When should the server-side vs. client-side Facebook authentication flows be used?

不知归路 2021-01-31 18:11

Facebook has two flows for Authentication, client-side and server-side. When should each one be used?

Facebook docs: https://developers.facebook.com/docs/authentication/

2 Answers
  •  余生分开走
    2021-01-31 19:02

    To add to @Lix's answer, I would say:

    Client Side Authentication

    • When you want some information from Facebook API about the user that is required once, as in you only need to get it once like the user's name and email.
    • When you want to temporarily access/manage the user's information/data and don't need to do it often.
    • You get a temporary token, which is valid only for a few hours, and you need to get a new token to call the Facebook API again after it has expired (which requires the user to grant permission again).

    Server Side Authentication

    • You want to manage the user's data (on their behalf) after the user has left your website/app. For example, gathering the user's feed/timeline data on a regular basis.
    • When you want to access/manage the user's information/data in a recurring fashion until the user hasn't revoked access to your client id (represented by a Facebook app).
    • You get both a temporary token and a permanent token (which lasts for about 60 days at the time of writing this). You can get a new temporary token by using the permanent token every time you need to call the Facebook API (given the previous temporary token has expired) -- without bothering the user to grant permission again.

    So, in short, for short term use, follow client-side authentication flow and for long term use follow server-side authentication (given you have a backend server of your own).
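The server-side flow discussed in the answer above, as an added example that is not part of the original answer or of Facebook's own code: the backend issues a one-time `state` value, checks it on the callback, and only then builds the code exchange that carries the app secret. The app ID, secret, redirect URI and the dict-based session are placeholders assumed for illustration, and the exchange request is built but not sent.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values assumed for this example
APP_ID = "APP_ID_PLACEHOLDER"
APP_SECRET = "APP_SECRET_PLACEHOLDER"  # stored only on the backend
REDIRECT_URI = "https://example.com/auth/facebook/callback"

DIALOG_URL = "https://www.facebook.com/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"


def start_login(session):
    """Step 1: build the login dialog URL, binding it to this session via state."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": APP_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["oauth_state"],
        "response_type": "code",
    })
    return f"{DIALOG_URL}?{query}"


def handle_callback(session, callback_url):
    """Step 2: validate the callback, then build the server-to-server exchange."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: replay fails
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    if "code" not in params:
        raise ValueError(params.get("error", ["missing code"])[0])
    # The app secret is attached here, on the server; the browser only ever
    # saw the app ID, the redirect URI, the state value and the code.
    return TOKEN_URL, {
        "client_id": APP_ID,
        "client_secret": APP_SECRET,
        "redirect_uri": REDIRECT_URI,
        "code": params["code"][0],
    }
```

The returned endpoint and parameters are what the backend would send over HTTPS to obtain the access token, which then stays in server-side storage.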
