I thought it would be simple to use Graph API to read my own user profile or another signed-in user profile but no luck so far.
I created an Azure app with only the following:
a) Client Secret
b) Delegated API permission of User.Read only
I then used the following simple code to try to read my own profile but it returned (400) Bad Request even though I can see that a token was returned successfully.
I was wondering if I could use the same Azure app to read another user's profile provided that a sign-in prompt could be created to switch account.
Any thoughts?
The me endpoint requires a user context. You're using the client credentials grant type, which is for client apps to use in an app-only context. The app has no awareness of who "me" is, or what "your" profile is because you haven't provided a user.
For the app to read the profiles of other users in the client credentials flow, you need to add one of the MS Graph application-type permissions, and send a request to the https://graph.microsoft.com/v1.0/users enpoint
Get user API endpoint
Related
I want to write a process which downloads data about my ads.
Basically this is the code:
https://github.com/airflow-plugins/facebook_ads_plugin/blob/master/hooks/facebook_ads_hook.py
It construct a URI as:
https://graph.facebook.com/v{api_version}/act_{account_id}/insights?{payload}
Where payload contains the access_token, breakdowns, fields etc..
Now, I passed over the facebook dev guide https://developers.facebook.com/docs/graph-api/using-graph-api/ and it doesn't explain how do I get the account_id and the token.
It always leads to a user account that needs to log-in to facebook and then process the request.
I want to build a process that doesn't involve user action. Just download logs about my ads.
How can I do that? Where can I get the account_id and the token.
In other systems like google and other they create a json file with credentials that is used for the outh. there doesn't seem to be equivalent with facebook.
For this type of use case, I would create a System User that is permissioned on all your ad accounts, following this guide. That will allow you to generate a token that can used without user login. (You can do the same for your personal facebook account, but that requires you to pass app verification. This can be done without that.)
Then to get the account ids of all the accounts the system user is permissioned on, query the "me/adaccounts" endpoint, using the access token generated for the system user. The docs for that are here. You can use that to get a list of all the account ids.
Alternatively, if you only need one account id, you can get that straight from the facebook ads manager.
We have Rest Api created by Laravel 4 Php framework. We are using combination of scope and grant to prevent users accessing some resources. But we are having problem preventing one user accessing another user data.
For Example- in our application a user can log in using email and password and we use password grant type to create access_token.
user can see their access token by using browser debugging tolls. Now, that user can use postman or curl request with that access_token to get other users data. What is the best way to prevent user showing other user data ?
When user login into the system, create access_token with roles and permissions return that access token to the user. When user calls the API with the access_token, then check that users is having the permissions to access the requested data.
If that user not having permissions then return with some error message.
You can create filters for this, In which you can check access_token permissions.
Userful like for Laravel routing- http://laravel.com/docs/4.2/routing
Question: Is it possible for application which associated with business manager to obtain ads_management permissions and make server-to-server calls using appId|appSecret as access token.
If yes then what are the correct steps to obtain those permissions for an app?
If no then is there a way to get access token for the user with such permissions which never expires?
Details: As stated in FB documentation, in order to make server-to-server requests without need to obtain and refresh access tokens we may use pair of app Id and app secret in form of appId|appSecret.
Our application now has the following permissions:
- email
- public_profile
- user_friends
In order to make calls to Ads API our application has to have ads_management permissions. Currently we make calls to Ads API through user-level access token and this is not preferable for us as this token requires refreshes which must be done manually using browser interaction (we can't obtain access token programmatically)
You may be confusing App Access Tokens (which allow you to make calls on behalf of the app itself) with permissions (which an individual user grants you to act on their behalf) - you'll always need a user token to update things belonging to a user.
A user, who's an admin of the ad account you want to manage, needs to grant your app ads_management permission - once they've done that, the OAuth flow gives you an access token to make API calls on their behalf, and that token doesn't expire for up to 60 days (after which point they need to come back to your site/app while logged into Facebook for you to get an updated token)
In the context of Business Manager, that user must be someone that has access via Business Manager to the assets (ad acccounts and pages) you want to update via the API
If your app has Standard access to the Ads API, you can also use 'System Users' to make sessionless API calls to update the assets of the business: https://developers.facebook.com/docs/marketing-api/businessmanager/systemuser/v2.2
More info about login here:
https://developers.facebook.com/docs/marketing-api/guides/chapter-1-Setup-and-Authentication
https://developers.facebook.com/docs/facebook-login/access-tokens
I have an app and a user who has added that app and authorized it with permissions: read_stream and user_status. I've got a node js app running that's trying to make an API call (using only the app credentials) to pull the user's posts but I get the following error:
"A user access token is required to request this resource."
How can this be done without having to have the user login every time I want to pull their feed?
It can't; you need a user access token to access that user's data - the error message is fairly clear about this I think.
Check the Authentication documentation - you should be storing the users' access tokens and using those to make API calls on behalf of those users
On my app the user can sign to Facebook and the app then has the user's access token (say it's 'abc'), I want to use this token to create a user on my own server.
Is it safe to send this access token to my server (using SSL), then get the user's username and ID using https://graph.facebook.com/me?access_token=abc on my server and check that the application the token belongs to is mine with https://graph.facebook.com/app?access_token=abc. If it is my application I then store the user in my user's database and/or log them in.
Can this system be fooled? Can you think of a way someone could log in as someone else?
You should check out all of the Authentication documentation and the Oauth spec to see the different auth flows available
Broadly speaking, you can create a user on your server based on the access token, and be reasonably certain that when you get an access token from Facebook for the same user ID that it's the same person.
If you require very high security for the app you can take steps to ensure the user's access token wasn't produced via malware or the Facebook user being tricked, there's an example showing protection against CSRF in the Server Side Authentication documentation, and there's also a reauthentication flow you can use
I assume that you are using facebook sdk for this, if so the facebook sdk takes care of the security for you and you don't have to worry about a thing.Supposing that you are accessing the api without the sdk then there are two things that must be noted:
1) Auth token expires frequently(facebook has taken great pains to ensure that the user is protected)
2)Making a request with just auth token is not enough there are some other parameters that are needed that can't be faked especially if you are doing this server side since an extra layer is added that fb calls server flow authentication
3)On top of that there are a lot of permissions that are in place that the user has to give in order for an application to access some data.The link below provides a nice article on authentication you can take a look
https://developers.facebook.com/docs/authentication/
So long story short it is safe.