In an Ionic app, I am using twitter-connect-plugin to enable users to authenticate to the app using their twitter account.
The result returned by this plugin includes the authenticated user twitter account Id, username and his picture.
In addition to these fields I also need to retrieve the email address.
I tried to use twitter API v2, by calling the https://api.twitter.com/2/users/:id endpoint. But from the v2 docs the email address is not included in the user fields.
In the Twitter API v1.1, the https://api.twitter.com/1.1/account/verify_credentials.json endpoint has the include_email parameter, but from the v1.1 docs it requires the user access token:
Please note - Your app will need to regenerate the user access tokens
for previously authenticated users to access their email address
Any idea on how to get the user access token in the v1.1 in order to use it in the GET account/verify_credentials request?
According to the documentation for that plugin, once you've called .login you get back a response.
The login reponse object is defined as:
{
userName: '<Twitter User Name>',
userId: '<Twitter User Id>',
secret: '<Twitter Oauth Secret>',
token: '<Twitter Oauth Token>'
}
You should be able to use the secret and token values from that response object to call the verify_credentials endpoint.
Note that this plugin appears to rely on Twitter Kit, which is no longer supported and may stop working in future.
Related
I'm building an app that allows users to sign up with facebook login. Facebook login gives us an expiring access token.
So far I've thought through having the phone app collect the facebook access token itself and it should POST it to the api. The api can search to see if it's seen this token before and if it hasn't the api should generate a new user account.
However the facebook docs mention that this token expires. If a user's token expires and they provide a new token to my api, the api will generate a new account for the existing user. How should I solve this?
Use the access token to access https://graph.facebook.com/me?fields=id, which will give you the user's unique ID for your application. Use that as the primary key.
You can try this out with the graph explorer tool https://developers.facebook.com/tools/explorer/
You'll get a response like
{
"id": "10123455041265200"
}
Docs https://developers.facebook.com/docs/graph-api/reference/user/
I need to get FaceBook access token using appid and app secret in C# windows application. Actually i did below coding, but getting app token only not getting the access token.
how to achieve to retrieve access token.?
FacebookClient client = new FacebookClient();
dynamic result = client.Get("oauth/access_token", new
{
client_id = "1498796747020950",
client_secret = "c50341f5b4e42a595f0791467f439e38",
grant_type = "client_credentials"
});
var accessToken = result.access_token;
The token that you are requesting is an app access token which can not be used with every API call (instead its usage is very limited).
Let me try to elaborate the access tokens and OAuth 2.0 to make the concepts clear.
OAuth 2.0
With the standard OAuth 2.0 implementation, the first step is to invoke the OAuth Dialog of the service provider (facebook)-
\GET http://www.facebook.com/dialog/oauth
Parameters-
client_id (APP ID)
redirect_uri (App's Redirect Url)
scope (permissions - optional)
Returns-
code (appended with the redirect url)
After the user successfully authenticated the app, a code is returned by the service provider(facebook) appended with the redirect_url passed. So you'll be redirected to-
{redirect-url}?code=XXXXXXXXXXXXXXXXX
We use this code then and request for the access_token-
\GET https://graph.facebook.com/oauth/access_token
Parameters-
client_id (APP ID)
client_secret (APP Secret)
code
redirect_uri
If you dont want to build this manual flow, you can use the SDKs that take care of this flow. It will just invoke the outh dialog and if success will give you the access token in response. Facebook provides official SDKs for iOS, Android, Javascript and PHP; also there are other third-party SDKs.
Now this will give us an access token, to be more precise- a user access token. This is only process required to obtain a user access token (i.e. user engagement is required). What you were requesting was an app access token, I'll now elaborate facebook access tokens-
Access Tokens
There are 3 types of access tokens to support different use cases:
User Access Token - The user token is the most commonly used type of token. This kind of access token is needed any time the app calls an API to read, modify or write a specific person's Facebook data on their behalf. I've explained the detailed process of obtaining this token.
App Access Token - App access tokens are used to make requests to Facebook APIs on behalf of an app rather than a user. This can be used to modify the parameters of your app, create and manage test users, or read your application's insights. App access tokens can also be used to publish content to Facebook on behalf of a person who has granted an open graph publishing permission to your application.
