I'm doing a Facebook app and I've followed the custom login flow instructions and I have a question on the last step:
1) I start by doing a call to /dialog/oauth to get a login code.
2) With the code I will request an access token, by hitting the graph.facebook.com/oauth/access_token and that's fine as well.
3) The instructions now say I should validate the code and token to make sure they are from the sources that requested them.
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
My questions are:
If I just pass the same value (access_token) in both parameters I get a valid answer but I don't know if this makes sense.
Thanks in advance.
This question has already been asked: how to verify facebook access token?
And: Verify Facebook Access Token for specific App
And: verification code example
It's simply a unit test to see if your code is still valid (to catch a bug early so it can't do any big damage).
If the access token is not valid, you can for example show a message to the user that there is a bug etc.
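The inspection step discussed in this thread, as an added example that is not part of the original posts: it builds the debug_token request with an app access token in the `app_id|app_secret` form and checks the `data` fields of the response (`is_valid`, `app_id`, `user_id`, `expires_at`) against the values the server expects. The function names, the sample response and all ids in it are constructed for illustration, and treating `expires_at` of 0 as non-expiring is an assumption.

```python
import json
import time
from urllib.parse import urlencode

GRAPH_DEBUG = "https://graph.facebook.com/debug_token"

def debug_token_url(input_token, app_id, app_secret):
    # App access token ("app_id|app_secret"): build this server-side only,
    # the app secret must never reach the browser or a mobile client.
    return GRAPH_DEBUG + "?" + urlencode({
        "input_token": input_token,
        "access_token": f"{app_id}|{app_secret}",
    })

def check_debug_token(body, expected_app_id, expected_user_id=None, now=None):
    """Return a list of problems; an empty list means the token is accepted."""
    now = time.time() if now is None else now
    try:
        data = json.loads(body)["data"]
    except (ValueError, KeyError, TypeError):
        return ["malformed response"]
    if not isinstance(data, dict):
        return ["malformed response"]
    problems = []
    if data.get("is_valid") is not True:
        problems.append("token not valid")
    # The token must have been issued to *our* app, not merely be a live token.
    if str(data.get("app_id")) != str(expected_app_id):
        problems.append("token issued to a different app")
    expires = data.get("expires_at", 0)  # assumption: 0 means no expiry
    if expires and expires <= now:
        problems.append("token expired")
    if expected_user_id is not None and str(data.get("user_id")) != str(expected_user_id):
        problems.append("token belongs to a different user")
    return problems

# Constructed sample response (not captured from a real call).
SAMPLE_OK = json.dumps({"data": {
    "app_id": "1234567890", "is_valid": True,
    "user_id": "42", "expires_at": 2000000000,
}})

if __name__ == "__main__":
    print(debug_token_url("USER_TOKEN", "1234567890", "APP_SECRET_PLACEHOLDER"))
    print(check_debug_token(SAMPLE_OK, "1234567890", "42", now=1700000000))
    print(check_debug_token(SAMPLE_OK, "5555555555", "42", now=1700000000))
```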