Error 100 This authorization code has been used


I have a simple sign-in button that directs the user to:

https://graph.facebook.com/oauth/authorize?client_id=APP_ID&redirect_uri=CALLBACK_URL&type=web_server&scope=publish_stream,offline_access,email,friends_likes,user_likes.

The callback request handler at CALLBACK_URL grabs the code parameter and passes it to:

https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&code=CODE&redirect_uri=REQUEST_URL

and expects a response containing the access token (note that REQUEST_URL is the URL of the incoming redirect from Facebook). This succeeds 99% of the time, but occasionally I get this:

{"error":{"message":"This authorization code has been used.", "type": "OAuthException","code": 100}}.

I understand that the code can only be used once and has a life-span of 10 minutes, but we are immediately redeeming the code, and our logging indicates we are only sending it for an access token once.

Has anyone else seen this before?

Is it possible Facebook is sending back the wrong error?


There are 1 best solutions below


In protected function parseSignedRequest($signed_request), just before return, add these lines:

/*
 * This method sets new code, and does not update persistent data,
 * that leads to persistent data loss and duplicate call to oAuth.
 * Duplicate call to oAuth with same auth code leads to error.
 * So persistent data must be changed alongside code changes.
 */
$this->setPersistentData('code', $data['code']);

This is a temporary solution and I'm not a Facebook developer.
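A simplified model of the failure the answer describes, added here as an example; it is not the SDK's code and not part of the original post. The class names, the in-memory store and the fake token endpoint are assumptions made for illustration: when the redeemed code is not written back to the persistent data, a second request carrying the same code is exchanged again and the endpoint rejects it.

```php
<?php
// Requires PHP 8.0+ (constructor property promotion).

// Constructed stand-in for the token endpoint: each code can be redeemed once.
final class FakeTokenEndpoint {
    private array $used = [];
    public function redeem(string $code): string {
        if (isset($this->used[$code])) {
            throw new RuntimeException('This authorization code has been used.', 100);
        }
        $this->used[$code] = true;
        return 'token-for-' . $code;
    }
}

// Hypothetical client that keeps the last code and token in a session-like store.
final class OAuthClient {
    public array $store = []; // stand-in for the persistent (session) data

    public function __construct(
        private FakeTokenEndpoint $endpoint,
        private bool $persistCode
    ) {}

    public function accessTokenFor(string $code): string {
        // Short-circuit: the presented code was already redeemed, reuse its token.
        if (($this->store['code'] ?? null) === $code) {
            return $this->store['access_token'];
        }
        $token = $this->endpoint->redeem($code);
        $this->store['access_token'] = $token;
        if ($this->persistCode) {
            // Keep the stored code in step with the code that was just redeemed.
            $this->store['code'] = $code;
        }
        return $token;
    }
}

// Two requests in a row carry the same constructed code (reload, retry, second handler).
function handleTwice(bool $persistCode): string {
    $client = new OAuthClient(new FakeTokenEndpoint(), $persistCode);
    $code = 'CONSTRUCTED_CODE_1';
    try {
        $client->accessTokenFor($code);
        return $client->accessTokenFor($code);
    } catch (RuntimeException $e) {
        return 'error ' . $e->getCode() . ': ' . $e->getMessage();
    }
}

echo 'code not persisted: ', handleTwice(false), PHP_EOL;
echo 'code persisted:     ', handleTwice(true), PHP_EOL;
```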