Due to the high interest in using Spring Social within Facebook Canvas apps, I've just pushed a newer version of the Spring Social Canvas sample that properly uses signed_request to obtain an access token. The example can be found at https://github.com/SpringSource/spri...-social-canvas.
The previous version of the sample was going through a typical OAuth 2 authorization flow using ProviderSignInController. While that works, it's not optimal, nor is it the proper way to handle authorization in Canvas applications.
Per Facebook's Canvas Application documentation (https://developers.facebook.com/docs...book/tutorial/ ), the proper way to obtain an access token is by retrieving it from the signed_request parameter that Facebook sends to your app's Canvas URL. If no access token is in the signed_request parameter, then your app should redirect (at the browser's top-level) to Facebook's authorization dialog to obtain authorization, after which Facebook will redirect back to your application with a new signed_parameter that should include the access token.
This is what the new Spring Social Canvas Sample does. Most of the work is handled in CanvasSignInController, which is roughly analogous to ProviderSignInController only with the proper Canvas authorization flow.
Note that this is just a first cut of the sample and there's a lot of improvements to be made. I wanted to make this available sooner rather than later, even if it is a bit rough around the edges. It is likely to evolve over time. Specifically, CanvasSignInController is subject to be extracted from the example altogether and become a component in Spring Social Facebook's Web module. What you see in that class is already mostly boilerplate, so it makes sense to make it a portion of the framework.