The recommended way by fb is to get a token but the simple act of getting this token ties my personal account and an app created with it to my credentials. Is there a way for OSS projects to get a temporary or permanent token for their API login access without this connection back on a specific account?
There are 3 different tokens: App Token, User Token, Page Token. Only the App Token is not bound to a user, but you cannot do much with it.
Quite old, but still: https://www.devils-heaven.com/facebook-access-tokens/
Related
I am trying to use Github Oauth App for authorization purpose. No Authentication, no sign in with github.
I would like a user (having an account on my app) to link their GitHub account to my app's account. I understand the github web flow. Let the user authorize Oauth app for the first time. Get the authorization code. Fetch an access token using the code. And use that token to do git operations on user's behalf.
Now the thing I am unsure about is, what if the user logs out of my app and logs back in again?
Not a good practise to ask them to link accounts for each login.
Should I automatically do the Oauth flow again and generate a new access token for each login? If that is, why does Github Oauth App have an access token that won't expire? And why does Oauth app store multiple tokens for the same user, same scope? Why not remove the previous token and store the new one only? Because of this move by Github, I believe this is not the correct way to go. I don't know.
Or, should I store their initial token in the database, and use the same token forever? Is that a good practise? And if that is, how do I verify the scopes initially defined for that token is still the same? I couldn't understand this bit, reading through the Github documentation.
I hope I was clear enough. I couldn't understand this account linking thing.
My team have developed an App, in which we are using the Facebook Authentication Tokens to retrieve the data from a Facebook and then display it on our App and it is working fine.
The problem which I am facing is that if the Password of Facebook Account is changed then the API Token also become useless, which is an obvious thing.
But is it possible that when a user updates his/her Facebook Account Credentials then the API Token also gets updated? i.e. I don't want to go through the Token Generation Process, every time the password is changed.
No, that is not possible.
When the user changes their password, all their existing tokens get invalidated on purpose.
They will have to go through the login flow again, to create a new token.
I would like to add a new option to my application that allows users to post images to their Facebook albums or on the wall. As of now, the most unclear point is how to organize authorizaton process in the DESKTOP application. Official documentation says that I can use short-lived or long-lived access tokens. There is no any issue with getting short-lived access tokens, but I want my application to ask a user for login/password rarely.
I see 2 possible options.
1) Use short-lived access tokens
When a previous token has expired, I need to ask Facebbok for a new one, but for that I need user's login/password.
Questions:
1.1) Is it a good idea to store and encrypt somewhere on disk user's login/password and to ask Facebook for a new short-lived access token using user's credentials in the background (i.e. user won't see login form - this is hidden) ?
1.2) Is it a good idea to store and encrypt short-lived access token on disk to reuse it if a user just restarted application and token is still valid?
2) Use long-lived access tokens
This would be ideal for me. Even if access token has expired after 60 days, my desktop app will ask for a new one.
Questions:
2.1) Is it possible to get long-lived access token by DESKTOP application directly from Facebook? Is it needed to implement additional Web service for getting such token (I know that just server (not client app) can add app secret to request for long-lived token)?
2.2) Even if I able to get long-lived token from the Facebook directly, is it a good idea to store and encrypt it somewhere on disk for further reusage? How apps usually story it?
I will appreciate any HELP!!!
I use the Facebook PHP SDK to log in users on my website.
I was experimenting with the "long-lived" access token that expires after 2 months instead of 2 hours. Now I can't get rid of it. It is a problem for me, since it gives me access to the graph API even when the user is logged out of Facebook. I use that to determine if a user is logged in on my site, so it becomes impossible to log out.
I have tried changing the app ID and app secret, as well as deleting my facebook and app cookies, using other accounts, but nothing helps.
How can I get the 2 hour access token back, so I can't use the graph API when the user is not logged in?
The server-side authentication flow will always give you a long-lived access token.
If you want a short-lived one, then you have to use the client-side flow (FB.login from the JavaScript SDK).
Currently I have a option in my web page such that, on-clicking a button, Facebook login authentication dialog will be poped up as explained in http://developers.facebook.com/docs/authentication/#server-side-flow. I am using JavaScript SDK (FB.api) for this.
So on users successful authentication and app authorization, I will retrieve an ACCESS TOKEN for that particular user from the response. To avoid token expiration, I am using OFFLINE_ACCESS. Finally the token is saved in my local database and a cron job will use this token periodically to read users Facebook datas.
My problem is, as Facebook is going to deprecate the offline_access, is there any other way to have unique ACCESS TOKEN for a user (with out expiration time), such that the users will approve my app once and the cron job will use their token to read data on regular basis.
From this link: http://developers.facebook.com/roadmap/offline-access-removal I found that we can only extend the token expiration time.
Can anyone please suggest a solution for this?