Flash Platform applications on Facebook

Figure 2. A Flash Platform application on Facebook.com

1. The user requests your application while on the Facebook website; the browser makes an HTTP request to the Facebook server.
2. The Facebook server returns an HTML/JS page containing the Facebook website chrome and an iFrame HTML tag.
3. The user's browser makes a request to your server for the page to display inside the iFrame. As before, this is either an HTML page or an application server page but now this page also embeds a SWF file, the Flash Platform application.
4. Your server returns an HTML/JS page to the user's browser, which is displayed in the iFrame. This page must still contain logic checking to see if the user is logged in to Facebook, but now this check can be done in the embedded SWF using the Adobe ActionScript 3 SDK for Facebook Platform. The application contains code to check for the existence of an access token. If there is no access token, you must add code to redirect the user to the Facebook login page as before.
5. The users' browser makes another request to your server, this time for the SWF to embed in the HTML page in the iFrame.
6. Your server returns the SWF file.
7. As the user interacts with the application, it makes asynchronous calls to Facebook using the Adobe ActionScript 3 SDK for Facebook Platform. Every API call must include the access token; this is handled automatically by the SDK.

Due to security restrictions of Flash Player, SWF files can only make data calls to the server from which the SWF file was served (that is, your server) or to servers that have a crossdomain policy file listing the server that the SWF file came from. This means that for your SWF file to make calls directly to the Facebook server, the Facebook server must have a crossdomain policy file giving SWF files from your server access. If you take a look at the Facebook cross-domain policy file, you will see a wildcard entry granting access to SWF files from all servers.

8. Facebook returns JSON data to the application.
9. As the user interacts with the application, it can also make asynchronous calls to your server (to save any data on your server or do any other server-side processing) using typical remote procedure call methods. For Flash Platform applications built with Flex, this includes HTTP, web service, and Flash Remoting requests. The quickest and smallest calls result from using Flash Remoting, which uses the open-source binary protocol Action Message Format (AMF) to exchange data between the server and Flash Player.
10. If the server needs to talk to Facebook for any reason, it does.
11. Your server-side code handles results from Facebook.
12. Your server returns any data to your Flash Platform application in the user's browser.