
I have a simple sign-in button that directs the user to:

https://graph.facebook.com/oauth/authorize?client_id=APP_ID&redirect_uri=CALLBACK_URL&type=web_server&scope=publish_stream,offline_access,email,friends_likes,user_likes.

The callback request handler at CALLBACK_URL grabs the code parameter and passes it to:

https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&code=CODE&redirect_uri=REQUEST_URL

and expects a response containing the access token (note that REQUEST_URL is the URL of the incoming redirect from Facebook). This succeeds 99% of the time, but occasionally I get this:

```json
{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100}}
```

I understand that the code can only be used once and has a life-span of 10 minutes, but we are immediately redeeming the code, and our logging indicates we are only sending it for an access token once.

Has anyone else seen this before?

Is it possible Facebook is sending back the wrong error?

AMadmanTriumphs
  • Based on your description, this seems like bug on FB's side. You should double check that you are sending the request only once and then [file a bug report](https://developers.facebook.com/bugs/). – Jan Gerlinger Mar 06 '13 at 19:45
  • I can confirm this; could you file a report and post a link? I get this on Android only. – Tarang Mar 25 '13 at 12:24

1 Answer


In `protected function parseSignedRequest($signed_request)`, just before the `return`, add these lines:

```php
/*
 * This method sets a new code but does not update the persistent data,
 * which leads to loss of the persistent data and a duplicate call to OAuth.
 * A duplicate OAuth call with the same auth code leads to an error,
 * so the persistent data must be changed alongside the code.
 */
$this->setPersistentData('code', $data['code']);
```

This is a temporary solution and I'm not a Facebook developer.

AlG
Ishiki
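As an added example (not from the question or the answer above, and in Python rather than the Facebook PHP SDK), here is how a callback handler can make code redemption idempotent: the token endpoint is a constructed stand-in that, like the real one, honours each code exactly once, and the in-memory `_redeemed` dict stands in for the session or database record the answer calls persistent data. A duplicate callback with an already-redeemed code is served from that record and counted, instead of triggering a second exchange.

```python
import threading


class FakeTokenEndpoint:
    """Constructed stand-in for graph.facebook.com/oauth/access_token (not the real API)."""

    def __init__(self):
        self.calls = 0          # how many exchanges actually reached the endpoint
        self._used = set()      # codes the endpoint has already honoured

    def exchange(self, code, redirect_uri):
        self.calls += 1
        if code in self._used:
            # Same error shape as in the question: a second use of the code is rejected.
            return {"error": {"message": "This authorization code has been used.",
                              "type": "OAuthException", "code": 100}}
        self._used.add(code)
        return {"access_token": "token-for-" + code, "expires": 5184000}


class CallbackHandler:
    """Redeems each authorization code at most once per process."""

    def __init__(self, endpoint, redirect_uri):
        self._endpoint = endpoint
        self._redirect_uri = redirect_uri   # must equal the redirect_uri used in the authorize step
        self._redeemed = {}                 # code -> token response; persist this in a session/DB store
        self._lock = threading.Lock()       # two concurrent callbacks with one code must not both exchange it
        self.duplicates = 0                 # duplicate callbacks served from the store; worth logging

    def handle(self, code):
        with self._lock:
            if code in self._redeemed:
                self.duplicates += 1
                return self._redeemed[code]
            result = self._endpoint.exchange(code, self._redirect_uri)
            if "access_token" in result:
                self._redeemed[code] = result   # only successful exchanges are remembered
            return result


def demo():
    """Redeem a constructed code twice through the handler and once more directly."""
    endpoint = FakeTokenEndpoint()
    handler = CallbackHandler(endpoint, "https://app.example/callback")
    first = handler.handle("CODE-abc123")
    second = handler.handle("CODE-abc123")          # duplicate callback: no second exchange
    raw = endpoint.exchange("CODE-abc123", "https://app.example/callback")  # unguarded reuse
    return first, second, endpoint.calls, handler.duplicates, raw
```

With the guard in place the handler reaches the endpoint once for the duplicate pair, while the unguarded direct call reproduces the code-100 error from the question.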