The OAuth Dialog is used within the authentication flows to enable a user to authorize your application and to grant additional permissions to your app. Facebook's authentication flows are based on the OAuth 2.0 protocol.
To invoke the OAuth Dialog, redirect the user's browser to a URL of the form:
http://www.facebook.com/dialog/oauth/?client_id=YOUR_APP_ID&redirect_uri=YOUR_REDIRECT_URL&state=YOUR_STATE_VALUE&scope=COMMA_SEPARATED_LIST_OF_PERMISSION_NAMES
The OAuth Dialog supports the following parameters which may be passed in the URL string:
client_id||Yes*||Your App ID. This is called
redirect_uri||Yes*||Should not be set when using the JS SDK to invoke the dialogs. The URL to redirect to after the user clicks a button in the dialog. The URL you specify must be a URL with the same Base Domain as specified in your app's settings, a Canvas URL of the form
scope||No||A comma separated list of permission names which you would like the user to grant your application. Only the permissions which the user has not already granted your application will be shown.
state||No||A unique string used to maintain application state between the request and callback. When Facebook redirects the user back to your
response_type||No||The requested response type, one of
display||No||The display mode with which to render the Dialog. One of
*Important: When using the JS SDK, do not specify client_id or redirect_uri - these will be set by the SDK.
If the user authorizes your application, the browser will redirect to the URL you specified in the
If response_type was left unset or was set to the value code and the user authorizes your application, the browser will be redirected to:
YOUR_REDIRECT_URI?code=OAUTH_CODE_GENERATED_BY_FACEBOOK&state=YOUR_STATE_VALUE
See the server-side authentication documentation for how to exchange this code for a user access token.
If response_type was the value token and the user authorizes your application, the browser will be redirected to:
YOUR_REDIRECT_URI#access_token=USER_ACCESS_TOKEN&expires_in=NUMBER_OF_SECONDS_UNTIL_TOKEN_EXPIRES&state=YOUR_STATE_VALUE
See the client-side authentication documentation for more on how to handle this response.
If the user does not authorize your application, the browser will redirect to:
YOUR_REDIRECT_URI?error_reason=user_denied&error=access_denied&error_description=The+user+denied+your+request.&state=YOUR_STATE_VALUE
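Every redirect above echoes the state value, which lets the receiving server reject callbacks it did not start. The following sketch of the response_type=code flow is an added example, not code from Facebook's documentation: the function names, the exception class and the sample permission names in the usage are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

DIALOG_URL = "http://www.facebook.com/dialog/oauth/"  # endpoint as given on this page


class OAuthCallbackError(Exception):
    """Raised when a callback must not be trusted or the user declined."""


def build_dialog_url(app_id, redirect_uri, permissions=()):
    """Return (url, state). Keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per authorization attempt
    params = {"client_id": app_id, "redirect_uri": redirect_uri, "state": state}
    if permissions:
        params["scope"] = ",".join(permissions)  # comma separated list
    return DIALOG_URL + "?" + urlencode(params), state


def handle_callback(callback_url, expected_state):
    """Validate a response_type=code callback and return the OAuth code."""
    query = parse_qs(urlsplit(callback_url).query)
    returned_state = query.get("state", [""])[0]
    # Check state before reading anything else: a mismatch means this session
    # did not start the redirect (cross-site request forgery).
    if not expected_state or not hmac.compare_digest(
            returned_state.encode(), expected_state.encode()):
        raise OAuthCallbackError("state mismatch")
    if "error" in query:
        # Denial redirect: error=access_denied&error_reason=user_denied
        reason = query.get("error_reason", ["unknown"])[0]
        raise OAuthCallbackError(f"{query['error'][0]}: {reason}")
    code = query.get("code", [""])[0]
    if not code:
        raise OAuthCallbackError("callback carried no code")
    return code
```

The returned code is then exchanged for a user access token as described in the server-side authentication documentation; discard the stored state after one use so a captured callback URL cannot be replayed.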