This is clearly stated in the document:
Application deauthorization
When a user of your application removes it in the application panel or blocks the application in News Feed, your application can be notified by specifying the Deauthorize callback URL in the application of the developer. During the removal of the application, we will send an HTTP POST request containing one parameter, signed_request, which contains the user ID (UID) of the user who simply deleted your application. You will not receive the user's access token in this request, and all existing user access tokens will automatically expire.
So, using the signed_request function from that same document:
    <?php
    function parse_signed_request($signed_request, $secret) {
        list($encoded_sig, $payload) = explode('.', $signed_request, 2);

        // decode the data
        $sig = base64_url_decode($encoded_sig);
        $data = json_decode(base64_url_decode($payload), true);

        if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
            error_log('Unknown algorithm. Expected HMAC-SHA256');
            return null;
        }

        // check sig (hash_equals compares in constant time)
        $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
        if (!hash_equals($expected_sig, $sig)) {
            error_log('Bad Signed JSON signature!');
            return null;
        }

        return $data;
    }

    function base64_url_decode($input) {
        return base64_decode(strtr($input, '-_', '+/'));
    }

    $result = parse_signed_request($_REQUEST['signed_request'], "APP_SECRET");

    // stop here if the signature or algorithm check failed
    if ($result === null) {
        http_response_code(400);
        exit;
    }

    $myFile = "deauthorize.txt";
    $fh = fopen($myFile, 'w') or die("can't open file");
    fwrite($fh, $result["user_id"] . "\n");
    fclose($fh);
    ?>
So, all you have to do is look up $result["user_id"] in your database and delete the record.
PS: I would recommend adding a new field called active and just disconnecting the user, rather than deleting the record altogether.
EDIT:
Facebook does not redirect the user to an authorization URL! It will only ping it:
Facebook links to this URL when a user deactivates your application
ifaour
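The callback handling described above, combined with the active flag suggested in the PS, as an added example that is not part of the original answer or of Facebook's documentation. The secret, the users table with its fb_uid and active columns, and both sample requests are constructed assumptions; it needs the pdo_sqlite extension.

```php
<?php
const APP_SECRET = 'constructed-test-secret'; // assumption: placeholder, not a real secret

function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}
function b64url_decode(string $s) {
    $s = strtr($s, '-_', '+/');
    // restore the padding that base64url drops, then decode strictly
    return base64_decode(str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '='), true);
}
// Returns the decoded payload, or null when the request is malformed or forged.
function verify_signed_request($signed, string $secret): ?array {
    if (!is_string($signed) || substr_count($signed, '.') !== 1) return null;
    [$encSig, $payload] = explode('.', $signed, 2);
    $sig = b64url_decode($encSig);
    // authenticate the raw payload before parsing anything inside it
    $expected = hash_hmac('sha256', $payload, $secret, true);
    if ($sig === false || !hash_equals($expected, $sig)) return null;
    $json = b64url_decode($payload);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || !is_string($data['algorithm'] ?? null)) return null;
    return strtoupper($data['algorithm']) === 'HMAC-SHA256' ? $data : null;
}
// Soft-deactivate instead of deleting; true only if exactly one row changed.
function deactivate_user(PDO $db, array $data): bool {
    $uid = (string)($data['user_id'] ?? '');
    if (!ctype_digit($uid)) return false;
    $st = $db->prepare('UPDATE users SET active = 0 WHERE fb_uid = ? AND active = 1');
    $st->execute([$uid]);
    return $st->rowCount() === 1;
}
// --- constructed demo data; a live handler would read $_POST['signed_request'] ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (fb_uid TEXT PRIMARY KEY, active INTEGER NOT NULL DEFAULT 1)');
$db->exec("INSERT INTO users (fb_uid) VALUES ('1000001'), ('1000002')");

$payload = b64url_encode(json_encode(['algorithm' => 'HMAC-SHA256', 'user_id' => '1000001']));
$sig     = b64url_encode(hash_hmac('sha256', $payload, APP_SECRET, true));
$other   = b64url_encode(json_encode(['algorithm' => 'HMAC-SHA256', 'user_id' => '1000002']));
$samples = ['valid' => "$sig.$payload", 'payload swapped, old signature' => "$sig.$other"];

foreach ($samples as $label => $request) {
    $data = verify_signed_request($request, APP_SECRET);
    $ok   = $data !== null && deactivate_user($db, $data);
    echo $label, ': ', $ok ? 'user marked inactive' : 'rejected', "\n";
}
```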