Authentication and Authorization for Facebook for Mobile Applications

From Facebook Developer Wiki


Authenticating and authorizing users of Mobile Facebook applications involves these tasks:

  • You need to direct the user to authorize your application.
  • You can use the auth_token that gets returned to generate a user session. Having a valid user session lets you get more information from a user through the API; if you need more information than the API can offer, you can prompt the user for extended permissions.

Logging In and Getting a Session

When a user visits your site, you need to direct the user to authorize your application.

Direct the user to m.facebook.com/tos.php, and include the following URL parameters:

  • api_key: The API key you received from Facebook earlier.
  • v: Set to 1.0 so you can correctly call the Platform API.
  • next: The URL to which a user who successfully logs in to Facebook is redirected. This URL can either be a subdomain of your Connect URL (which you specify in your application settings) or be anywhere on the facebook.com domain, like www.facebook.com/connect/login_success.html
  • cancel: The URL to redirect a user who cancels the login.

For example:

http://m.facebook.com/tos.php?api_key=YOUR_API_KEY&v=1.0&next=URL_AFTER_LOGIN&cancel=URL_IF_CANCEL


If the user is not logged in to Facebook, Facebook redirects the user to m.facebook.com/login.php, where we will prompt the user to log in to Facebook, then authorize your application.

After the user logs in and connects to your application, we return your callback URL with two parameters:

  • auth_token: Mobile applications need to use the auth token to generate a valid user session by calling auth.getSession. Having a valid session lets you call the Platform API.
  • installed: This is set to 1, to indicate the user authorized your application.

For example:

http://itsti.me/?auth_token=AUTH_TOKEN&installed=1

Prompting for Permissions

Prompting for extended permissions from a mobile application follows the desktop application model. You direct your users to this URL:

http://www.facebook.com/connect/prompt_permissions.php

You need to include the following URL parameters:

  • api_key: The API key you received from Facebook earlier.
  • ext_perm: A comma-separated string of the extended permissions you want the user to grant.
  • next: The URL to request after the user logs in to your application. This URL can either be a subdomain of your Connect URL (which you specify in your application settings) or be anywhere on the facebook.com domain, like www.facebook.com/connect/login_success.html.
  • cancel: The URL to redirect a user who cancels the dialog.
  • display: Set this to wap.

For example:

http://www.facebook.com/connect/prompt_permissions.php?api_key=YOUR_API_KEY&ext_perm=PERMISSION,PERMISSION&next=URL_AFTER_APPROVAL&cancel=URL_IF_CANCEL&display=wap
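As an added example (not code from the original page or from Facebook), the following Python builds both the tos.php login URL and the prompt_permissions.php URL with proper encoding, checks a `next` URL against the rule stated above before using it, and parses the callback so that auth.getSession is only called once installed=1 and an auth_token are present. The API key and the Connect URL are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders for this example; not a real key or application.
API_KEY = "YOUR_API_KEY"
CONNECT_URL = "http://example.com/"  # assumed Connect URL from the app settings

TOS_URL = "http://m.facebook.com/tos.php"
PERMS_URL = "http://www.facebook.com/connect/prompt_permissions.php"


def next_url_allowed(url, connect_url=CONNECT_URL):
    """Apply the documented rule for `next`: the host must be the Connect URL's
    host (or a subdomain of it) or anywhere on the facebook.com domain.
    Checking the parsed hostname, not a substring, rejects look-alike hosts."""
    host = (urlparse(url).hostname or "").lower()
    connect_host = (urlparse(connect_url).hostname or "").lower()
    for allowed in (connect_host, "facebook.com"):
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def login_url(next_url, cancel_url):
    """Build the m.facebook.com/tos.php URL that starts authorization."""
    if not next_url_allowed(next_url):
        raise ValueError("next must be on the Connect URL or facebook.com")
    params = {"api_key": API_KEY, "v": "1.0", "next": next_url, "cancel": cancel_url}
    return TOS_URL + "?" + urlencode(params)


def permissions_url(ext_perms, next_url, cancel_url):
    """Build the prompt_permissions.php URL; ext_perm is comma-separated."""
    if not next_url_allowed(next_url):
        raise ValueError("next must be on the Connect URL or facebook.com")
    params = {"api_key": API_KEY, "ext_perm": ",".join(ext_perms),
              "next": next_url, "cancel": cancel_url, "display": "wap"}
    return PERMS_URL + "?" + urlencode(params)


def parse_callback(callback_url):
    """Return the auth_token from the redirect to `next`, or None unless the
    callback carries installed=1 and a non-empty auth_token. Only a returned
    token should be exchanged for a session via auth.getSession."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("installed", [""])[0] != "1":
        return None
    token = qs.get("auth_token", [""])[0]
    return token or None
```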

See Also

reference