douyan1453 2011-08-02 17:07

Facebook application redirect to authentication page problem?

If $user is empty, I want to redirect to the authenticate page, but I am seeing the Facebook logo and am required to click this logo; otherwise it doesn't go to the authenticate page.

This is my redirect code:

if ($user)
{
    // code..
}
else
{
    $url = 'https://www.facebook.com/dialog/oauth?client_id=258561857493875&redirect_uri=http://apps.facebook.com/gunlukburcpaylas/&scope=email,read_stream,publish_stream,offline_access,user_birthday';
    header("location:".$url);
}

You can see my application from here.

(Sorry for my English. My first language is not English)


3 answers

  • dongshuang0011 2011-08-02 17:54

    The Facebook API does not allow you to issue Redirect headers for the Authentication page. Here's the Authentication page I use, with the pieces relevant to only my page removed. If you put this code in, it will work, as I use it in production for my Facebook application. It also implements CSRF protection. EDIT: I removed the APP_SECRET, because I doubt you need it.

    <?php
    session_start(); // required before $_SESSION is used for the marker below
    $valid = false;
    
    define('APP_ID', "");
    define('CHROMED_URL', ""); // this is the Facebook app URL in the form http://apps.facebook.com/[app name]
    
    $desired_perms = ""; // place the permissions you want here
    $auth_url = "https://www.facebook.com/dialog/oauth?client_id=".APP_ID."&redirect_uri=".urlencode(CHROMED_URL)."&scope=".$desired_perms;
    
    // signed_request is absent when the page is not loaded through Facebook
    $signed_request = (isset($_REQUEST["signed_request"]) && is_string($_REQUEST["signed_request"])) ? $_REQUEST["signed_request"] : "";
    
    // Format: <base64url signature>.<base64url JSON payload>
    list($encoded_sig, $payload) = array_pad(explode('.', $signed_request, 2), 2, "");
    
    // The payload is only decoded here; $encoded_sig is not verified because the app secret was removed.
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    
    if (empty($data["user_id"])) {
        // The user is not logged in, or the user has not authorized the app.
        // We start a session to maintain a marker variable for CSRF attack detection.
        // The auth URL will log the user in AND acquire permissions if needed.
        $marker = bin2hex(random_bytes(16)); // CSRF protection
        $_SESSION['marker'] = $marker;
        session_write_close();
        // Redirect the top window from script; json_encode() quotes the URL safely for JavaScript.
        echo("<script> top.location.href=".json_encode($auth_url."&marker=".$marker)."</script>");
    } else {
        $sent_marker = (isset($_GET['marker']) && is_string($_GET['marker'])) ? $_GET['marker'] : "";
        if (isset($_SESSION['marker']) && hash_equals($_SESSION['marker'], $sent_marker)) {
            // The user is logged in, has given the app permission, and appears to be operating under the correct session
            // marker, which protects against CSRF attacks.
    
            // Let's verify the data's algorithm as a precaution.
    
            if (!isset($data["algorithm"]) || $data["algorithm"] != "HMAC-SHA256") {
                echo("<script> top.location.href='./error.php?id=1'</script>");
                exit;
            }
            $valid = true;
    
        } else {
            // This branch means the user is logged in, but that it appears they have been subjected to
            // a CSRF attack.
            echo("<script> top.location.href='./error.php?id=2'</script>");
            exit;
        }
    
    }
    ?>
    <?php if($valid): ?>
    <!-- PUT The HTML to embed your application here -->
    <?php endif; ?>
    
    This answer was selected by the asker as the best answer.
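
The accepted answer decodes `signed_request` but, with the app secret removed, never checks its signature, so `user_id` is taken on trust. As an added example (not part of the original answer), the code below verifies the HMAC-SHA256 signature before the payload is used; the function names, the secret value and the sample requests are constructed for illustration.

```php
<?php
// Added example: helper names and the secret are assumptions, not from the answer.

function base64url_decode($input)
{
    // Strict mode returns false if a character outside the alphabet appears.
    return base64_decode(strtr($input, '-_', '+/'), true);
}

function base64url_encode($bytes)
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Returns the decoded payload only when the signature matches, otherwise null.
function parse_signed_request($signed_request, $app_secret)
{
    if (!is_string($signed_request) || substr_count($signed_request, '.') !== 1) {
        return null;
    }
    list($encoded_sig, $payload) = explode('.', $signed_request, 2);

    $sig  = base64url_decode($encoded_sig);
    $json = base64url_decode($payload);
    if ($sig === false || $json === false) {
        return null;
    }
    $data = json_decode($json, true);
    // Pin the algorithm: the payload must not choose how it is verified.
    if (!is_array($data) || !isset($data['algorithm'])
        || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        return null;
    }
    // The MAC covers the still-encoded payload string, keyed with the app secret.
    $expected = hash_hmac('sha256', $payload, $app_secret, true);
    return hash_equals($expected, $sig) ? $data : null; // constant-time compare
}

// Constructed sample data (not real Facebook traffic).
$secret  = 'example-app-secret';
$payload = base64url_encode(json_encode(array('algorithm' => 'HMAC-SHA256', 'user_id' => '1000')));
$genuine = base64url_encode(hash_hmac('sha256', $payload, $secret, true)) . '.' . $payload;

// Same signature, different user_id: what decode-only code would accept.
$swapped = base64url_encode(json_encode(array('algorithm' => 'HMAC-SHA256', 'user_id' => '42')));
$forged  = explode('.', $genuine)[0] . '.' . $swapped;

var_dump(parse_signed_request($genuine, $secret)); // genuine request
var_dump(parse_signed_request($forged, $secret));  // payload swapped under the old signature
```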