facebook-authSome developers encounter road blocks when they attempt to get Facebook working in their apps. Part of the challenge is trying to understand how Facebook authenticates users.

Corona’s facebook.login() API uses Facebook’s SDK to manage logins. All of the setup and execution to manage the oAuth 2.0 connections is handled automatically — you just need to provide some initial permissions and a listener function to handle the results from future Facebook calls. However, to achieve this simple access, there’s a lot of “behind the scenes” setup and several rules that you must understand.

Is the Native Facebook App Installed?

It’s important to understand the difference between when the Facebook app is installed or not installed. If your device has the native Facebook app installed, then the native app will launch to handle the login process. If the device does not have it installed, Facebook will open a web view to handle the login process.

The “web view process” is fairly simple and doesn’t cause too many issues. However, many developers struggle with the login process when the native app is installed.

Why do many developers struggle with the implementation when the native app is installed? Primarily, it’s due to how apps launch each other. In general terms, your app calls facebook.login() then it opens the native Facebook app. This pushes your app into the “background” and Facebook comes to the “foreground” to manage the login. When this occurs, Facebook needs a way to reactivate your app and bring it back to the foreground.

iOS Process

For iOS, URL schemes are used to reactivate your app. Facebook tells iOS to launch an app that is “fbXXXXXXXXXXX” where “XXXXXXXXXX” is your Facebook AppID. To get this ID, configure the necessary aspects of your app in the Facebook Portal.  You must also provide the correct Bundle ID that matches the provisioning profile you are building with.  You cannot use the Wildcard ID here.


The actual AppID might look something like “2834883834838″. To make this work on the Corona side, you must add some code to your build.settings file.

Notice that the Facebook AppID has to be in two locations. The CFBundleURLTypes block is how Facebook calls back to your app. In this field, remember to prefix the numerical value with fb, as in “fb934738748374738″. The other entry, FacebookAppID, is a recent change brought on by a newer SDK and it must be included in your app’s build.settings. With this in place, Facebook should be able to properly relaunch your app.

Android Process

For Android, the same basic behavior happens, except that Android launches apps based on the app’s Package Name. This must be properly configured in the Facebook Portal.

Android has a second requirement: you must provide the proper key hash in the developer portal to make sure the app is really your app. Previously, Facebook would tell you the key hash value it expects by outputting a line in your console log. Without this shortcut, however, you should know how to generate this value for Facebook.

As you may already know, when you deploy your apps to an Android store, you have to “sign” your app with a keystore. This is done by picking the keystore from the Corona SDK build screen — but before the keystore appears there, you must create it. The Android SDK provides you with a “debug” version, but you have to create your own keystore to release/publish the app to a store. You can use either of these for Facebook during testing, but once you release your app, Facebook requires the release keystore, not the debug version.

Instructions for creating the keystore can be found in our Signing and Building — Android Guide. It’s important to know that the keystore created with these instructions will be output to the folder you’re in when you run the command:

When you run this command, you should change the mykeystore.keystore portion to something appropriate for your app. Also, the aliasname should be changed to something less generic. You will be prompted for a password and the result will be a file named “mykeystore.keystore” (or whatever you named it) located in the directory that you’re in. This is important information when generating the keyhash for Facebook.

The instructions on Facebook’s site tell you to execute this command on Mac OS X

…or this command on Windows…

The problem with “blindly” executing these commands is that it makes assumptions that may not be correct for your setup! Let’s look at each of these:

  • -alias androiddebugkey — this assumes you want to use your “debug” keystore. If you want to use your release keystore, you have to change this to the correct alias.
  • -keystore ~/.android/debug.keystore — this should find an android debug.keystore but it won’t be the same debug keystore that Corona uses. On a Mac, the default debug.keystore is located in /Applications/CoronaSDK/Resource Library/Android. In addition, your release keystore may or may not have been stored in the ~/.android folder. Remember that it was created in the folder from which you ran the command. Thus, you should adapt this command line accordingly. It will prompt you for your password, which should be android for the debug keystore. On Windows, that command may work, but it’s unlikely that your release keystore is located in %HOMEPATH.android.

If you’re using the debug,keystore, you need to specify the path to the Corona version.  If you are using a release version, you need to specify the path to your release version or be in the same folder.

Note that you can use Corona to find your keystore and alias. Just open up the Android Build dialog from within the Corona Simulator (File > Build > Android…). Your alias will show in one of the fields and the keystore with a path will show in the other:


If necessary, pull down on that field to see the full path:


Once you have this information, use the system’s “cd” command from the command line to change directory to that folder. From there, execute the keytool command like this, where yourkeyalias and yourkeystore.keystore are the names from the Corona build dialog box.

This will output the keyhash string to the Terminal/console. You can now copy that string and apply it to the proper field in the Facebook Portal.


That concludes this week’s tutorial. Hopefully we have “de-mystified” some of the setup issues that challenge many developers when integrating Facebook into their Corona apps.

View this article: 

Understanding Facebook Authentication