2014-04-05

Instead of using any Facebook SDK, I'm using HTTP Requests.
Here is the URL I'm using to log the user into my application: (Not Real ID or URL)

The documentation is HERE. Official Facebook Login

After the user signs in with Facebook, my website loads with an access token appended to the URL. I request response_type=token so I get a token, not a code or both a code and a token.

According to the Facebook documentation, Confirming Identity

Because this redirect flow involves browsers being redirected to URLs
in your app from the Login dialog, traffic could directly access this
URL with made-up fragments or parameters. If your app assumed these
were valid parameters, the made-up data would be used by your app for
potentially malicious purposes. As a result, your app should confirm
that the person using the app is the same person that you have
response data for before generating an access token for them.
Confirming identity is accomplished in different ways depending on the
response_type received above:

And because I am receiving a token this quote from Facebook documentation should apply to me:

When token is received, it needs to be verified. You should make an
API call to an inspection endpoint that will indicate who the token
was generated for and by which app. You can do this from the client or
from the server, depending on your use case.

For this particular situation, there is a section titled, Inspecting Access Tokens:

Here is the quote from the Facebook documentation:

Whether or not your app uses code or token as your response_type from
the Login dialog, at this point it will have received an access token.
However, for the same security reasons as above, you should perform an
automated check to confirm that the token belongs to the person that your
app is expecting it to belong to, and that it was your app that
generated the token.
We provide the following Graph API endpoint that can be used to inspect access tokens:

So, I have parsed the access token from the end of the URL, and then made another GET request from the server as configured in the example for the inspection, and I cannot get it to work. I have tried using a generated app token and I have tried using my App ID plus my App Secret, and nothing works. I get an error message:

If I use the Facebook Debugger

And paste in the token that was returned from the login, it works fine. I get information back. So the token I'm getting back is valid.

I'm using the exact syntax for inspecting the Access Token, and I've checked every character many times for spelling or syntax errors. There must be something else causing the request to be rejected. For test purposes, I am sending the HTTP GET Request from a different URL, but because tokens are portable, Facebook allows requests from different places, for example, from a server.

Why is my request failing?

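The check the quoted documentation asks for (extract the token from the URL fragment, call the `debug_token` inspection endpoint with an app access token, then confirm `is_valid`, that `app_id` is your own app and that `user_id` is the user you expect) looks like this end to end. This is an added example, not code from the question or from Facebook; the HTTP fetch is injectable so the block runs offline against constructed sample responses, and the app id, secret, token and user id values are placeholders. The `app_id|app_secret` form of the app access token and the `data.is_valid` / `data.app_id` / `data.user_id` fields of the `debug_token` response are documented Graph API behaviour.

```python
import json
import urllib.parse
import urllib.request

GRAPH_API = "https://graph.facebook.com"


def parse_token_from_fragment(redirect_url):
    """Return the access_token the Login dialog appends in the URL fragment
    for response_type=token (…#access_token=XXX&expires_in=NNN).
    The fragment is never sent to the server by the browser, so in practice
    client-side JS forwards it; the parsing is the same either way."""
    fragment = urllib.parse.urlsplit(redirect_url).fragment
    params = urllib.parse.parse_qs(fragment)
    tokens = params.get("access_token")
    if not tokens:
        raise ValueError("no access_token in URL fragment")
    return tokens[0]


def app_access_token(app_id, app_secret):
    """The Graph API accepts "APP_ID|APP_SECRET" as an app access token.
    Only ever build this on the server; the secret must not reach the browser."""
    return f"{app_id}|{app_secret}"


def fetch_json(url):
    """Real network fetch (not used by the offline demo below)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def inspect_token(input_token, app_token, fetch=fetch_json):
    """Call GET /debug_token?input_token=...&access_token=... and return the parsed body.
    urlencode percent-encodes the '|' in the app token, which the API expects."""
    query = urllib.parse.urlencode({"input_token": input_token, "access_token": app_token})
    return fetch(f"{GRAPH_API}/debug_token?{query}")


def verify_login(redirect_url, app_id, app_secret, expected_user_id=None, fetch=fetch_json):
    """Confirm that a token received via the redirect really belongs to this app
    (and, if known, to the expected user). Returns (ok, user_id_or_reason)."""
    token = parse_token_from_fragment(redirect_url)
    body = inspect_token(token, app_access_token(app_id, app_secret), fetch)
    if "error" in body:  # e.g. a malformed or revoked input token
        return False, "inspection failed: " + str(body["error"].get("message"))
    data = body.get("data", {})
    if not data.get("is_valid"):
        return False, "token is not valid"
    if str(data.get("app_id")) != str(app_id):
        # A valid token for some other app: a made-up fragment must be rejected here
        return False, "token was issued for a different app"
    if expected_user_id is not None and str(data.get("user_id")) != str(expected_user_id):
        return False, "token belongs to a different user"
    return True, str(data.get("user_id"))


# Constructed sample values (placeholders, not real ids or tokens)
MY_APP_ID = "123456789012345"
MY_APP_SECRET = "PLACEHOLDER_APP_SECRET"
SAMPLE_REDIRECT = "https://example.com/fb-callback#access_token=CONSTRUCTED_TOKEN&expires_in=5183836"


def fake_fetch_own_app(url):
    """Constructed debug_token response for a token issued by our own app."""
    return {"data": {"app_id": MY_APP_ID, "is_valid": True, "user_id": "1000123",
                     "scopes": ["public_profile"], "expires_at": 1401234567}}


def fake_fetch_other_app(url):
    """Constructed response for a genuine token that belongs to a different app."""
    return {"data": {"app_id": "999999999999999", "is_valid": True, "user_id": "1000123"}}


def fake_fetch_error(url):
    """Constructed response for an unparseable input token."""
    return {"error": {"message": "Invalid OAuth access token.", "type": "OAuthException", "code": 190}}


def demo():
    """Run the three scenarios offline and return their outcomes."""
    return {
        "own_app": verify_login(SAMPLE_REDIRECT, MY_APP_ID, MY_APP_SECRET, "1000123", fake_fetch_own_app),
        "other_app": verify_login(SAMPLE_REDIRECT, MY_APP_ID, MY_APP_SECRET, None, fake_fetch_other_app),
        "bad_token": verify_login(SAMPLE_REDIRECT, MY_APP_ID, MY_APP_SECRET, None, fake_fetch_error),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `app_id` comparison is the part that matters for the threat the documentation describes: a token that `debug_token` reports as valid can still have been issued to a different app, and a login handler that only checks `is_valid` would accept it. Swap `fetch_json` in for the fake fetchers to run the real inspection from the server.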