400 bad request when requesting Facebook access token

Question

I'm getting a 400 bad request error from Facebook when requesting an access token. My return_uri includes a query string parameter which is causing the problem. I've encoded the return_uri but I stil get the error. Can anyone help me with this?

Here is the request I'm sending to Facebook:

"https://graph.facebook.com/oauth/access_token?client_id=IDb&client_secret=SECRET&redirect_uri=http%3a%2f%2fexample.com%2fOAuthHttpHandler.ashx%3fReturnUrl%3d%2fpage.aspx&code=CODE"

I'm getting an "Error validating verification code." error message.

I've done a little more digging and found that the redirect_uri below works fine:

"http://example.com/OAuthHttpHandler.ashx?ReturnUrl=page.aspx"

But if I pass across a return url of "/secure/page.aspx" validation fails. I've tried encoding the forward slashes but no luck.

Answer 1

After hours of searching around I finally found a good solution to the facebook access_token request returning "Bad Request 400". The return_uri param sent to "https://graph.facebook.com/oauth/access_token" must be exactly the same uri as the one sent "to https://graph.facebook.com/oauth/authorize"

Answer 2

What I did was just replace the slashes with dashes when I send 'em to facebook. Then on the callback, replace the dashes with slashes again!

Answer 3

Unfortunately, the Facebook Oauth implementation doesn't handle url parameters in the return_uri querystring well, even when they are correctly encoded. There are several threads in the fb developer forums discussing this issue:

http://forum.developers.facebook.net/viewtopic.php?pid=237845 http://forum.developers.facebook.net/viewtopic.php?pid=239866 http://forum.developers.facebook.net/viewtopic.php?pid=255231

Until its fixed on their end, you'll have to use an alternative method of passing state: session, cookie, or building a simple page-specific identifier into the url.