According to Facebook - Authentication within a Canvas Page Document, they say that we will be getting a signed_request which consists a JSON object. Now they say that signed_request can be get through $_POST['signed_request'] I agree its working for me.

Now according to them if the user is logged in i will be getting a JSON object value like this:-

{
  "expires":UNIXTIME_WHEN_ACCESS_TOKEN_EXPIRES,
  "algorithm":"HMAC-SHA256",
  "issued_at":UNIXTIME_WHEN_REQUEST_WAS_ISSUED,
  "oauth_token":"USER_ACCESS_TOKEN",
  "user_id":"USER_ID",
  "user":{
    "country":"ISO_COUNTRY_CODE",
    "locale":"ISO_LOCALE_CODE",
    ...
  }
}

Now i want to fetch the user_id out of this so i am using this piece of code but its not working:-

if(isset($_POST['signed_request']))
{
    echo 'YES';
    $json = $_POST['signed_request'];
    $obj = json_decode($json);
    print $obj->{'user_id'};    
}

It just print the YES. Why is it so?

I have read somewhere that without app authentication i will not be able to extract the user_id but according to the facebook, this is the 1st step and authenticating the application would be 4th. I am new to it, if somebody can please help me, it will be of great help. Thanks.

I think it failed at json_decode($json) because $json is not a valid json string, as you've mentioned in comment about print_r($_POST['signed_request']);.

According to Facebook - Authentication within a Canvas Page Document, the signed_request parameter is encoded and, parsing the signed_request string will yield a JSON object.

if you're using the PHP SDK, just as Abhishek said in the comment, $facebook->getSignedRequest(); will give you the decoded json.

look here for more details on the Signed Request

If you don't want to work with the FB SDK you can use this snippet of code to get the user_id and other variables (snippet from https://developers.facebook.com/docs/facebook-login/using-login-with-games/)

function parse_signed_request($signed_request) {
  list($encoded_sig, $payload) = explode('.', $signed_request, 2); 

  // decode the data
  $sig = base64_url_decode($encoded_sig);
  $data = json_decode(base64_url_decode($payload), true);

  // confirm the signature
  $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
  if ($sig !== $expected_sig) {
    error_log('Bad Signed JSON signature!');
    return null;
  }

  return $data;
}

function base64_url_decode($input) {
  return base64_decode(strtr($input, '-_', '+/'));
}

Old post I know but wanted to add a reply to Art Geigel's answer (I can't comment directly on it).

Your code snippet is missing the line,

   $secret = "appsecret"; // Use your app secret here

and the complete snippet,

function parse_signed_request($signed_request) {
   list($encoded_sig, $payload) = explode('.', $signed_request, 2); 

   $secret = "appsecret"; // Use your app secret here

   // decode the data
   $sig = base64_url_decode($encoded_sig);
   $data = json_decode(base64_url_decode($payload), true);

   // confirm the signature
   $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
   if ($sig !== $expected_sig) {
      error_log('Bad Signed JSON signature!');
      return null;
   }

   return $data;
}

function base64_url_decode($input) {
   return base64_decode(strtr($input, '-_', '+/'));
}

To answer the original question

To get data from the signed_request, include the functions above and...

$data = parse_signed_request($_POST['signed_request']);

echo '<pre>';
print_r($data);

I think it failed at json_decode($json) because $json is not a valid json string, as you've mentioned in comment about print_r($_POST['signed_request']);.

According to Facebook - Authentication within a Canvas Page Document, the signed_request parameter is encoded and, parsing the signed_request string will yield a JSON object.

if you're using the PHP SDK, just as Abhishek said in the comment, $facebook->getSignedRequest(); will give you the decoded json.

look here for more details on the Signed Request