I was trying to follow the Facebook OAuth documentation. I finally have it figured out. There are three parties and multiple steps involved. I have created a diagram to show the flow (the server-side flow).

This is a condensed version of Facebook's documentation of the steps required.

1. Redirect the user to Facebook's OAuth Dialog /dialog/oauth?app_id.
   1. User authentication - If the user is not logged in, they are prompted to enter their credentials.
   2. App authorization - After the user is successfully authenticated, the OAuth Dialog will prompt the user to authorize the app.
2. After the app is authorized, the OAuth Dialog will redirect (via HTTP 302) the user's browser to the URL you passed in the redirect_uri parameter with an authorization code.
3. App authentication - In order to authenticate your app, you must pass the authorization code and your app secret to the Graph API token endpoint /oauth/access_token?app_id&secret&code. If your app is successfully authenticated and the authorization code from the user is valid, the authorization server will return the access token.

If you got a "Error validating verification code" in step 3, note that the redirect_uri should be the same as in step 1. See the issue on StackOverflow.

2011.02.19 [programming] - comments