The SDK can be used to support logging a Facebook user into your site using Facebook Login which is based on OAuth 2.0.
Most all request made to the Graph API require an access token. We can obtain user access tokens with the SDK using the helper classes.
Obtaining an access token from redirect
For most websites, you’ll use the Facebook\Helpers\FacebookRedirectLoginHelper to generate a login URL with the getLoginUrl() method. The link will take the user to an app authorization screen and upon approval, will redirect them back to a URL that you specified. On the redirect callback page we can obtain the user access token as an AccessToken entity.
For this example we’ll assume login.php will present the login link and the user will be redirected to login-callback.php where we will obtain the access token.
# login.php
$fb = new Facebook\Facebook([/* . . . */]);
$helper = $fb->getRedirectLoginHelper();
$permissions = [’email’, ‘user_likes’]; // optional
$loginUrl = $helper->getLoginUrl(‘http://{your-website}/login-callback.php’, $permissions);
echo ‘<a href=”‘ . $loginUrl . ‘”>Log in with Facebook!</a>’;
The FacebookRedirectLoginHelper makes use of sessions to store a CSRF value. You need to make sure you have sessions enabled before invoking the getLoginUrl() method. This is usually done automatically in most web frameworks, but if you’re not using a web framework you can add session_start(); to the top of your login.php & login-callback.php scripts.
# login-callback.php
$fb = new Facebook\Facebook([/* . . . */]);
$helper = $fb->getRedirectLoginHelper();
try {
$accessToken = $helper->getAccessToken();
} catch(Facebook\Exceptions\FacebookResponseException $e) {
// When Graph returns an error
echo ‘Graph returned an error: ‘ . $e->getMessage();
exit;
} catch(Facebook\Exceptions\FacebookSDKException $e) {
// When validation fails or other local issues
echo ‘Facebook SDK returned an error: ‘ . $e->getMessage();
exit;
}
if (isset($accessToken)) {
// Logged in!
$_SESSION[‘facebook_access_token’] = (string) $accessToken;
// Now you can redirect to another page and use the
// access token from $_SESSION[‘facebook_access_token’]
}
Obtaining an access token from a Facebook Canvas context
If your app is on Facebook Canvas, use the getAccessToken() method on Facebook\Helpers\FacebookCanvasHelper to get an AccessToken entity for the user.
The FacebookCanvasHelper will detect a signed request for you and attempt to obtain an access token using the payload data from the signed request. The signed request will only contain the data needed to obtain an access token if the user has already authorized your app sometime in the past. If they have not yet authorized your app the getAccessToken() will return null and you will need to log the user in with either the redirect method or by using the SDK for JavaScript and then use the SDK for PHP to obtain the access token from the cookie the SDK for JavaScript set.
# example-canvas-app.php
$fb = new Facebook\Facebook([/* . . . */]);
$helper = $fb->getCanvasHelper();
try {
$accessToken = $helper->getAccessToken();
} catch(Facebook\Exceptions\FacebookResponseException $e) {
// When Graph returns an error
echo ‘Graph returned an error: ‘ . $e->getMessage();
exit;
} catch(Facebook\Exceptions\FacebookSDKException $e) {
// When validation fails or other local issues
echo ‘Facebook SDK returned an error: ‘ . $e->getMessage();
exit;
}
if (isset($accessToken)) {
// Logged in.
}
If your app exists within the context of a Page tab, you can obtain an access token using the example above since a Page tab is very similar to a Facebook Canvas app. But if you’d like to use a Page-tab-specific helper, you can use the Facebook\Helpers\FacebookPageTabHelper
Obtaining an access token from the SDK for JavaScript
If you’re already using the Facebook SDK for JavaScript to authenticate users, you can obtain the access token with PHP by using the FacebookJavaScriptHelper. The getAccessToken() method will return an AccessToken entity.
# example-obtain-from-js-cookie-app.php
$fb = new Facebook\Facebook([/* . . . */]);
$helper = $fb->getJavaScriptHelper();
try {
$accessToken = $helper->getAccessToken();
} catch(Facebook\Exceptions\FacebookResponseException $e) {
// When Graph returns an error
echo ‘Graph returned an error: ‘ . $e->getMessage();
exit;
} catch(Facebook\Exceptions\FacebookSDKException $e) {
// When validation fails or other local issues
echo ‘Facebook SDK returned an error: ‘ . $e->getMessage();
exit;
}
if (isset($accessToken)) {
// Logged in
}
Make sure you set the {cookie:true} option when you initialize the SDK for JavaScript. This will make the SDK for JavaScript set a cookie on your domain containing information about the user in the form of a signed request.
Extending the access token
When a user first logs into your app, the access token your app receives will be a short-lived access token that lasts about 2 hours. It’s generally a good idea to exchange the short-lived access token for a long-lived access token that lasts about 60 days.
To extend an access token, you can make use of the OAuth2Client.
// OAuth 2.0 client handler
$oAuth2Client = $fb->getOAuth2Client();
// Exchanges a short-lived access token for a long-lived one
$longLivedAccessToken = $oAuth2Client->getLongLivedAccessToken(‘{access-token}’);
