So as I underestand it, the PROFILE-ID and access_token are returned from the oAuth session?
Yes you need to get the access token using OAuth. This is actually a little complex thing to do with Flash, but this looks good: http://blog.yoz.sk/2010/05/facebook-graph-api-and-oauth-2-and-flash/
The profile ID is the page ID where you're posting to, e.g. your name if you're posting to your wall and you have your name as the URL for your page.
If you're posting a hyperlink, may be you'd better use "link" argument instead of "message".