This package provides Facebook OAuth 2.0 support for the PHP League's OAuth 2.0 Client.
This package is compliant with PSR-1, PSR-2, PSR-4, and PSR-7. If you notice compliance oversights, please send a patch via pull request.
The following versions of PHP are supported.
- PHP 5.6
- PHP 7.0
- PHP 7.1
- PHP 7.2
- PHP 7.3
- PHP 7.4
Add the following to your `composer.json` file.

```json
{
    "require": {
        "league/oauth2-facebook": "^2.0"
    }
}
```
```php
session_start();

$provider = new \League\OAuth2\Client\Provider\Facebook([
    'clientId'          => '{facebook-app-id}',
    'clientSecret'      => '{facebook-app-secret}',
    'redirectUri'       => '', // your app's registered callback URL
    'graphApiVersion'   => 'v2.10',
]);

if (!isset($_GET['code'])) {
    // If we don't have an authorization code then get one
    $authUrl = $provider->getAuthorizationUrl([
        'scope' => ['email', '...', '...'],
    ]);
    // Store the generated state in the session so the callback can verify it
    $_SESSION['oauth2state'] = $provider->getState();

    echo '<a href="'.$authUrl.'">Log in with Facebook!</a>';
    exit;

// Check given state against previously stored one to mitigate CSRF attack
} elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {
    unset($_SESSION['oauth2state']);
    echo 'Invalid state.';
    exit;
}

// Try to get an access token (using the authorization code grant)
$token = $provider->getAccessToken('authorization_code', [
    'code' => $_GET['code']
]);

// Optional: Now you have a token you can look up a user's profile data
try {
    // We got an access token, let's now get the user's details
    $user = $provider->getResourceOwner($token);

    // Use these details to create a new profile
    printf('Hello %s!', $user->getFirstName());

    echo '<pre>';
    var_dump($user);
    # object(League\OAuth2\Client\Provider\FacebookUser)#10 (1) { ...
    echo '</pre>';
} catch (\Exception $e) {
    // Failed to get user details
    exit('Oh dear...');
}

echo '<pre>';
// Use this to interact with an API on the user's behalf
var_dump($token->getToken());
# string(217) "CAADAppfn3msBAI7tZBLWg...

// The time (in epoch time) when an access token will expire
var_dump($token->getExpires());
# int(1436825866)
echo '</pre>';
```
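A stricter variant of the state check in the flow above, as an added example that is not part of this package: it treats the stored state as single-use, refuses non-string values, and compares in constant time. The helper name `consumeState()` and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not part of league/oauth2-facebook.
// consumeState() is a hypothetical helper name.

/**
 * Check the callback's "state" against the value stored at login time.
 * The stored value is removed on every call, so each state works once.
 *
 * @param array  $query   Callback query parameters (normally $_GET)
 * @param array  $session Session storage (normally $_SESSION)
 * @param string $key     Session key used when the state was stored
 * @return bool
 */
function consumeState(array $query, array &$session, $key = 'oauth2state')
{
    $expected = isset($session[$key]) ? $session[$key] : null;
    unset($session[$key]);

    $given = isset($query['state']) ? $query['state'] : null;

    // A request such as ?state[]=x reaches PHP as an array, and a session
    // that never started a login has no stored value: refuse both.
    if (!is_string($expected) || $expected === '') {
        return false;
    }
    if (!is_string($given) || $given === '') {
        return false;
    }

    // Compare without leaking how many leading characters matched
    return hash_equals($expected, $given);
}

// Constructed sample data standing in for $_SESSION and $_GET
$stored = 'c0ffee1234abcd';
$cases = [
    'matching state'   => ['code' => 'x', 'state' => $stored],
    'state missing'    => ['code' => 'x'],
    'state as array'   => ['code' => 'x', 'state' => [$stored]],
    'state mismatched' => ['code' => 'x', 'state' => 'not-the-stored-value'],
];
foreach ($cases as $label => $query) {
    $session = ['oauth2state' => $stored]; // fresh session for each case
    printf("%-18s %s\n", $label, var_export(consumeState($query, $session), true));
}

// Replay: the same session receives the same valid callback twice
$session = ['oauth2state' => $stored];
consumeState(['state' => $stored], $session);
printf("%-18s %s\n", 'replayed callback', var_export(consumeState(['state' => $stored], $session), true));
```

In the flow above, the call `consumeState($_GET, $_SESSION)` would take the place of the `elseif` comparison, with the script stopping on `Invalid state.` whenever it returns false.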
When using the `getResourceOwner()` method to obtain the user node, it will be returned as a `FacebookUser`.

```php
$user = $provider->getResourceOwner($token);

$id = $user->getId();
# string(1) "4"

$name = $user->getName();
# string(15) "Mark Zuckerberg"

$firstName = $user->getFirstName();
# string(4) "Mark"

$lastName = $user->getLastName();
# string(10) "Zuckerberg"

# Requires the "email" permission
$email = $user->getEmail();
# string(15) ""

# Requires the "user_hometown" permission
$hometown = $user->getHometown();
# array(10) { ["id"]=> string(10) "12345567890" ...

# Requires the "user_about_me" permission
$bio = $user->getBio();
# string(426) "All about me...

$pictureUrl = $user->getPictureUrl();
# string(224) " ...

$isDefaultPicture = $user->isDefaultPicture();
# boolean false

$coverPhotoUrl = $user->getCoverPhotoUrl();
# string(111) " ...

$gender = $user->getGender();
# string(4) "male"

$locale = $user->getLocale();
# string(5) "en_US"

$timezone = $user->getTimezone();
# int -5

$link = $user->getLink();
# string(62) ""

$maxAge = $user->getMaxAge();
# int 17 | null

$minAge = $user->getMinAge();
# int 21
```
You can also get all the data from the User node as a plain-old PHP array with `toArray()`.

```php
$userData = $user->toArray();
```
The `graphApiVersion` option is required. If it is not set, an `\InvalidArgumentException` will be thrown.

```php
$provider = new League\OAuth2\Client\Provider\Facebook([
    /* . . . */
    'graphApiVersion' => 'v2.10',
]);
```
Each version of the Graph API has breaking changes from one version to the next. This package no longer supports a fallback to a default Graph version since your app might break when the fallback Graph version is updated.
See the Graph API version schedule for more info.
Facebook has a beta tier that contains the latest deployments before they are rolled out to production. To enable the beta tier, set the `enableBetaTier` option to `true`.

```php
$provider = new League\OAuth2\Client\Provider\Facebook([
    /* . . . */
    'enableBetaTier' => true,
]);
```
Facebook does not support refreshing tokens. In order to get a new "refreshed" token, you must send the user through the login-with-Facebook process again.
From the Facebook documentation:
> Once [the access tokens] expire, your app must send the user through the login flow again to generate a new short-lived token.
The following code will throw a `League\OAuth2\Client\Provider\Exception\FacebookProviderException`.

```php
$grant = new \League\OAuth2\Client\Grant\RefreshToken();
$token = $provider->getAccessToken($grant, ['refresh_token' => $refreshToken]);
```
Facebook will allow you to extend the lifetime of an access token by exchanging a short-lived access token for a long-lived access token.
Once you obtain a short-lived (default) access token, you can exchange it for a long-lived one.

```php
try {
    $token = $provider->getLongLivedAccessToken('short-lived-access-token');
} catch (Exception $e) {
    echo 'Failed to exchange the token: '.$e->getMessage();
    exit;
}

var_dump($token->getToken());
# string(217) "CAADAppfn3msBAI7tZBLWg...
```
Once you've obtained a user access token you can make additional requests to the Graph API using your favorite HTTP client to send the requests. For this example, we'll just use PHP's built-in `file_get_contents()` as our HTTP client to grab 5 events from the authenticated user.

```php
// Get 5 events from authenticated user
// Requires the `user_events` permission
$baseUrl = ''; // Graph API base URL, including the version
$params = http_build_query([
    'fields' => 'id,name,start_time',
    'limit' => '5',
    'access_token' => $token->getToken(),
    // HMAC-SHA256 of the access token, keyed with the app secret
    'appsecret_proof' => hash_hmac('sha256', $token->getToken(), '{facebook-app-secret}'),
]);
$response = file_get_contents($baseUrl.'/me/events?'.$params);

// Raw JSON response from the Graph API
var_dump($response);
# string(1190) "{"data":[{"id":"123","name":"Derby City Swing 2016","start_time":"2016-01-28T17:00:00-0500"} ...

// Response as a plain-old PHP array
$data = json_decode($response, true);
var_dump($data);
# array(2) { ["data"]=> array(5) { ...
```
See more about:
If you need to make even more complex queries to the Graph API to get lots of data back with just one request, check out the Facebook Query Builder.
```bash
$ ./vendor/bin/phpunit
```
Please see CONTRIBUTING for details.
The MIT License (MIT). Please see License File for more information.