使用PHP 3.1.1和Javascript SDK进行Facebook Oauth 2.0登录

Question

I am trying to migrate to the new Facebook API for websites, and just can't get it to work smoothly. I would like to use the Javascript and PHP SDKs together, but am having problems. I can authenticate, but the page doesn't refresh automatically.

I have searched throughout SO and the Facebook documentation, but still can't get this to work correctly. I have read through http://developers.facebook.com/blog/post/534/ , dowloaded the latest PHP SDK (3.1.1), and basically copied the example on the aforementioned post from facebook. I have made what I think are the correct settings in my app 'Migration' settings, but this could be where the problem lies. I can't post an image, so here are the setting:

• Remove Deprecated API's: Enabled
• Forces use of login secret: Enabled
• Encrypted Access token: Enabled
• Enhanced Auth Dialog: Enabled
• (Everything else is disabled)

Here is the code:

<?php

require 'php-sdk/src/facebook.php';

$facebook = new Facebook(array(
  'appId'  => 'YOUR_APP_ID',
  'secret' => 'YOUR_APP_SECRET',
));

// See if there is a user from a cookie
$user = $facebook->getUser();

if ($user) {
  try {
  // Proceed knowing you have a logged in user who's authenticated.
  $user_profile = $facebook->api('/me');
} catch (FacebookApiException $e) {
  echo '<pre>'.htmlspecialchars(print_r($e, true)).'</pre>';
  $user = null;
  }
}

?>
<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">
  <body>
    <?php if ($user_profile) { ?>
      Your user profile is 
      <pre>            
         <?php print htmlspecialchars(print_r($user_profile, true)) ?>
      </pre> 
    <?php } else { ?>
      <fb:login-button></fb:login-button>
    <?php } ?>
    <div id="fb-root"></div>
    <script>               
      window.fbAsyncInit = function() {
         FB.init({
           appId: '<?php echo $facebook->getAppID() ?>', 
           cookie: true, 
           xfbml: true,
           oauth: true
         });
        FB.Event.subscribe('auth.login', function(response) {
          window.location.reload();
        });
        FB.Event.subscribe('auth.logout', function(response) {
          window.location.reload();
        });
       };
      (function() {
        var e = document.createElement('script'); e.async = true;
        e.src = document.location.protocol +
          '//connect.facebook.net/en_US/all.js';
          document.getElementById('fb-root').appendChild(e);
      }());
    </script>
  </body>
</html>

Answer 1

I was going to write this as a comment but it got a bit long... :)

A couple of pointers using the PHP SDK:

$facebook->getUser(); 

This will work regardless of authentication. getUser() pulls publicly available data that does not require an access token, HOWEVER if you do have an access token and the user has provided email permissions for example, this method will also contain their email address.

A better test for an authenticated user:

$code = $_REQUEST['code'] ? true : false;
if (!$code) {
    echo ("<script>window.top.location=\"...\"</script>");
}

will check if a user has authorised your app.

$access = $facebook->getAccessToken();

Make sure that you always request the Access Token (priority!) You will only ever recieve a signed request when you have been redirected from a facebook dialogue to your app. (ie) oAUTH dialogue. This method of the SDK will also save your Access Token to a session variable. You can call the getAccessToken() method on any subsequent app page where a PHP session is active EVEN WHEN no signed request has been issued.

Now that you have your valid access token for the logged in user, you can proceed with:

$user = $facebook->api('/me');

or, simpler still:

$user = $facebook->getUser();

I tend to reserve API calls for more complex requests such as posting to a users feed / friends feed.

So to recap:

-> check for $code -> get signed request on first page after oAuth dialogue. -> If browser cookies are disabled (likely in ie) don't forget to pass your session to the next page with the SID constant. If you don't, you will loose your stored access token (not good!).