且构网


FB login verification mechanism

Updated: 2023-12-03 14:46:16

Facebook uses OAuth 2.0, which is the current standard for open authorization. This is a short description from Wikipedia:

  OAuth provides client applications a 'secure delegated access' to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner, or end-user. The client then uses the access token to access the protected resources hosted by the resource server.[1] OAuth is commonly used as a way for web surfers to log into third-party web sites using their Google, Facebook or Twitter passwords, without worrying about their access credentials being compromised.

You can read the RFC specification for more details: http://tools.ietf.org/html/rfc6749
You can also read information about the different integrations: http://oauth.net/2/

You cannot create a fake token. The user receives a token after typing his username and password, which means stealing his token is equivalent to stealing his credentials, as the token is randomly generated.

I will explain the flow briefly: I'm a user who uses Facebook in general, and your application. I log in to Facebook and reach your application inside Facebook or via an external link, and click on it. Then Facebook will ask me whether I want to share my personal information with your application (this is because I am logged in; if I were not, it would ask me for my username and password). If I agree, Facebook will send an access token to your application, and with it you will access my personal information. This access will be highly restricted, so you won't be able to do anything harmful, and it will also expire after some time, depending on the implementation, but it should be around one hour.
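As an added illustration of the flow described above (example code, not from the answer and not Facebook's own implementation), here is a toy authorization server and resource server in Python: the token is issued only after the owner consents, is randomly generated so a client cannot forge one, is limited to the scopes the owner approved, and expires after an hour. User names, scope labels and the profile data are constructed for the example.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # the answer says the token should expire after about one hour


class AuthorizationServer:
    """Toy authorization server (constructed example): issues and checks access tokens."""

    def __init__(self):
        self._tokens = {}  # token -> {"user", "client_id", "scopes", "expires_at"}

    def issue_token(self, user, client_id, scopes, user_approved, now=None):
        # No consent from the resource owner, no token: the client never sees credentials.
        if not user_approved:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, so a client cannot forge one
        self._tokens[token] = {"user": user, "client_id": client_id,
                               "scopes": frozenset(scopes),
                               "expires_at": now + TOKEN_TTL_SECONDS}
        return token

    def introspect(self, token, now=None):
        # Returns the grant behind a token, or None if it is unknown or expired.
        now = time.time() if now is None else now
        grant = self._tokens.get(token)
        if grant is None or now >= grant["expires_at"]:
            return None
        return grant


class ResourceServer:
    """Toy resource server: hands out profile fields only within the granted scopes."""

    # Constructed sample data; scope names are illustrative, not Facebook's.
    PROFILES = {"alice": {"name": "Alice", "email": "alice@example.com", "friends": ["bob"]}}
    SCOPE_FOR_FIELD = {"name": "profile", "email": "email", "friends": "friends"}

    def __init__(self, auth_server):
        self._auth = auth_server

    def read_field(self, token, field, now=None):
        grant = self._auth.introspect(token, now)
        if grant is None:
            return ("denied", "invalid or expired token")
        if self.SCOPE_FOR_FIELD[field] not in grant["scopes"]:
            return ("denied", "scope not granted")
        return ("ok", self.PROFILES[grant["user"]][field])
```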