Facebook web app authentication made super easy

First, you have to create a web app at https://developers.facebook.com/apps and set the canvas URL along with the other details as usual.

And that is all you need to do. There is no need to call their API for authentication. Instead, FB directly posts a signed request to the canvas URL you provided while creating the app as soon as the app is loaded. You then decode the signed request and verify its signature using your app secret and the ‘HMAC-SHA256’ algorithm. You can also use libraries like csharpsdk.org to do the job.

After decoding and verifying, you get the user_id, user details (country, age, language), an OAuth token and some timestamps. You can then use user_id for identification and the token for further communication.

However, if the user has not authorized the app, you will get null for user_id and token. Then you can ask for authorization by redirecting to the authorization URL (e.g. https://graph.facebook.com/oauth/authorize?client_id={0}&redirect_uri={1}&scope={2}).

You have to pass redirect_uri so that FB returns the user to the previous location and you can continue from there.
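The whole flow described above, decoding the signed request, checking the HMAC-SHA256 signature against the app secret, detecting the not-yet-authorized case and building the authorization redirect, as an added Python example that is not the post's own code nor the Jackpot app's. The app secret, app id and canvas URL are constructed placeholders; `make_signed_request` only exists to build a sample input the way Facebook would, so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed values for this example; a real app uses the App Secret and
# App ID from its developer dashboard and its real canvas URL.
APP_SECRET = b"constructed-app-secret"
APP_ID = "000000000000000"                       # placeholder app id
CANVAS_URL = "https://example.invalid/canvas/"   # placeholder canvas URL


def _b64url_decode(data: str) -> bytes:
    # Facebook strips the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request: str, app_secret: bytes) -> dict:
    """Decode the 'sig.payload' string and verify its HMAC-SHA256 signature.

    Raises ValueError on malformed or mis-signed input, so a forged or
    tampered request never yields a payload the app could act on.
    """
    if "." not in signed_request:
        raise ValueError("signed_request must be '<sig>.<payload>'")
    encoded_sig, encoded_payload = signed_request.split(".", 1)
    sig = _b64url_decode(encoded_sig)
    data = json.loads(_b64url_decode(encoded_payload))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm: %r" % data.get("algorithm"))
    # The HMAC covers the base64url-encoded payload, not the decoded JSON.
    expected = hmac.new(app_secret, encoded_payload.encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the signature via timing.
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return data


def session_from_payload(data: dict):
    """Return (user_id, oauth_token), or None if the user has not authorized the app."""
    user_id = data.get("user_id")
    token = data.get("oauth_token")
    if not user_id or not token:
        return None
    return user_id, token


def authorize_url(app_id: str, redirect_uri: str, scope: str) -> str:
    """Build the authorization URL the post describes, with the canvas URL as redirect_uri."""
    query = urlencode({"client_id": app_id, "redirect_uri": redirect_uri, "scope": scope})
    return "https://graph.facebook.com/oauth/authorize?" + query


def make_signed_request(payload: dict, app_secret: bytes) -> str:
    """Sign a payload the way Facebook does; used here only to construct sample input."""
    encoded_payload = _b64url_encode(json.dumps(payload).encode("utf-8"))
    sig = hmac.new(app_secret, encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + encoded_payload


if __name__ == "__main__":
    # Constructed sample: an authorized user.
    authorized = make_signed_request(
        {"algorithm": "HMAC-SHA256", "user_id": "12345", "oauth_token": "tok", "issued_at": 1},
        APP_SECRET)
    print(session_from_payload(parse_signed_request(authorized, APP_SECRET)))
    # Constructed sample: user has not authorized the app, so redirect.
    anonymous = make_signed_request(
        {"algorithm": "HMAC-SHA256", "user": {"country": "us", "locale": "en_US"}},
        APP_SECRET)
    if session_from_payload(parse_signed_request(anonymous, APP_SECRET)) is None:
        print("redirect to:", authorize_url(APP_ID, CANVAS_URL, "email"))
```

The signature check happens before any field of the payload is used; an attacker who controls the POST body can change the encoded payload freely, so the only thing that makes user_id trustworthy is that the HMAC under your app secret still matches.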

This is a very nice move by Facebook, as it greatly reduces the dependency on external Facebook libraries.

A small Facebook app that I created using the technique described above is available on CodePlex at http://jackpot.codeplex.com.

Also, it will be hosted at https://apps.facebook.com/badhshala.

Reference: https://developers.facebook.com/docs/howtos/login/signed-request/
