The Facebook Graph and OAuth 2.0

During my recent Facebook app development using Java, I had to have some minor integration with Facebook, and I am here to share what I have learned and the cool parts about Facebook’s “Graph.”

Introduction to Working with Facebook

When writing my application, it happened to be a canvas app, or it was accessed via an iframe to my actual app. When I would get a new user I would immediately get a new cookie that was named fbs_APPID. Within this cookie, most importantly, there was an access token. Now, to know any information about a user, one must have one thing: an OAuth access token.

Getting an OAuth access token

Most times you will have a token in the cookies; however, on some random times that I never figured out the pattern to, you just don’t have that information there. And as for most apps, you need to know some information about a user, and possibly even post or something of the like with the user’s permission. However, for protection, Facebook just doesn’t allow any application developer access to their entire database. So to allow only certain access to certain applications, applications are given OAuth tokens. These tokens are user specific and generally session specific. With these tokens, you can use the Facebook Graph, discussed later, to get just about any needed data.
The process of getting an OAuth token if it is not in the “fbs_” cookie can be quite strenuous. First you need to redirect the user to the Graph server with certain application-specific parameters. One of those parameters is a callback URL; Facebook then calls that URL and gives you a code. Using this code and your application secret you can finally get a new OAuth access token. Basically, what all these redirects do is allow Facebook to check that this user is actually logged in and that this user is allowing the application access to this information.
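
The three steps above, sketched in Python as an added example (not code from the original post). The endpoint URLs and the `state` check are assumptions: the post does not give the URLs, and `state` is the standard OAuth 2.0 parameter for tying a callback to the session that started it. The parameter names follow the OAuth 2.0 specification, and all sample values are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed endpoints (the post does not give them); check Facebook's documentation.
AUTHORIZE_URL = "https://graph.facebook.com/oauth/authorize"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"


def new_state():
    """Unguessable per-session value; store it server-side before redirecting."""
    return secrets.token_urlsafe(32)


def authorize_redirect(app_id, callback_url, state):
    """Step 1: the URL the user's browser is redirected to."""
    query = {"client_id": app_id, "redirect_uri": callback_url, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)


def code_from_callback(request_url, expected_state):
    """Step 2: pull the code out of the callback, rejecting forged callbacks."""
    params = parse_qs(urlsplit(request_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback did not originate from this session")
    if "code" not in params:
        raise ValueError("no code returned: " + params.get("error", ["unknown"])[0])
    return params["code"][0]


def token_request(app_id, app_secret, callback_url, code):
    """Step 3: endpoint and parameters for the server-to-server exchange.
    The app secret goes only in this HTTPS call, never through the browser."""
    return TOKEN_URL, {"client_id": app_id, "client_secret": app_secret,
                       "redirect_uri": callback_url, "code": code}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    app_id, secret, cb = "1234567890", "constructed-app-secret", "https://app.example/fb/callback"
    state = new_state()
    print(authorize_redirect(app_id, cb, state))
    code = code_from_callback(cb + "?code=constructed-code&state=" + state, state)
    print(token_request(app_id, secret, cb, code))
```

The callback URL sent in step 3 has to be the same one used in step 1, which is why both functions take it as a parameter.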

The Facebook Graph

Why they call it the “Graph” I am not quite sure; however, it is quite a handy tool. Just heading over to will provide you some basic information about yourself, provided that you are currently logged into Facebook on that browser. Furthermore, looking up more information is easy: all you need to know about something is its Facebook ID. Everything on Facebook has an ID, from an event to a group to a person. With people you can even use words like the ones that are for your profile. You can access some basic information on me by going to
Want other information? It’s easy

  • links to that select person’s profile (replace Me with the FB ID of anything on Facebook)
  • Your news feed
  • Your wall
  • Your movies.

Obviously there are many more than this, and it is as simple as fetching these URLs in your application to get all this data. Check out the Graph API for more examples and the nitty-gritty syntax. You can get all sorts of data on any event, photo, anything really.

Where these two technologies meet

The reason we discussed OAuth tokens was so that you would have them in your application when the time came that you needed some data. Not all data requires a token; in fact, any data visible to outside (non-friend) users is available without one. However, when that no longer cuts it, an access token with the proper permissions can get you all the data you need. Applying the access token is as simple as passing it as a GET argument.

Note: when using an access token you must use HTTPS or a secure connection.

Another note: Me refers to the user who authorized the access token, not the developer.

And another, major note: all data will be returned in JSON object form, so all you need is a few libraries, or if they are included with your language you’re fine.
For Java I used the libraries are, they worked just fine.

  • Jake

    Oh cool post .. thanks to the info here (along with some other posts) I created my Login with Fb widget for websites - using OAuth 2.0
