Unable to get access token from Facebook. Got an OAuthException that says "Error validating verification code"

I am using Java and the purpose of my demo application is simple: update user status. I followed the Server-side Flow on page http://developers.facebook.com/docs/authentication. I got the auth dialog, Facebook led to the callback URL and I got the code in my callback page. Then I failed when I tried to generate an access token.

In the guide page, it says the following URL could be used to generate an access token:

https://graph.facebook.com/oauth/access_token?
     client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
     client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE

But what happens in my environment is that I get the following error message:

{
   "error": {
      "type": "OAuthException",
      "message": "Error validating verification code."
   }
}

I am quite sure every parameter is correct because if I change the client_id value or client_secret parameter, I will get a different error message. The code parameter is what I got from the Facebook callback. So this should be correct, right? I really can't figure out what the problem is...

Any idea about this? I am stuck here...


I recently dealt with exactly this problem: everything matched, but it failed with the OAuthException. The thing that made it work was to change the redirect uri (in both requests for the flow) from:

http://foo.example.com

to

http://foo.example.com/

I.e., add the trailing slash. And then it worked. Stupid and silly, but there you go.


I had the same problem and tried the above suggestions. They helped, but in my case the problem was that my redir URL had a query parameter and Facebook wasn't cool with that. So, moral of the story is that the redir URL you sent to exchange the token has to be identical to the original redir URL and it can't have query parameters.


We had some fun with this as well.

In our case the trailing slash in the URL was already there, so I tried the Token we were using in the FB Debug Tool and it validated, so it looked like FB wasn't even seeing the Token in the request.

After some investigation I found the head-slapper - we were doing a GET with HTTP Headers only, not with a Querystring, so FB literally wasn't seeing the Token at all.

The moral seems to be that if you can get the Token to validate in the FB Debug tool, there is likely /something/ amiss in your request -

It might be a missing "/" or some other mismatch with the App's defined URL (Domain mismatch is a different error). I have not tried defining the App / Web Url for HTTPS and doing the request with HTTP but I suspect it would also hiccup somehow.

Or as in our case, the Request Method might be incorrect - GET with Headers or POSTing both throw the 2500, you have to do GET with a Querystring.

Hope that helps!


I had the same problem. It was a URL difference, but unlike the others that have posted, mine was the difference between HTTP and HTTPS.

We have BigIP handling HTTPS requests and forwarding over to an HTTP Apache server. When BaseFacebook's getCurrentUrl() function was called, it detected HTTP, and not the original HTTPS. I've modified that function like so:

protected function getCurrentUrl() {
    if ((isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] == 1)) ||
        (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') || 
        (isset($_SERVER['HTTP_PSEUDOSSL']) && $_SERVER['HTTP_PSEUDOSSL'] == 'true')) {
      $protocol = 'https://';
    }
    else {
      $protocol = 'http://';
    }
...

This version supports the HTTP_PSEUDOSSL key. I hope this helps someone.
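
The answers above all trace the error to a redirect_uri that is not the same string in the dialog request and in the token exchange. As an added example (not code from any poster or from the Facebook SDK), this Python helper names which part of the two URIs differs and builds the exchange request as a GET query string; the function names and sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlencode

TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"  # URL from the question


def redirect_uri_mismatches(dialog_uri, exchange_uri):
    """List how the redirect_uri sent to the auth dialog differs from the one
    sent in the token exchange. An empty list means the strings are identical."""
    if dialog_uri == exchange_uri:
        return []
    a, b = urlsplit(dialog_uri), urlsplit(exchange_uri)
    found = []
    if a.scheme != b.scheme:
        found.append(f"scheme: {a.scheme} vs {b.scheme}")
    if a.netloc != b.netloc:
        found.append(f"host/port: {a.netloc} vs {b.netloc}")
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            found.append("path: trailing slash differs")
        else:
            found.append(f"path: {a.path!r} vs {b.path!r}")
    if a.query != b.query:
        found.append(f"query: {a.query!r} vs {b.query!r}")
    if a.fragment != b.fragment:
        found.append(f"fragment: {a.fragment!r} vs {b.fragment!r}")
    # Components match but raw strings do not (scheme case, a bare "?" or "#").
    return found or ["raw strings differ (case or empty delimiter)"]


def build_token_url(app_id, app_secret, redirect_uri, code):
    """Token exchange as a GET query string, reusing the dialog's redirect_uri.
    The result contains client_secret, so keep it out of logs."""
    params = {"client_id": app_id, "redirect_uri": redirect_uri,
              "client_secret": app_secret, "code": code}
    return TOKEN_ENDPOINT + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed sample values; foo.example.com is the host used in the answers.
    sent_to_dialog = "https://foo.example.com/callback"
    for candidate in ("https://foo.example.com/callback/",
                      "http://foo.example.com/callback",
                      "https://foo.example.com/callback?step=2"):
        print(candidate, "->", redirect_uri_mismatches(sent_to_dialog, candidate))
    print(build_token_url("APP_ID", "APP_SECRET", sent_to_dialog, "CODE"))
```

Keeping the redirect URI as one configured constant and passing that same value to both requests avoids rebuilding it from request state such as forwarded-protocol headers.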