
Facebook App Iframe OAuth Login / Permissions Bug - possible to avoid?

I have the same problem as outlined here: "Facebook OAuth login for iframe canvas apps displays a logo image and a Go to Facebook.com caption instead of logging in" - I've been able to use the workaround provided in the accepted answer to ensure users correctly see the permissions box on first use of the application.

However, my issue is that this form of redirect after the initial "install" of the app is very disruptive for the user - they are visibly taken away from the Facebook site, before being redirected back. It really breaks the user experience. If I use the standard login method provided by the CodeIgniter library I'm using (http://www.haughin.com/code/facebook/) then the login / load of the app is seamless - but I have the aforementioned issue on first use of the application.

Is there a way I can detect whether a user has an app installed, so I can use the main login method for every instance other than the app "install"?


In your iframe canvas app, if a user has already authorized your app, the signed_request will contain a user_id and oauth_token, so there's no need to redirect the user to the "authorization" page. Here are a couple of examples of what the signed_request may contain:

User hasn't authorized app:

signed_request =
    {
        "algorithm":"HMAC-SHA256",
        "issued_at":1299083443,
        "user":{"country":"ca","locale":"en_US","age":{"min":21}}
    }

User has already authorized app:

signed_request =
    {
        "algorithm":"HMAC-SHA256",
        "expires":1299092400,
        "issued_at":1299085507,
        "oauth_token":access_token,
        "user":{"country":"ca","locale":"en_US","age":{"min":21}},
        "user_id":user_id
    }

If you don't see a user_id and oauth_token, then you can use the JavaScript window.top.location.href technique. If you do see a user_id and oauth_token, then there's no need to ask the user to authenticate your app because s/he already did. So in other words, if a user authorized your app on January 1 and then came back on January 10th, then the signed_request will already contain the user_id and oauth_token on the January 10th visit.

This is the technique that I use. I hope this helps.

UPDATED March 7, 2011 in response to BrynJ's comment below.

To get the signed_request, you have to ensure that "OAuth 2.0 for Canvas" is enabled in your application settings (which can be found in the "Advanced" tab when you're editing your settings here http://www.facebook.com/developers/apps.php). This is enabled by default for all new apps, but if you have an old one, you will need to enable it yourself. Also, note the "POST for Canvas" setting in the same "Advanced" tab. If this is enabled, then the signed_request is passed in the POST body (e.g. signed_request=12345). If it's disabled, then the signed_request is passed in the query string.

Once you have the signed_request, you will need to verify and decode it to get the user_id and oauth_token. Facebook has a really good example here:

http://developers.facebook.com/docs/authentication/signed_request/

BTW, you will want to enable "POST for Canvas", as Facebook will be switching all iframe apps to this on March 12. More info here: http://developers.facebook.com/docs/canvas/post/
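The verify-then-decode step described in the answer, followed by the user_id / oauth_token check, as an added Python example that is not part of the original answer or Facebook's sample code. APP_SECRET, the token and user id values, and all function names are constructed for illustration; the samples mirror the two payloads shown above.

```python
import base64
import hashlib
import hmac
import json

APP_SECRET = "constructed-app-secret"  # placeholder, not a real app secret

def b64url_decode(part):
    # The '=' padding is stripped from signed_request; restore it first.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_signed_request(signed_request, app_secret):
    """Return the payload dict only if its HMAC-SHA256 signature verifies."""
    try:
        sig_part, payload_part = signed_request.split(".", 1)
        sig = b64url_decode(sig_part)
        data = json.loads(b64url_decode(payload_part))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(data, dict) or str(data.get("algorithm")).upper() != "HMAC-SHA256":
        return None
    # The signature covers the encoded payload string, not the decoded JSON.
    expected = hmac.new(app_secret.encode(), payload_part.encode(), hashlib.sha256).digest()
    return data if hmac.compare_digest(sig, expected) else None

def is_authorized(data):
    # Trust user_id / oauth_token only from a payload that verified.
    return bool(data) and "user_id" in data and "oauth_token" in data

def make_signed_request(payload, secret):
    """Build a constructed sample in the <signature>.<payload> format."""
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + body

# Constructed samples mirroring the two payloads shown in the answer.
USER = {"country": "ca", "locale": "en_US", "age": {"min": 21}}
FIRST_VISIT = make_signed_request(
    {"algorithm": "HMAC-SHA256", "issued_at": 1299083443, "user": USER}, APP_SECRET)
RETURNING = make_signed_request(
    {"algorithm": "HMAC-SHA256", "expires": 1299092400, "issued_at": 1299085507,
     "oauth_token": "constructed-token", "user": USER, "user_id": "1000001"}, APP_SECRET)
# A payload claiming a user_id, carried under a signature made for another payload.
FORGED = FIRST_VISIT.split(".")[0] + "." + RETURNING.split(".")[1]

if __name__ == "__main__":
    for name, sr in (("first", FIRST_VISIT), ("returning", RETURNING), ("forged", FORGED)):
        print(name, "authorized:", is_authorized(parse_signed_request(sr, APP_SECRET)))
```

Only the first-visit case should fall through to the window.top.location.href redirect; a request that fails verification should be rejected rather than treated as a new user.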
