I developed for our middleware a small, simple and new auth strategy to validate facebook-tokens directly.
Request parameter name is access_token and it overrides the _request method of your oauth2 library to remove the type and code parameter. Otherwise facebook response with an error.
Works fine in our project. 😄
Add auth strategy which validates an access_token directly.