Implement Login for Devices
Facebook Login for Devices is for devices that directly make HTTP calls over the internet. The following are the API calls and responses your device can make.
1. Enable Login for Devices
Change Settings > Advanced > OAuth Settings > Login from Devices to 'Yes'.
2. Generate a Code which is required for facebook device identification
When the person clicks Log in with Facebook, you device should make an HTTP POST to:
POST https://graph.facebook.com/oauth/device?
type=device_code
&client_id=<YOUR_APP_ID>
&scope=<COMMA_SEPARATED_PERMISSION_NAMES> // e.g.public_profile,user_likes
The response comes in this form:
{
"code": "92a2b2e351f2b0b3503b2de251132f47",
"user_code": "A1NWZ9",
"verification_uri": "https://www.facebook.com/device",
"expires_in": 420,
"interval": 5
}
This response means:
- Display the string “A1NWZ9” on your device
- Tell the person to go to “facebook.com/device” and enter this code
- The code expires in 420 seconds. You should cancel the login flow after that time if you do not receive an access token
- Your device should poll the Device Login API every 5 seconds to see if the authorization has been successful
3. Display the Code
Your device should display the user_code and tell people to visit the verification_uri such as facebook.com/device on their PC or smartphone. See the Design Guidelines.
4. Poll for Authorization
Your device should poll the Device Login API to see if the person successfully authorized your application. You should do this at the interval in the response to your call in Step 1, which is every 5 seconds. Your device should poll to:
POST https://graph.facebook.com/oauth/device?
type=device_token
&client_id=<YOUR_APP_ID>
&code=<LONG_CODE_FROM_STEP_1> //e.g."92a2b2e351f2b0b3503b2de251132f47"
You will get 200 HTTP code i.e User has successfully authorized the device. The device can now use the access_token value to make authenticated API calls.
5. Confirm Successful Login
Your device should display their name and if available, a profile picture until they click Continue. To get the person's name and profile picture, your device should make a standard Graph API call:
GET https://graph.facebook.com/v2.3/me?
fields=name,picture&
access_token=<USER_ACCESS_TOKEN>
Response:
{
"name": "John Doe",
"picture": {
"data": {
"is_silhouette": false,
"url": "https://fbcdn.akamaihd.net/hmac...ile.jpg"
}
},
"id": "2023462875238472"
}
6. Store Access Tokens
Your device should persist the access token to make other requests to the Graph API.
Device Login access tokens may be valid for up to 60 days but may be invalided in a number of scenarios. For example when a person changes their Facebook password their access token is invalidated.
If the token is invalid, your device should delete the token from its memory. The person using your device needs to perform the Device Login flow again from Step 1 to retrieve a new, valid token.