EagleTheDev

Reputation: 35

Always get "Error validating verification code." when requesting access_token

Well, I have done my best to try to solve this problem, but it's still too annoying.

I decided to use OAuth with server-side authentication. So, I have followed the Facebook documentation, and I have done the following steps.

  1. Create a link which redirects people to log in to Facebook by https://www.facebook.com/dialog/oauth?client_id={APP_ID}&redirect_uri=http://abc.com/nextStep.php
  2. In nextStep.php, redirect people to https://graph.facebook.com/oauth/access_token?code={CODE GENERATED BY FACEBOOK}&client_id={APP_ID}&redirect_uri=http://abc.com/thirdStep.php&client_secret={APP_SECRET}

The problem exists when proceeding to step 2. The page shows that:

{
   "error": {
      "message": "Error validating verification code.",
      "type": "OAuthException",
      "code": 100
   }
}

I have googled for a long time. Some people suggest adding a trailing slash to the redirect_uri, but it doesn't work. What should I do? And how can I get the user information after getting the access_token? Thanks for your help.

Upvotes: 0

Views: 1294

Answers (1)

C3roe

Reputation: 96339

Two things:

First, I’d say you’re missing the state parameter in your first URL … you have to make up a value that the docs describe as SOME_ARBITRARY_BUT_UNIQUE_STRING – some unique id/hash/whatever, that no one from the outside would be able to guess. (Yes, that parameter is optional – but you should use it anyway, because as the docs say it helps prevent CSRF and is therefore an important security measure. If you don’t know what CSRF means, please look it up.)

And second, in your step two, you should not redirect the user’s client to that address, but make a server side call to that endpoint instead. You are putting your app secret into this URL (that’s not the mistake, you have to) – so it would be easy for the user to get it if you called that URL in his browser …!

I’d suggest you start with https://developers.facebook.com/docs/authentication/server-side/ again, reading it carefully from the top – you can hardly go wrong if you really follow the instructions given there one-by-one …

Upvotes: 2
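
As an added example (not code from the question, the answer, or Facebook's documentation), the two points in the answer can be combined in PHP as follows. The function names and placeholder credentials are assumptions, and the same redirect_uri is sent in both requests, because OAuth 2.0 requires the token request's redirect_uri to match the one used to obtain the code.

```php
<?php
// Added example. APP_ID / APP_SECRET are placeholders; function names are hypothetical.
const APP_ID       = 'YOUR_APP_ID';
const APP_SECRET   = 'YOUR_APP_SECRET';
const REDIRECT_URI = 'http://abc.com/nextStep.php'; // identical in both requests

// Step 1: login link carrying an unguessable, per-session state value.
function build_login_url(array &$session): string
{
    $session['oauth_state'] = bin2hex(random_bytes(16));
    return 'https://www.facebook.com/dialog/oauth?' . http_build_query([
        'client_id'    => APP_ID,
        'redirect_uri' => REDIRECT_URI,
        'state'        => $session['oauth_state'],
    ]);
}

// Step 2a: accept the callback only if state matches the stored value (single use).
function state_is_valid(array &$session, array $query): bool
{
    $expected = $session['oauth_state'] ?? '';
    unset($session['oauth_state']);
    $received = $query['state'] ?? '';
    return $expected !== '' && is_string($received) && hash_equals($expected, $received);
}

// Step 2b: token endpoint URL; it contains the app secret, so only the server requests it.
function build_token_url(string $code): string
{
    return 'https://graph.facebook.com/oauth/access_token?' . http_build_query([
        'code'          => $code,
        'client_id'     => APP_ID,
        'redirect_uri'  => REDIRECT_URI,
        'client_secret' => APP_SECRET,
    ]);
}

// nextStep.php body: call as handle_callback($_SESSION, $_GET) after session_start().
function handle_callback(array &$session, array $query): ?string
{
    if (!state_is_valid($session, $query) || !is_string($query['code'] ?? null)) {
        return null; // reject: possible CSRF or malformed callback
    }
    // Server-to-server request; the browser is never redirected to this URL.
    // @ suppresses the failure warning, which would print the URL and the secret.
    $body = @file_get_contents(build_token_url($query['code']));
    return $body === false ? null : $body; // raw response; parse and store server-side
}
```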
