Posts tagged with facebook-sdk-4.0

This error arises when the Facebook SDK detects a potential security risk during the login process. The state parameter acts as a crucial security measure to prevent Cross-Site Request Forgery (CSRF) attacks. It ensures that the request to obtain a Facebook access token originates from your legitimate application and not a malicious source.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Controller;
use Exception;
use Facebook\Facebook;

class FacebookAuthController extends Controller
{
    protected $helpers = ['url', 'session']; // Load the URL and session helpers

    private $fb; // Facebook SDK client, shared by login() and callback()

    public function __construct()
    {
        include_once APPPATH . "Libraries/vendor/autoload.php";

        // Initialize the Facebook SDK in the constructor
        $this->fb = new Facebook([
            'app_id'                => 'YOUR_APP_ID',     // placeholder, value redacted in the post
            'app_secret'            => 'YOUR_APP_SECRET', // placeholder, value redacted in the post
            'default_graph_version' => 'v11.0',
        ]);
    }

    public function login()
    {
        // Use the previously initialized Facebook object from the property
        $fb = $this->fb;

        // Redirect to Facebook's OAuth consent screen
        $helper      = $fb->getRedirectLoginHelper();
        $redirectURL = base_url('auth/facebook/callback');

        // Generate a CSRF token and save it in the session
        $csrfToken = bin2hex(random_bytes(32)); // Generate a random token
        session()->set('csrf_token', $csrfToken);

        $permissions = ['email']; // Specify the permissions you need
        $loginURL    = $helper->getLoginUrl($redirectURL, $permissions);

        // Append the CSRF token to the login URL as the state parameter
        // (note: getLoginUrl() has already added its own state= value and
        // stored it in the session for getAccessToken() to check later)
        $loginURL .= '&state=' . $csrfToken;

        return redirect()->to($loginURL);
    }

    public function callback()
    {
        // Use the previously initialized Facebook object from the property
        $fb = $this->fb;

        try {
            // getAccessToken() performs the SDK's own state check; a
            // FacebookSDKException thrown here is not caught below
            $accessToken = $fb->getRedirectLoginHelper()->getAccessToken();
            if (!$accessToken) {
                throw new Exception('No access token received');
            }

            // Validate the CSRF token generated in login()
            $state     = $this->request->getGet('state');
            $csrfToken = session()->get('csrf_token');
            if ($state !== $csrfToken) {
                throw new Exception('CSRF token mismatch');
            }

            // Implement your Facebook API logic using $accessToken and $fb
            // ... (e.g., get user data, store access token, create user account)
            $userData     = $fb->get('/me?fields=id,name,email', $accessToken);
            $facebookData = $userData->getData();

            // Example usage (replace with your specific logic)
            if (isset($facebookData['email'])) {
                $email = $facebookData['email'];
                // ... (check user existence in your database, create account if needed) ...
            }

            // ... (Handle successful login) ...
        } catch (\Facebook\Exceptions\FacebookResponseException $e) {
            // Handle Facebook API response error
            echo 'Facebook API Error: ' . $e->getMessage();
        }
    }
}
```

Facebook SDK returned an error: Cross-site request forgery validation failed. Required param "state" missing.
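The state round-trip the paragraph above describes, written out as an added example (not code from the original post or from the Facebook SDK). It reproduces what the SDK's redirect login helper does internally: mint a random state on login, keep a server-side copy, and compare the copy with the value the provider echoes back on the callback. A plain array stands in for the PHP session so the script runs offline; the function names, the session key, the app id and the redirect URI are constructed placeholders. The last walk-through shows why appending a second `state=` to a URL that already carries one breaks the check.

```php
<?php
// Added example: the CSRF "state" round-trip of an OAuth redirect login.
// Not code from the original post or from the Facebook SDK. A plain array
// replaces $_SESSION so this runs offline; names and values are constructed.

declare(strict_types=1);

const STATE_KEY = 'oauth_state'; // hypothetical session key

/** Step 1 (login): build the redirect URL and remember the state placed in it. */
function buildLoginUrl(array &$session, string $clientId, string $redirectUri, array $scopes): string
{
    $state = bin2hex(random_bytes(16));  // 128 bits from the CSPRNG
    $session[STATE_KEY] = $state;        // server-side copy, bound to this browser's session

    return 'https://www.facebook.com/v11.0/dialog/oauth?' . http_build_query([
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => implode(',', $scopes),
        'state'         => $state,
        'response_type' => 'code',
    ]);
}

/**
 * Step 2 (callback): accept the request only if the echoed state matches the
 * stored one. The stored value is consumed whatever the outcome, so a replayed
 * or forged callback cannot be retried against the same state.
 */
function validateState(array &$session, array $callbackQuery): bool
{
    $expected = $session[STATE_KEY] ?? null;
    unset($session[STATE_KEY]);

    $received = $callbackQuery['state'] ?? null;
    if (!is_string($expected) || !is_string($received) || $received === '') {
        // Either leg missing (nothing stored, or no state= in the callback URL)
        // is a hard failure rather than a silent pass.
        return false;
    }

    return hash_equals($expected, $received); // constant-time comparison
}

/** The query parameters a browser would send back for a given login URL. */
function queryOf(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return $query;
}

$clientId    = 'APP_ID_PLACEHOLDER';                              // constructed
$redirectUri = 'https://app.example/auth/facebook/callback';      // constructed

// Legitimate flow: the provider echoes exactly the state that was issued.
$session  = [];
$loginUrl = buildLoginUrl($session, $clientId, $redirectUri, ['email']);
$callback = queryOf($loginUrl) + ['code' => 'constructed-auth-code'];
printf("legitimate callback accepted: %s\n", var_export(validateState($session, $callback), true));

// Replay of the same callback: the stored state was consumed, so it is rejected.
printf("replayed callback accepted:   %s\n", var_export(validateState($session, $callback), true));

// Forged callback: a state this session never issued.
$session = [];
buildLoginUrl($session, $clientId, $redirectUri, ['email']);
$forged = ['code' => 'constructed-auth-code', 'state' => 'attacker-chosen'];
printf("forged callback accepted:     %s\n", var_export(validateState($session, $forged), true));

// The pitfall from the question: a second state= appended to a URL that already
// carries one. PHP keeps the last duplicate query parameter, so the provider
// echoes the appended token while the stored copy is the original.
$session   = [];
$loginUrl  = buildLoginUrl($session, $clientId, $redirectUri, ['email']);
$loginUrl .= '&state=' . bin2hex(random_bytes(32));
printf("double-state callback accepted: %s\n", var_export(validateState($session, queryOf($loginUrl)), true));
```

The SDK's `getLoginUrl()` already does the first step and `getAccessToken()` the second, with the PHP session as the persistent store, so an application only needs to make sure the session is started before both calls and should not add a state parameter of its own to the URL the helper returns.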

I have a Facebook Login for Business button set up, and when I have users of other businesses test it out, it does not grant them the permissions that have been defined in the associated configuration id. Instead of granting the users all 5 permissions stated within the configuration, it only grants them 'public_profile' and 'business_management'.

During developer testing, a developer had access to the main Business as well as a client Business to verify that the process worked. When this user logs in and authorises, they are granted all 5 permissions. I have scoured the documentation and am unsure if I'm missing a step or some code.

I am unable to ask Facebook for help as they no longer accept GraphApi problems via their helpdesk. You can only post it on their public error forum in hopes that somebody else can chime in.

If it helps, the login button setup I am using is as follows:

```jsx
<div
    id="facebook-login-button"
    className="fb-login-button"
    data-width=""
    data-size="medium"
    data-button-type=""
    data-layout=""
    data-auto-logout-link="false"
    data-use-continue-as="false"
    data-config_id={facebookConfigurationId}
    data-onlogin="onFacebookLogin"
></div>
```