What to look for in Facebook callback url for user account

Im using Hybridauth so people can signup on my site using either Facebook or Twitter. I think I have most of it down:

  1. They go to my login page and click the Facebook Sign In button
  2. If they havent singed up yet it redirects them to Facebook asking for permission
  3. If they say yes, it will take them back to my callback URL
  4. What do I do here? What do I look for? Do I look for a GET variable like state? If its present then proceed to the next step?
  5. Grab the access token given to me from facebook app
  6. Create a new account in my DB and assign the access token to that account
  7. Log them into the system
  8. If they come back to log in again, they click the FB button to login, it checks to see if there is a access token already with permission, if so, I then search my DB for the account with that accesstoken. If found, I can then log them into the system

I mean thats pretty much it right? So anyone can help me with step 4? What do I look for so my code knows they want to create an account with their facebook accesstoken?

Steps 1 through 3 are correct.

In step 4 you would indeed get some value from the GET parameters called the authorization code. You can then use this authentication code to obtain an access token from facebook, as you’ve described in step 5.

Steps 6 and 7 are correct.

Step 8 is sort of correct, but you cannot use the access token to identify users, as the same user will get a different access token every time, that’s kind of the point of access tokens. So instead you should use some unique user identifier, this should be sent with the access token.

Also see http://www.bubblecode.net/en/2016/01/22/understanding-oauth2/ - there is a nice diagram there of what happens.