Can the server get a long-lived access token with the code in `signedRequest`?
Is the code property of authResponse.signedRequest (in the Facebook JavaScript API) useful? I'm generating one like this:
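```javascript
FB.login({ scope: "email" }, function(r) {
  console.log([
    // take the payload half of "<signature>.<payload>"
    function(d){ return d.split('.')[1]; },
    // base64url -> base64 (replace every occurrence, not just the first), then decode
    function(d){ return atob(d.replace(/-/g, '+').replace(/_/g, '/')); },
    JSON.parse,
    function(d){ return d.code; }
  ].reduce(
    function(acc, f) { return f(acc); },
    r.authResponse.signedRequest
  ));
});
```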
The docs say this:
> code: an OAuth Code which can be exchanged for a valid user access token via a subsequent server-side request

…but that link redirects to the Facebook Login home page. I found the /oauth/access_token endpoint documented here, but it requires a redirect_uri parameter, and there isn't one in this case.
Solution 1:[1]
I know it's a bit of a necro-bump, but for anyone else who stumbles upon this...
You can POST the code to:
https://graph.facebook.com/oauth/access_token
In the form body, you want:
```
client_id: your_app_client_id
client_secret: your_app_client_secret
grant_type: "authorization_code"
redirect_uri: ""
code: code_from_signed_request
```
The blank redirect_uri is the key. You must supply a blank string ... omitting the field doesn't work.
Since you need to supply your client secret, you don't want to do this client-side. Send the code to some method on your server to do it, and return the access code to your client.
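
The server-side step described in the answer above, as an added example for Node.js that is not part of the original question or answer: it verifies the `signedRequest` signature before trusting the `code`, then builds the form body with the empty `redirect_uri`. Assumptions: the signature is HMAC-SHA256 over the encoded payload, keyed with the app secret; all function names are hypothetical; the sample values are constructed; `fetch` needs Node 18 or later.

```javascript
// Added example (Node.js, server side); not code from the question or answer.
const crypto = require('crypto');
const TOKEN_URL = 'https://graph.facebook.com/oauth/access_token'; // endpoint named in the answer

// Verify a signed request ("<sig>.<payload>", both base64url) and return its payload.
// Assumption: the signature is HMAC-SHA256 over the encoded payload, keyed with the app secret.
function parseSignedRequest(signedRequest, appSecret) {
  const parts = String(signedRequest).split('.');
  if (parts.length !== 2) throw new Error('malformed signed request');
  const [sigPart, payloadPart] = parts;
  const expected = crypto.createHmac('sha256', appSecret).update(payloadPart).digest();
  const given = Buffer.from(sigPart, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('signature mismatch');
  }
  const payload = JSON.parse(Buffer.from(payloadPart, 'base64url').toString('utf8'));
  if (payload.algorithm !== 'HMAC-SHA256') throw new Error('unexpected algorithm');
  if (typeof payload.code !== 'string') throw new Error('payload has no code');
  return payload;
}

// Form body from the answer: redirect_uri is sent, but as an empty string.
function buildTokenRequestBody(code, appId, appSecret) {
  return new URLSearchParams({
    client_id: appId,
    client_secret: appSecret,
    grant_type: 'authorization_code',
    redirect_uri: '',
    code: code,
  }).toString();
}

// Server-side exchange; the secret never reaches the browser. Not called here (needs network).
async function exchangeCode(signedRequest, appId, appSecret) {
  const { code } = parseSignedRequest(signedRequest, appSecret);
  const res = await fetch(TOKEN_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildTokenRequestBody(code, appId, appSecret),
  });
  if (!res.ok) throw new Error('token exchange failed: HTTP ' + res.status);
  return res.json();
}

// Constructed sample (not real credentials): sign a payload the way the check above expects.
function makeSampleSignedRequest(payload, appSecret) {
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  const sig = crypto.createHmac('sha256', appSecret).update(body).digest();
  return sig.toString('base64url') + '.' + body;
}
```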
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Steven Frew |
