The app secret is a base-16 string, so you need to convert that to a byte array. Take a look at How can I convert a hex string to a byte array? for details on how to do this. The access_token needs to be converted to a byte array using the ASCII encoding. Once you've generated the HMAC then encode this as a base-16 string to use as your appsecret_proof. The following code will convert a byte array to base16.
public static class Base16
{
private static readonly char[] encoding;
static Base16()
{
encoding = new char[16]
{
'0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
};
}
public static string Encode(byte[] data)
{
char[] text = new char[data.Length * 2];
for (int i = 0, j = 0; i < data.Length; i++)
{
text[j++] = encoding[data[i] >> 4];
text[j++] = encoding[data[i] & 0xf];
}
return new string(text);
}
}
The code to generate the appsecret_proof would then be
private string GenerateAppSecretProof(string accessToken, string appSecret)
{
byte[] key = Base16.Decode(appSecret);
byte[] hash;
using (HMAC hmacAlg = new HMACSHA1(key))
{
hash = hmacAlg.ComputeHash(Encoding.ASCII.GetBytes(accessToken));
}
return Base16.Encode(hash);
}
Facebook seems to accept either a SHA256 HMAC
or SHA1 HMAC
.