I have an oauth flow which allows users to grant the business_management permission to my application.
Our backend runs roughly the following code:
from requests_oauthlib import OAuth2Session
from requests_oauthlib.compliance_fixes import facebook_compliance_fix
facebook = OAuth2Session(
"<app_id>",
redirect_uri="<redirect_uri>",
scope=["business_management"],
)
facebook = facebook_compliance_fix(facebook)
authorization_url = facebook.authorization_url(
"https://www.facebook.com/{version}/dialog/oauth".format(version="v13"),
version="13.0"
)[0]
The authorization_url is returned to the front end and the user is presented with Facebook's Login Dialog. The user can select which businesses they want to allow access to.
Let's assume the possible business options are the point are
Business 1
Business 2
And the user grants my application access to both of them.
Let's say at a later date, the user is added to a new Facebook Business, let's call it "Business 3", if I re-generate a new authorization_url using the code above, Facebook's Login Dialog won't be invoked and the user cannot provide my app access to Business 3.
Is there any way to ensure that the Facebook Dialog is invoked every time, so that the user can select the new "Business 3", without revoking the existing access token?
Revoking an existing token is undesirable in our use case as the application provides the user with functionality for "Business 1" and "Business 2" which will be lost if the access token is revoked.
Related
I'm doing the Slack integration for my website, including allowing users to log in using the "Sign in with Slack" button. Ideally I would expect it only asks users to grant the identity.* permissions once, then next times when they click "Sign in with Slack", the authorization screen should only flashes then redirect to the next step (like with Facebook for example), but it keeps showing the authorization screen and users have to click the "Continue" button to grant the permission again and again. This is inconvenient for our users. Is there any way to make it prompting only once like Facebook? FYI my app is not publicly distributed to App Directory yet, could it be the reason?
No, it has nothing to do with being in the public App directory.
Slack Sign-in does not cache user logins like other OAuth providers doe, so if you want to avoid that users have to sign-in every time you have to cache user permissions in your app. e.g. by using cookies.
Here is how it works in principle:
After a user signed in successfully, store the information about that successful login in the cookie for that client.
When a client opens you web page again, check the cookie of that client for information about a successful login.
When you find the information show the user belonging to that client as logged-in (instead of showing the Slack Sign-in button).
Show an option for logged-in users to log out (optional)
What information you store about the user depends on what you application needs. If you just want proof about a successful login it should be enough to store the team_id and user_id. But you will also receive a new access_token for that user (not the same as the access_token for your app) as result from a successful login. (see below for a full example of what you receive from Slack)
Please keep in mind that cookies are stored locally on the client and can be viewed the user. So depending on your security needs it would be advisable not store any user related information (especially not the access_token) in the cookie directly. Instead store an ID that links to that data stored on the server by your app. (there are other approaches to this problem. but that is a different discussion)
Here is an example of what your receive from Slack after a successful login:
{
"ok": true,
"access_token": "XXXX",
"scope": "identity.basic",
"user":
{
"id": "U12345678",
"name": "Donald Dummy"
}
"team":
{
"id": "T12345678"
}
}
I try to get ads performance data using this api: https://graph.facebook.com/v2.5/{ad-account-id}/insights. User access token is needed when doing this request. I have several ad accounts. But one user access token is valid just for part of my ads accounts. The error message is "(#10) You do not have sufficient permissions to perform this action". Why? (I can access the dashboard report of all ad accounts.)
Every user access token is related to an app. I have two user access tokens which are generated with different apps. If I change to another access tokens, the ad accounts of which I can get performance data by api are different. So I guess this is related to apps by which user access token is generated.
Access tokens are made of up a user + app. Make sure both the user, and the app have access entity you're trying to access (in this case, ad account).
Also, when generating the token make scope includes the permission for ads_read
In Facebook ad-accounts, one can add other facebook accounts to create/view/manage campaigns. So a account "A" can have multiple ad-accounts under him. Though he is not admin of these accounts. The only extra privilege that admin of any ad-account has is I guess just to be able to view and edit Credit Card info.
Now the adaccount "A" has authorized my app with ads_management, ads_read permission. But using A's access_token I am not able to fetch campaigns of ad-accounts which are managed by A since A is not admin of these account. Which I think is wrong, since A is able to manage ads through Dashboard, using A's token I should be able to fetch campaigns through API as well.
