Difference between callbackUrl and function in passport-facebook

Question

I'm trying to find out how Facebook authentication works when using passport-facebook with node/express.

I'm confused about the callbackURL and the function that follows below.

Can someone explain to me what the difference is between setting a callbackURL (is this where a successful login attempt end up? and the function(accessToken, ...) which also seems to be invoked after logging in.

passport.use(new FacebookStrategy({
    clientID: FACEBOOK_APP_ID,
    clientSecret: FACEBOOK_APP_SECRET,
    callbackURL: "http://localhost:3000/auth/facebook/callback"
  },
  function(accessToken, refreshToken, profile, done) {
    User.findOrCreate({ facebookId: profile.id }, function (err, user) {
      return done(err, user);
    });
  }
));

Answer 1

callbackURL is a URL that facebook's web servers themselves will use at the end of the process. Facebook's servers will send a 301 redirect response causing the user's browser to navigate to this URL. So this is essentially a configuration option you are sending to facebook itself, and passport.js is handling the specifics of when and where to send it. When the whole oauth dance is done, the callback function is a way for passport to give control back to your code and say "hey, look it worked. Here's the goodies on the logged-in user", so you can do your findOrCreate. The details inside that function typically vary per-application whereas the oauth dance is always the same. So that's why passport uses a function callback there. It allows you a hook for application-specific or custom logic.