Believe it or not, facebook changed part of its api again. Since today, authorizing for iframe applications does not work the same way it used to. Previously it was enough to redirect:
https://graph.facebook.com/oauth/authorize ?client_id=268718683475 &redirect_uri=http://apps.facebook.com/blogoauthgraph/ &scope=publish_stream,user_photos,user_photo_video_tags
… where facebook authorized your app and redirects back to the:
… where session was valid access_token.