Facebook has two flows for authentication, client-side and server-side. When should each one be used?
Facebook docs: https://developers.facebook.com/docs/authentication/
Possibly related: What is the purpose of the implicit grant authorization type in OAuth 2?
Depending on your needs, you can use one or the other, or both. If you want calls to Facebook to be processed before the user sees a certain page, then use server-side... however, if you want to display partial information until the user has authenticated, use JavaScript authentication.
It boils down to this:
- JavaScript authentication can happen within a popup window and does not require a page reload; you can also just perform a top.location.href redirect.
- PHP authentication involves a redirect to an authentication page.
Also see this thread, in particular this response.
To add to @Lix's answer, I would say:
Client Side Authentication
- When you want some information from the Facebook API about the user that is required only once, as in you only need to get it once, like the user's name and email.
- When you want to temporarily access/manage the user's information/data and don't need to do it often.
- You get a temporary token, which is valid only for a few hours, and you need to get a new token to call the Facebook API again after it has expired (which requires the user to grant permission again).
Server Side Authentication
- You want to manage the user's data (on their behalf) after the user has left your website/app. For example, gathering the user's feed/timeline data on a regular basis.
- When you want to access/manage the user's information/data in a recurring fashion until the user revokes access to your client ID (represented by a Facebook app).
- You get both a temporary token and a permanent token (which lasts for about 60 days at the time of writing this). You can get a new temporary token by using the permanent token every time you need to call the Facebook API (given the previous temporary token has expired) -- without bothering the user to grant permission again.
So, in short, for short-term use follow the client-side authentication flow, and for long-term use follow the server-side authentication flow (given you have a backend server of your own).
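As an added example (not from either answer above, and not Facebook's own SDK code), here is the server-side flow the second answer describes, in Python: the callback handler checks an unguessable `state` value kept in the server session before it touches the returned code, exchanges the code for a short-lived token and then for a long-lived one using the app secret (which is why this step has to live on the server rather than in browser JavaScript), and refuses to hand out a stored token once it has expired. The endpoint URLs follow Facebook's documented OAuth endpoints but are assumptions to verify against the current docs; `fake_facebook_post`, the code `code-abc123`, the app secret and the token strings are constructed stand-ins so the example runs offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# Facebook's documented OAuth endpoints for the server-side flow (assumed here;
# verify against the current Graph API docs before relying on them).
AUTHORIZE_URL = "https://www.facebook.com/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"

# Transport hook: (url, form fields) -> decoded JSON body. Injected so the flow
# can run offline against the constructed fake Facebook further down.
HttpPost = Callable[[str, Dict[str, str]], Dict[str, str]]


@dataclass
class StoredToken:
    access_token: str
    expires_at: float  # unix time; long-lived tokens last about 60 days

    def is_expired(self, now: Optional[float] = None) -> bool:
        return (time.time() if now is None else now) >= self.expires_at


class ServerSideFlow:
    """Authorization-code flow: the app secret is only ever used on the server."""

    def __init__(self, app_id: str, app_secret: str, redirect_uri: str, http_post: HttpPost):
        self.app_id, self.app_secret = app_id, app_secret
        self.redirect_uri, self.http_post = redirect_uri, http_post
        self.tokens: Dict[str, StoredToken] = {}  # keyed by our own user id

    def build_login_url(self, session: Dict[str, str], scope: str) -> str:
        # Unguessable per-login state kept in the server session, so the callback
        # can prove the code belongs to a login this server actually started.
        session["oauth_state"] = secrets.token_urlsafe(32)
        return AUTHORIZE_URL + "?" + urlencode({
            "client_id": self.app_id, "redirect_uri": self.redirect_uri,
            "scope": scope, "state": session["oauth_state"], "response_type": "code",
        })

    def handle_callback(self, session: Dict[str, str], user_id: str,
                        query: Dict[str, str], now: Optional[float] = None) -> StoredToken:
        expected = session.pop("oauth_state", None)  # single use
        got = query.get("state", "")
        if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
            raise PermissionError("state mismatch: callback not tied to a login we started")
        if "code" not in query:
            raise PermissionError("login denied: " + query.get("error", "no code returned"))
        # Step 1: code -> short-lived user token. Needs the app secret, hence server-only.
        short = self.http_post(TOKEN_URL, {
            "client_id": self.app_id, "client_secret": self.app_secret,
            "redirect_uri": self.redirect_uri, "code": query["code"],
        })
        # Step 2: short-lived -> long-lived token, for use after the user has left.
        long_lived = self.http_post(TOKEN_URL, {
            "grant_type": "fb_exchange_token", "client_id": self.app_id,
            "client_secret": self.app_secret, "fb_exchange_token": short["access_token"],
        })
        base = time.time() if now is None else now
        token = StoredToken(long_lived["access_token"], base + int(long_lived["expires_in"]))
        self.tokens[user_id] = token
        return token

    def token_for(self, user_id: str, now: Optional[float] = None) -> Optional[StoredToken]:
        """Token for a background call, or None when the user must log in again."""
        tok = self.tokens.get(user_id)
        return None if tok is None or tok.is_expired(now) else tok


# Constructed stand-in for Facebook's token endpoint: accepts one known code and
# the right app secret, and issues a 2-hour token, then a 60-day one on exchange.
VALID_CODE, APP_SECRET = "code-abc123", "app-secret-xyz"


def fake_facebook_post(url: str, form: Dict[str, str]) -> Dict[str, str]:
    if url != TOKEN_URL or form.get("client_secret") != APP_SECRET:
        raise PermissionError("bad endpoint or client_secret")
    if form.get("grant_type") == "fb_exchange_token":
        if form.get("fb_exchange_token") != "short-token":
            raise PermissionError("unknown token")
        return {"access_token": "long-token", "expires_in": str(60 * 24 * 3600)}
    if form.get("code") != VALID_CODE:
        raise PermissionError("bad code")
    return {"access_token": "short-token", "expires_in": str(2 * 3600)}


def demo(now: float = 1_700_000_000.0) -> Dict[str, object]:
    flow = ServerSideFlow("123", APP_SECRET, "https://example.invalid/cb", fake_facebook_post)
    session: Dict[str, str] = {}
    flow.build_login_url(session, "email")
    state = session["oauth_state"]
    # Simulated redirect back from Facebook carrying our state and a code.
    token = flow.handle_callback(session, "user-1", {"state": state, "code": VALID_CODE}, now)
    # A callback whose state we never issued must be rejected before any exchange.
    other: Dict[str, str] = {}
    flow.build_login_url(other, "email")
    try:
        flow.handle_callback(other, "user-2", {"state": "forged", "code": VALID_CODE}, now)
        csrf_rejected = False
    except PermissionError:
        csrf_rejected = True
    return {
        "token": token.access_token,
        "usable_now": flow.token_for("user-1", now) is not None,
        "usable_after_61_days": flow.token_for("user-1", now + 61 * 86400) is not None,
        "csrf_rejected": csrf_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The `state` check is the part most often left out of hand-rolled callbacks: without it, a callback URL carrying someone else's code can be planted in a victim's browser and bind the attacker's Facebook account to the victim's session. Keeping the app secret and the exchange on the server is what the second answer means by the server-side flow; the client-side flow gets only the short-lived token and has no secret to exchange it with.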