Beware! Pure server side authentication/authorization for Facebook canvas apps simply does not work
If you want to develop a Facebook application that runs inside the Facebook frame, you write a canvas app. The first thing you will want to do is let your users authenticate and authorize your app.
Except that a pure server-side solution simply doesn't work.
I should probably point out that what I describe is true at the time of writing but may change quickly. Over the past two months the most important thing I have learned about Facebook is that it changes frequently.
Move fast. Break things.
That’s the Facebook motto and they mean it.
Currently, however, server-side authentication is broken: not technically, but conceptually.
Technically everything works as expected. But when a user is new to your application and you redirect them from your canvas page to the authentication dialog, the user is presented with the following image instead of the dialog.
Clicking on the image then forwards the user to the authentication / authorization process. With this extra step you will definitely lose some potential users, especially as the image and its text don't make it clear what happens next.
If the user does decide to click on the image, they are presented with the authorization dialog, in which they can allow or deny the permissions your application requested.
Once the user authorizes your app, the next conceptual error occurs. Instead of being sent back to your application on the Facebook domain, the user is redirected to your application on your own domain, without the Facebook frame around it. Even though the user has now authorized your app, the user experience suffers badly.
If you search the internet for this problem you will find plenty of other people who have run into it, and at the recent Facebook Hack Berlin it was already known as a common complaint.
Keep your fingers crossed that Facebook will eventually tackle this.