  • Facebook API & OAuth protocol

    http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-10.5

    http://stackoverflow.com/questions/14010876/cant-get-access-token-using-facebook-oauth

    code
    REQUIRED. The authorization code generated by the
    authorization server. The authorization code MUST expire
    shortly after it is issued to mitigate the risk of leaks. A
    maximum authorization code lifetime of 10 minutes is
    RECOMMENDED. The client MUST NOT use the authorization code
    more than once. If an authorization code is used more than
    once, the authorization server MUST deny the request and SHOULD
    revoke (when possible) all tokens previously issued based on
    that authorization code. The authorization code is bound to
    the client identifier and redirection URI.

    authorization codes MUST be short lived and single use

    access_token should be posted

    Expiration and Extending Tokens

    Facebook's official SDKs manage the lifetime of tokens for you. When using iOS, Android or our JavaScript SDK, the SDK will handle making sure that tokens are refreshed before they expire.

    A very good blog about the Facebook API: https://www.sammyk.me/

    The blog is by the author of this GitHub repository: https://github.com/SammyK/LaravelFacebookSdk

    https://developers.facebook.com/docs/reference/login/signed-request

    For certain types of apps, a signed request is passed to the app which contains some additional fields of information, even before Permissions have been requested.

    The JSON object of the signed request does not have a strict format and varies between the different types of apps that can access it (Canvas, Page Apps, etc.), however you can assume that the payload may contain some of the following fields and values:

    | Name | Description |
    |------|-------------|
    | code | An OAuth Code which can be exchanged for a valid user access token via a subsequent server-side request. |
    | algorithm | A JSON string containing the mechanism used to sign the request, normally: HMAC-SHA256. |
    | issued_at | A JSON number containing the Unix timestamp when the request was signed. |
    | user_id | A JSON string containing the User ID of the current user. |
    | user | A JSON object containing the locale string, country string and the age object. See the Age Object table for actual min and max values. |
    | oauth_token | A JSON string that can be used when making requests to the Graph API. This is also known as a user access token. |
    | expires | A JSON number containing the Unix timestamp when the oauth_token expires. |
    | app_data | A JSON string containing the content of the app_data query string parameter which may be passed if the app is being loaded within a Page Tab. |
    | page | A JSON object included when a Page tab loads your app. The object contains information about the Page that owns this tab. |

    Some fields and values, the user_id and oauth_token for example, will only be passed if the user has logged into your app.

  • Original post: https://www.cnblogs.com/argb/p/4269529.html