When working with the Facebook SDK (more precisely when implementing a Facebook login function within a REST interface), the transmitted token that the client has received from Facebook must first be checked for validity by the server before further operations are performed.
The easiest way to do this is with the undocumented API Call
GET https://graph.facebook.com/me?access_token=TOKEN
where TOKEN is the said access token, which is over 200 characters long. The response is either a successful answer
{
"id": "XXXXXXXXXXXXXXXXX",
"email": "david\u0040vielhuber.de",
"first_name": "David",
"gender": "male",
"last_name": "Vielhuber",
"link": "https://www.facebook.com/app_scoped_user_id/XXXXXXXXXXXXXXXXX/",
"locale": "de_DE",
"name": "David Vielhuber",
"timezone": 2,
"updated_time": "2014-02-09T18:47:26+0000",
"verified": true
}
The ID of the user should be used here for the final check.
Otherwise you get the inconspicuous message that it is not a valid token:
{
"error": {
"message": "Invalid OAuth access token.",
"type": "OAuthException",
"code": 190
}
}