Sometimes you may need to track which users of your Facebook application are removing it from their application settings. Back in 2008 there was a setting parameter named something like "remove application url"; Facebook has since changed this.
Now, in the application settings under the Advanced tab, you will see a new parameter named Deauthorize Callback in the Authentication area. Facebook shows a comment beside it: "Facebook pings this URL when a user deauthorizes your application".
So you have to provide a callback URL here, which Facebook pings when someone deauthorizes your application. Remember, this should be a URL on your own server, not your Facebook app (canvas) URL. If your server address is http://yoursite.com/fbapp/removeapp.php, then put the code in removeapp.php so that Facebook pings this URL.
Now let's see the code that should go in removeapp.php.
1. First update the application settings like the following screenshot:
Set OAuth 2.0 for Canvas (beta) to Enabled and also provide the Deauthorize Callback URL correctly.
2. Now write the code in removeapp.php:
<?php
//removeapp.php
//here you'll get the user id of the user who is removing (deauthorizing) your application
$config['secret_key'] = "XXXXXXXX"; //this is your application's secret key

if (!isset($_REQUEST['signed_request'])) {
    //Facebook always sends signed_request; a request without it is not a genuine deauthorize ping
    header('HTTP/1.1 400 Bad Request');
    exit;
}

$data = parse_signed_request($_REQUEST['signed_request'], $config['secret_key']);
if ($data === null) {
    //bad or forged signature: do not touch the database
    header('HTTP/1.1 400 Bad Request');
    exit;
}
$fbUserId = $data['user_id'];
/* $fbUserId is the Facebook user UID of the user who removed your application.
   Use this id to update your database or do other tasks if required for your application.
*/

/* These methods are provided by Facebook
   http://developers.facebook.com/docs/authentication/canvas
*/
function parse_signed_request($signed_request, $secret) {
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) {
        error_log('Malformed signed_request');
        return null;
    }
    list($encoded_sig, $payload) = $parts;
    // decode the data
    $sig = base64_url_decode($encoded_sig);
    $data = json_decode(base64_url_decode($payload), true);
    if (!is_array($data) || !isset($data['algorithm']) || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        error_log('Unknown algorithm. Expected HMAC-SHA256');
        return null;
    }
    // check sig (on PHP >= 5.6 prefer hash_equals($expected_sig, $sig) for a constant-time comparison)
    $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
    if ($sig !== $expected_sig) {
        error_log('Bad Signed JSON signature!');
        return null;
    }
    return $data;
}

function base64_url_decode($input) {
    return base64_decode(strtr($input, '-_', '+/'));
}
Facebook writes about the deauthorize URL:
Deauthorize Callback
When a user of your application removes it (clicking the X on Application Settings or blocks the application) your app can be notified by specifying a Deauthorize Callback URL on the Edit Settings page of your application. During the application removal, Facebook will visit your URL with an HTTP POST request containing a single query parameter, signed_request, with a payload of the user_id of whichever user just removed your application. You will not get an oauth_token and every other token that you have will be invalidated since the user has de-authorized your application.
See the Canvas Authorization documentation for information on how to parse this parameter and extract the user_id.
And:
When you are writing a Facebook canvas application, you often need information from Facebook such as which user is logged in to your application or whose profile the user is viewing. Facebook sends you this information contained in the signed_request parameter as follows. More at here
Facebook has actually updated its application authentication system to OAuth 2.0; currently it is in beta. In this new system Facebook passes a signed_request so that your application can receive the data and verify that it really came from Facebook. But to retrieve the user id from this signed_request parameter you have to parse it, and the functions I mentioned above are taken from the Facebook documentation for that purpose.
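As an added example (not code from this post or from Facebook's documentation), the following PHP script builds a signed_request with a constructed test secret the same way Facebook does for a deauthorize ping, verifies it, and shows that a payload swapped in for a different user id is rejected. The function names build_signed_request and base64_url_encode, the secret and the user id are assumptions made for the example.

```php
<?php
// Added example, not code from the post or from Facebook: simulate the
// deauthorize ping locally so removeapp.php can be tested before Facebook
// ever calls it. The secret and user id are constructed test values.

function base64_url_encode($input) {
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}

function base64_url_decode($input) {
    return base64_decode(strtr($input, '-_', '+/'));
}

// Build a signed_request the way Facebook does: base64url(HMAC) . '.' . base64url(JSON)
function build_signed_request(array $payload, $secret) {
    $payload['algorithm'] = 'HMAC-SHA256';
    $encoded_payload = base64_url_encode(json_encode($payload));
    $sig = hash_hmac('sha256', $encoded_payload, $secret, true);
    return base64_url_encode($sig) . '.' . $encoded_payload;
}

// Verify and decode; returns null on any failure. hash_equals (PHP >= 5.6)
// compares in constant time instead of the plain !== used in the post's code.
function parse_signed_request($signed_request, $secret) {
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($encoded_sig, $payload) = $parts;
    $sig = base64_url_decode($encoded_sig);
    $data = json_decode(base64_url_decode($payload), true);
    if (!is_array($data) || !isset($data['algorithm'])
        || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        return null;
    }
    $expected_sig = hash_hmac('sha256', $payload, $secret, true);
    return (is_string($sig) && hash_equals($expected_sig, $sig)) ? $data : null;
}

$secret = 'test-app-secret'; // constructed; use your real secret key against removeapp.php
$sr = build_signed_request(array('user_id' => '100000123456789', 'issued_at' => 1300000000), $secret);
echo "signed_request=" . $sr . "\n";
$data = parse_signed_request($sr, $secret);
echo "genuine ping: " . ($data ? "user_id=" . $data['user_id'] : "rejected") . "\n";

// Keep the original signature but swap the payload for another user id: must be rejected.
list($sig_part) = explode('.', $sr, 2);
$forged = $sig_part . '.' . base64_url_encode(json_encode(array('algorithm' => 'HMAC-SHA256', 'user_id' => '999')));
echo "forged payload: " . (parse_signed_request($forged, $secret) ? "accepted" : "rejected") . "\n";
```

Run it with php from the command line; POSTing the printed signed_request to your own removeapp.php (configured with the same secret) exercises the callback locally, which helps when Facebook cannot reach a localhost URL.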
For more information please read the following:
Nice... thanks for sharing.
Hi, nice post! Do you know anything about the POST authorize callback? I can't see it anymore...
Thanks. Couldn't figure it out; I needed to enable the OAuth 2.0 Beta to get it to work.
First off, great tutorial site buddy.
Built my first FB app solely based on your tutorials.
Btw, just an observation.
FB pings this URL only if I click on "remove or block app" on the application page and NOT when I click on remove app on the news feed page. Probably a bug or oversight on FB's side.
Keep up the good effort buddy
Hello, I'm trying to use deauthorize_callback. I need to update a table when a user removes my app. I have provided the URL for deauthorize_callback and enabled OAuth 2.0. I did a test storing the request into a file but it seems it doesn't work. =(
<?php
#http://localhost/facebookApp/removeApp.php
$file = fopen("request.txt", "a");
fputs($file, $_REQUEST['signed_request']);
fclose($file);
The request.txt file is not created. Could it be that Facebook doesn't call my removeApp page? Please help!
Use a domain or a dedicated IP as the callback URL.
What if the user is removing your app from a page and they administer several pages? How do you know which page they have removed it from? Just receiving their user id won't help to update the record in the database if that user has added your app to several different pages. Thanks.
Thank you very much for the first 3 lines of code.. just what I was looking for. Works.
Hi..
Thank you so much.
I used your code to deauthorize my Facebook application and it works just fine..
I had already wasted 4 hours before I found your article..
Thank you so much..
Sonal Khuny