http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-10.5
http://stackoverflow.com/questions/14010876/cant-get-access-token-using-facebook-oauth
code
REQUIRED. The authorization code generated by the
authorization server. The authorization code MUST expire
shortly after it is issued to mitigate the risk of leaks. A
maximum authorization code lifetime of 10 minutes is
RECOMMENDED. The client MUST NOT use the authorization code
more than once. If an authorization code is used more than
once, the authorization server MUST deny the request and SHOULD
revoke (when possible) all tokens previously issued based on
that authorization code. The authorization code is bound to
the client identifier and redirection URI.
authorization codes MUST be short lived and single use
access_token should be posted
Facebook's official SDKs manage the lifetime of tokens for you. When using iOS, Android or our JavaScript SDK, the SDK will handle making sure that tokens are refreshed before they expire.
很好的facebook api相关的博客: https://www.sammyk.me/
https://github.com/SammyK/LaravelFacebookSdk 这个github的作者
https://developers.facebook.com/docs/reference/login/signed-request
For certain types of apps, a signed request is passed to the app which contains some additional fields of information, even before Permissions have been requested.
The JSON object of the signed request does not have a strict format and varies between the different types of apps that can access it (Canvas, Page Apps, etc.), however you can assume that the payload may contain some of the following fields and values:
Name | Description |
---|---|
|
an OAuth Code which can be exchanged for a valid user access token via a subsequent server-side request |
|
A JSON string containing the mechanism used to sign the request, normally: |
|
A JSON number containing the Unix timestamp when the request was signed. |
|
A JSON string containing the User ID of the current user. |
|
A JSON object containing the |
|
A JSON string that can be used when making requests to the Graph API. This is also known as a user access token. |
|
A JSON number containing the Unix timestamp when the |
|
A JSON string containing the content of the |
|
A JSON object included when a Page tab loads your app. The object contains information about the Page that owns this tab. |
Some fields and values, the user_id
and oauth_token
for example will only be passed if the user haslogged into your app.