The solution was to include the JS SDK and then get the access_token with
@oauth = Koala::Facebook::OAuth.new(ENV["FACEBOOK_APP_ID"], ENV["FACEBOOK_APP_SECRET"], canvas_path)
@oauth.get_user_info_from_cookies(cookies)
As per https://github.com/arsduo/koala/blob/10595edae78d75f1e34b58cc7da16f0475f65a3e/readme.md
I included Facebook's javascript SDK in a coffeescript file:
# facebook.js.coffee.erb
jQuery ->
$('body').prepend('<div id="fb-root"></div>')
$.ajax
url: "#{window.location.protocol}//connect.facebook.net/en_US/all.js"
dataType: 'script'
cache: true
window.fbAsyncInit = ->
FB.init(appId: '<%= ENV["FACEBOOK_APP_ID"] %>', cookie: true)
$('#fb-login').click (e) ->
e.preventDefault()
FB.login (response) ->
window.location = '/auth/facebook/callback' if response.authResponse
, scope: "email, publish_actions"
$('#sign_out').click (e) ->
FB.getLoginStatus (response) ->
FB.logout() if response.authResponse
true