I have a Facebook application that is loaded in the Canvas context of Facebook. If I hit the app URL directly (http://apps.facebook.com/myapp/) the signed_request generated by Facebook doesn't contain an access token...
If I hit the app URL from the bookmarks, the access_token is returned successfully.
I'm not sure how to handle this case when the app url is hit directly and theres no access_token in the URL. What am I misunderstanding about this?
If a user is logged into facebook already, why would there not be an access token in the signed request?
If there is no access_token it just means Facebook does not consider the user to be 'logged in to your app'. Normally it means either the user is not logged into facebook, or they have not authorized your app, but it can also happen when they have simply timed out and such.
The proper thing to do is to just send the user to the oauth authentication page (the dialog or the redirect url) as described here
Then facebook will redirect back to you with the access_token for sure. If the user is logged into facebook and has authorized your app before, it will just be a quick redirect without any action needed on their part.