass across the client secret, which means getting it into the flash app somehow.

    At the moment I am compiling the app with the secret embedded and getting everything else dynamically, is this a security risk? Maybe i’m missing something?



  8. Jozef Chúťka July 27, 2010 14:11

    @Toby, you do not need secret for logging in with FacebookOAuthGraph

  9. Toby Skinner July 27, 2010 14:47

    Ok so my understanding of your approach is this:

    Your FacebookOAuthGraph uses ExternalInterface to popup a call to /oauth/authorize which calls callback.html which in turn calls confirmConnection with an access_token.

    I think I realise that your approach relies on the ‘Canvas Session Parameter’ being enabled, do you think this is good practice as it seems to bypass the code > access_token call.

    Am I right in thinking that if I enabled ‘Canvas Session Parameter’ then I would not need the call to /oauth/access_token since /oauth/authorize would return the access_token direct (instead of an intermediate code).



  10. Jozef Chúťka July 27, 2010 15:00

    @Toby there are two types I use:
    1. standalone app, opens popup “/oauth/authorize” + “type=user_agent”, fb redirects you to your callback with #access_token=123 (url hash)
    2. I use “Canvas Session Parameter” enabled for iframed application. here the auth process goes by redirecting (no popup): my iframe app –(need token?)–> /oauth/authorize –> my iframe app (session param passed into iframe as GET)

    … now for iframed apps you have alternative choices:
    1. use type=user_agent and facebook pushes access_token as GET param into iframe
    2. make auth call without type=user_agent and facebook pushes session GET param into iframe (Canvas Session Parameter enabled required)

    I do not use /oauth/access_token, I find it useless while the mentioned works.

    Q: Am I right in thinking that if I enabled ‘Canvas Session Parameter’ then I would not need the call to /oauth/access_token since /oauth/authorize would return the access_token direct (instead of an intermediate code).
    A: yes, you are right, depends … goto line 1 :}

  11. Toby Skinner July 27, 2010 15:29

    Great stuff, thanks very much.

    I opted for enabling the ‘Canvas Session Parameter’ option which has made things much simpler and I’ve been able to completely remove the call to /oauth/access_token which was a nasty security hole.

    Many thanks


  12. Shaw August 8, 2010 22:08

    Thanks for the


    Parameter. Unfortunately I get a 400 Bad request error when I make a call to file_get_contents(…) in php. Any ideas on a solution?

  13. Jozef Chúťka August 9, 2010 09:59

    hi Shaw, is there any description attached with the response?

  14. Flop August 10, 2010 20:43

    Cant load binnary data from Graph API in flash
    because of crossdomain policy restrictions
    binnary data – its redirect to static server without permisions in crossdomain.xml

    for example
    redirecting to
    and flash cant load it – Error #2048: Security sandbox violation

  15. Jozef Chúťka August 12, 2010 10:26

    @Flop you are right, please read

    you may use Loader insted of URLLoader, if you do not need to access the returned bitmapdata (just displaying image)

  16. Alex Butin August 25, 2010 23:01

    What is a “client_id” and where I can get/read it?

  17. Jozef Chúťka August 26, 2010 13:16

    @Alex client_id is your facebook application ID

  18. MauroX October 20, 2010 22:29

    Hi Jozef,
    I am writing to ask how to do to close the session that is triggered when a user connects to Facebook
    from my application.

  19. Jozef Chúťka October 21, 2010 17:43

    Hi MauroX,
    what exactly do you need? to remove stored access_token in SharedObject? = null;

    or actual access_token?
    _token = null;
    _authorized = false;

  20. Martha November 19, 2010 06:08

    For the authorization response above, I am getting a ‘#’ instead of ‘?’. Any solution for this?


  21. Jozef Chúťka November 19, 2010 19:01

    Hi Martha yes it pushes # instead of ? so you have to parse it via javascript

  22. Martha November 23, 2010 07:56


    Thanks a lot.


  23. annie February 21, 2011 07:29

    hi, i’m a newbie. i followed the code and included the quickfix &type=user_agent. also, enabled the canvas session parameter and it keeps redirecting back and forth? can i ask what am i missing?

  24. Jozef Chúťka February 22, 2011 12:58

Leave a comment

Please be polite and on topic. Your e-mail will never be published.