Facebook returning token as hash instead of part of the query string

Question

I am using https://www.facebook.com/v2.10/dialog/oauth endpoint to get access tokens in order to publish on behalf of my users.

I am trying to follow this guide: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/

My request looks like this: https://www.facebook.com/v2.10/dialog/oauth?client_id=...&response_type=code%20token%20granted_scopes&redirect_uri=...

And I am getting the following back: http://localhost:8000/?%2Fcallback&some=query#access_token=...&expires_in=6094

The question is why I am getting the token and expire_in as hash (notice the # above) instead of part of the query string so I can capture it by PHP's $_GET? And how can I fix that?

Answer 1

The question is why I am getting the token and expire_in as hash (notice the # above) instead of part of the query string so I can capture it by PHP's $_GET? And how can I fix that?

The parameter response_type specifies what you get back, see https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login

You can choose whether you want a code returned as GET parameter, a token in the hash - or both, for a client- and server-side app that might need the/a token on both, but would on the server-side rather exchange a code via API, than trust a token send from the client. And you can also ask for the granted scope of permissions the user accepted - for apps that need to know whether certain essential permissions were granted, that can save an extra API request.