diff --git a/tornado/auth.py b/tornado/auth.py
index 05ac3d1e..edc3e5eb 100644
--- a/tornado/auth.py
+++ b/tornado/auth.py
@@ -996,6 +996,9 @@ class FacebookGraphMixin(OAuth2Mixin):
 callback=functools.partial(
 self._on_get_user_info, future, session, fields),
 access_token=session["access_token"],
+ appsecret_proof=hmac.new(key=client_secret.encode('utf8'),
+ msg=session["access_token"].encode('utf8'),
+ digestmod=hashlib.sha256).hexdigest(),
 fields=",".join(fields)
 )
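Review bot: The added `appsecret_proof` argument calls `.encode('utf8')` directly on `client_secret` and on `session["access_token"]`, so it assumes both are text; a caller that passes the secret as bytes would hit an AttributeError on Python 3 before the request is sent. If `tornado.escape` is available in this module (not visible in the hunk), `key=escape.utf8(client_secret)` and `msg=escape.utf8(session["access_token"])` accept either type. A short comment above the argument would also help the next reader, e.g. `# HMAC-SHA256 of the access token keyed with the app secret, so Facebook can reject a token presented without the secret`. The enclosing call and the definition of `client_secret` start outside the hunk, so where the secret comes from could not be checked here.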