I get following error:
{ "error": {
"message": "(#10) You do not have sufficient permissions to perform this action",
"type": "OAuthException",
"code": 10 } }
Can someone tell me If I am doing something wrong or is there any other way in which I can fetch campaigns of adaccount. I cannot make my user to login with each adaccount into my app. The user would login only with the one account he uses to manage all his other brand accounts.
Given the generic nature of the permissions error, this is not the one answer for everyone, but after wasting a significant amount of time on this, it turned out the problem (for me) was this:
I had been added correctly as an Ad Account Advertiser
I had not been added to the relevant Account Groups
When the second point was addressed, I no longer encountered the OAuthException: (#10) You do not have sufficient permissions to perform this action error. For reference, the Account Groups section is currently accessible via "Settings" in the Ad Manager left sidebar and is located under the "Ad Account Roles" section of the Settings page.
Facebook permissions revolve around users, not accounts. A user is given access to manage a set of adaccounts.
The adaccounts they are able to manage can be found by making a request to me/adaccounts on the graph. If you do not see the adaccount within this set, then the user does not have access.
Additionally, users have roles. The roles are as follows and can be read from the users connection on adaccount:
Level 1001, administrator access
Level 1002, general-user access
Level 1003, reports-only access
If the user has the role reports-only access the will not be able to read everything about an ad account.
Just ran into this issue myself.
The issue was that we couldn't add users as "Ad Account Admins" from the standard ad account interface.
Once we "claimed" the ad account using from the new business.facebook.com site the option to add a user as an Admin was available.
The option is under "Settings > Ad Accounts" at https://business.facebook.com
My account is admin of Ad Account but it cannot execute API: GetAdsUser() and GetCampaigns().
AdAccount adAccount = new AdAccount("act_{add-account-id}");
var adUsers = adAccount.GetAdUsers();
var campains = adAccount.GetCampaigns();
It throw an exception:(#10) You do not have sufficient permissions to perform this action.
What's happen with my account or my facebook application?
Within my facebook account, I see on my "App Settings" page here: https://www.facebook.com/settings?tab=applications that I have several "apps you use" such as: tripadvisor and 8tracks
How do I get my facebook "user access token" for each of those apps?
I don't own those apps, but surely I can retrieve my own personal "User access token" for each of the apps within my facebook account, right?
No - you can not do this. The access token is the association between your user and the application. It "belongs" to you just as much as it belongs to the application.
Think of it this way - if you were to obtain that access token, you would be able to perform actions as if it were the application performing those actions on your behalf. Any action performed using that token would be attributed to the application. You could "spam yourself" and any reports would be directed at the application that created that content.
The tokens are used for security - not only for your security but also of the application.
I have an app, and I can write to user's walls with it, having requested the publish_stream permission when they sign in.
I've also created a page and a group, and would like my app to be able to write to those. (Specifically, I want my back-end server to post some updates to those periodically, without a user being involved.) The ability to do this seems to be implied by the descriptions of the /feed parts of those here https://developers.facebook.com/docs/reference/api/page/ and here https://developers.facebook.com/docs/reference/api/group/ . However, I can't seem to find a way to authorize the app to write to these pages. Those docs say it can be done if you have publish_streams and manage_pages. OK, but how do I grant those to my app?
In the user case, you request those permissions when the user signs in via the OAuth flow. However, the page and the group never sign-in, so there's no way for them to grant the app permission. I looked around the settings pages for the group and the page, and couldn't find anything that will let me add the app. So how do I give the app the required permissions to post to the group and the page?
Found it!
http://developers.facebook.com/docs/reference/api/application/
http://developers.facebook.com/docs/howtos/login/login-as-page/
"Application Page Access Tokens
To perform the following operations as an Application Page, and not the current user, you must use the Application's Page access token, not the user access token commonly used for modifying Graph API objects nor the Application access token. This access token can be retrieved by issuing an HTTP GET to /USER_ID/accounts with the manage_pages permission. This will return a list of Pages (including Application profile pages) to which the user has administrative access, along with an access_token for each Page.
Note: Applications that are configured as Native/Desktop apps will not be able to make API calls that require an application access_token."
So:
I went to http://developers.facebook.com/tools/explorer/ and, as me, created an access token with "manage_pages" permission.
I then went to https://graph.facebook.com/$myname/accounts?access_token=$accesstoken
and it gave me a list pages and apps that I had given permission to. I copied the access_token from the relevant page, and pasted that into my code, so that the server-side create event code always used that access token.
And it worked!