How to set up Facebook Deauthorization Callback with Yii

Goal: Create a facebook app Deauthorization callback with the Yii Framework and Facebook PHP SDK

Prerequisites: A Good Understanding of the Yii Framework is Helpful, A good understanding of the Facebook PHP SDK

One of the most important things when setting up a web application with Facebook is setting up a deauthorization callback so that when someone remove's your application via the Facebook Application interface you can deal with that appropriately for your application. This is extremely useful for marking a user inactive when they remove your application from their facebook profile.

In this example I will be demonstating how to set up a callback URL on This example is written using Yii 1.1 which can be downloaded at from github. I have also added and configured the Yii Facebook PHP SDK to my environment to make use of the Facebook PHP SDK, downloadable from

Firstly we need to create a base64_url_decode function to decode the data. To do this I've added the following function to my FacebookController.php file. This could just as easily be added to a helper file if you plan to utilize this for other things.

private static function base64_url_decode($input) {
    return base64_decode(strtr($input, '-_', '+/'));

Next we'll create a static function in the FacebookController.php file (also could be moved into a helper class), that does all of the request processing sent by Facebook. This will return false if there is an error parsing the data and log the error to the yii application log.

private static function parseSignedRequest() {
    if (isset($_REQUEST['signed_request'])) {
        $signed_request = $_REQUEST['signed_request'];
        list($encoded_sig, $payload) = explode('.', $signed_request, 2);

        // decode the data
        $sig = self::base64_url_decode($encoded_sig);
        $data = json_decode(self::base64_url_decode($payload), true);

        if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
            Yii::log('Unknown algorithm. Expected HMAC-SHA256', 'error');
            return false;

        // Adding the verification of the signed_request below
        $expected_sig = hash_hmac('sha256', $payload, Yii::app()->facebook->secret, $raw = true);
        if ($sig !== $expected_sig) {
            Yii::log('Bad Signed JSON signature!', 'error');
            return false;

        return $data;
    } else {
        return false;

Finally, we add our deauthorization code. in my example I simply use my users model to get the application user ID and then run my deauthorize command. Note that the parseSignedRequest() returns an array of information about the deauthorization from php.

public function actionDeauthorize(){
    $data = self::parseSignedRequest();
    if($data === false){
        //there was an error
        throw new CHttpException('500', 'There was a problem with the request format.');
        //build your deauthroization stuff here
        $userID = Users::getIdByFbUserID($data['user_id']);

And that's it. Just make sure that you set up your URL callback in your facebook app like below:

Loading Conversation