I was trying to follow the Facebook OAuth documentation. I finally have it figured out. There are three parties and multiple steps involved. I have created a diagram to show the flow (the server-side flow).
This is a condensed version of Facebook's documentation of the steps required.
- Redirect the user to Facebook's OAuth Dialog /dialog/oauth?app_id.
- User authentication - If the user is not logged in, they are prompted to enter their credentials.
- App authorization - After the user is successfully authenticated, the OAuth Dialog will prompt the user to authorize the app.
- After the app is authorized, the OAuth Dialog will redirect (via HTTP 302) the user's browser to the URL you passed in the redirect_uri parameter with an authorization code.
- App authentication - In order to authenticate your app, you must pass the authorization code and your app secret to the Graph API token endpoint /oauth/access_token?app_id&secret&code. If your app is successfully authenticated and the authorization code from the user is valid, the authorization server will return the access token.
If you got a "Error validating verification code" in step 3, note that the redirect_uri should be the same as in step 1. See the issue on StackOverflow.
2011.02.19 comments -