I'm working on a Facebook app and there's something I'm just not understanding about how their authorization system works.

Our basic setup is this:

canvas URL = domain.com/facebook

This is a simple page with an FBML Iframe element that points to domain.com/facebook/app which is an HTML page that serves up a Flash Application.

The Flash Application requests additional data from our application server - some of those requests ask for Facebook data (such as a list of friend IDs).

So Flash then makes a request to domain.com/resources/facebook/friends - this is a PHP page which creates a Facebook instance (their PHP library) and performs the necessary call to their API and returns the data.

However, the request to this URL (by Flash) doesn't validate, so it is then redirected to their login, which then itself redirects back to my canvas URL with two parameters - auth_token and next. So the request is valid, but the redirect breaks the Flash call.

So, I'm trying to figure out how to make these other API calls (which themselves make Facebook API calls) be Facebook-validated from the get-go.

+1  A: 

Ok, I figured it out.

As it turns out, Flash already follows the redirects - all I needed to do was detect (at the canvas URL) when there was an authorization request (noted by the presence of auth_token and next) and include the auth_token as a GET parameter when I redirected to the next URL (basically, forward the auth_token on to the original request).

So, contrary to what I said above, the redirect did NOT break the flash call - it just didn't have enough data to be a valid request.

Peter Bailey
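
The forwarding step described in this answer, as an added example that is not part of the original post: the canvas handler forwards `auth_token` only when `next` points back at the application's own API endpoints, so the token is never appended to a URL on another host. The helper name `build_forward_url`, the `/resources/facebook/` prefix (taken from the question's endpoint) and the assumption that `next` is an absolute URL are illustrative.

```php
<?php
// Added example, not the poster's code. Host comes from the question;
// the path prefix and the function name are assumptions.
const ALLOWED_HOST   = 'domain.com';
const ALLOWED_PREFIX = '/resources/facebook/';

/**
 * Return the URL to redirect to for an authorization callback, or null
 * when the request is not a callback or `next` is not one of our endpoints.
 */
function build_forward_url(array $query): ?string
{
    if (!isset($query['auth_token'], $query['next'])
        || !is_string($query['auth_token']) || !is_string($query['next'])) {
        return null; // not an authorization callback
    }
    $next = $query['next'];
    // Control characters could split the Location header; backslashes and
    // ".." are rejected so the prefix check below cannot be bypassed.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $next) || strpos($next, '..') !== false) {
        return null;
    }
    $parts = parse_url($next);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null; // assumption: next is an absolute URL
    }
    $scheme = strtolower($parts['scheme']);
    if (($scheme !== 'http' && $scheme !== 'https')
        || strtolower($parts['host']) !== ALLOWED_HOST
        || isset($parts['user']) || isset($parts['pass'])
        || strpos($parts['path'], ALLOWED_PREFIX) !== 0) {
        return null; // off-site or outside the API endpoints
    }
    // Rebuild the URL from validated parts only and add the token.
    $params = array();
    parse_str(isset($parts['query']) ? $parts['query'] : '', $params);
    $params['auth_token'] = $query['auth_token'];
    return $scheme . '://' . ALLOWED_HOST . $parts['path'] . '?' . http_build_query($params);
}

// At the canvas URL: forward the callback, otherwise render the canvas page.
$target = build_forward_url($_GET);
if ($target !== null) {
    header('Location: ' . $target, true, 302);
    exit;
}
```

Because the token travels in the query string, it will also appear in web server access logs for the forwarded request.
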
A: 

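Solve by putting the code below instead of the "require_login()" line:

// $facebook is the Facebook object from the PHP client library.
$sess_data = null;
if (isset($_GET['auth_token'])) {
    // Exchange the forwarded auth_token for a session.
    $sess_data = $facebook->api_client->call_method('auth.getSession', array('auth_token' => $_GET['auth_token']));
}
if ($sess_data) {
    $facebook->set_user($sess_data['uid'], $sess_data['session_key'], $sess_data['expires']);
    $user = $sess_data['uid'];
} else {
    // No auth_token, or no session came back: use the normal login flow.
    $user = $facebook->require_login();
}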
Matt