Except these there's nothing an app access token can do. And its like a password of your app so it is important that your app secret is never shared with anyone. This can be obtained by the API call that you have mentioned in the question-
GET /oauth/access_token?
client_id={app-id}
&client_secret={app-secret}
&grant_type=client_credentials
or directly from here, or simply use {app-id}|{app-secret}
Page Access Token- Page access tokens are used in Graph API calls to manage Facebook Pages. To generate a page access token, an admin of the page must grant an extended permission called manage_pages. Once this permission has been granted, you can retrieve the page access token using the following Graph API request:
/GET /{page-id}?fields=access_token
Reference
I'm not really sure if this all was significant to you but I hope it helps you clearing some doubts regarding the same.
If the app access token is significant to you, you can use it by any of three methods I've mentioned. If not, user access token is what required to you which cannot be obtained without user interaction.
All I can get is a Anonymous user token through the dev test users area on Facebook. So when I fire a POST to auth with my web application using the said token I get:
"error parsing": "Facebook.FacebookOAuthException: (OAuthException - #100) (#100) Tried accessing unexisting field (friends) on node type (AnonymousUser
Do I have to generate the token in code with the permissions request set, or is there a quicker way?
Have you creeated your test users via the endpoint
POST /{app-id}/accounts/test-users
as described in https://developers.facebook.com/docs/graph-api/reference/app/accounts/test-users#publish
I guess you have to manually "friend" two test users first, as describes here: https://developers.facebook.com/docs/graph-api/reference/test-user/friends I don't think that if you create a new test user, he'll automatically have some friends.
I assume you have registered an app at Facebook and you have your application client_id and client_secret.
Here are the steps to obtain an access token # Facebook and how you can use it:
https://graph.facebook.com/oauth/authorize?redirect_uri={your_redirect_uri}&client_id={your_client_id}
If you are not logged in Facebook, you will be redirected to Login page at FB. Upon successful login, you will be redirected to your redirect_uri(in the first request) and a query param code in the URI
Copy that code(auth_code) - it will be used to obtain an access token.
https://graph.facebook.com/oauth/access_token?redirect_uri={your_redirect_uri}&client_id={your_client_id}&client_secret={your_client_secret}&code={auth_code}
as a response you will receive an access token
Then you can use that access token to obtain your FB profile, for instance:
GET https://graph.facebook.com/me
plus Authorization: Bearer {access_token}
It is suggested that whether your app uses code or token as your response_type you should perform an automated check on the access_token to confirm that the token belongs to the person the app expects it to belong to and that it was your app that generated the token.
You are supposed to do this on
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
where app-token is app_id|app_secret and token-to-inspect is the user's access_token. Also, I think from reading the documentation you can retrieve an app-token by doing a client-credentials call with the app_id and app_secret.
This is fine with an authorization flow implemented server-side, but what if you're using the implicit method and chose response_type as token (and for whatever reason aren't using FB's javascript SDK)? How do you safely get that app-token without leaking your app_secret? How does FB's SDK do it?
You can generate an app_token in your Facebook developer panel here
and then simply save it into a config file server side. From the developer's page:
App tokens do not expire and should be kept secret as they are related to your app secret.
On my page, I use the following flow:
The user authenticates with the Facebook JS SDK, and then sends his
token + uid to the server.
The server validates that the given token
is related to the given person via a call to the "debug_token"
method, that you spoke of.
If the token + uid combination is valid,
it authenticates the user server side.
I hope this helps.
I receive an access token when a client allows my application on his facebook account. Based on that access token and an url I can print all his friends. I have a question: does this access token appears all the time the user logs in his application? i am asking this because the second time the user logs in in my application where i have a web browser the friend list doesn't pop up because the response from the site does not contain an access token anymore. where am i wrong? how can i check after the user accepts my app that he is online or loged in - if i want to prints his friends.
First thing: sounds like you want to add the scope offline_access because what you are trying to do is really leveraging the FB authentication mechanism.
Also: It is probably easiest to use the FB Connect button and the JavaScript Client API, unless you intend on using the graph or REST API from a back-end server.
If you ARE intending to use back-end API integration read this paragraph:
I have found it helps to ensure that you are using a proper authenticate URL (I use www.facebook.com/dialog/oauth but others have worked in the past..). Just don't use an authorize only URL, or users will be forced to grant permissions repeatedly (never really understood that 'feature'). Next redirect the user to the URL with a request token, and keep your request secret on the server side (or well encrypted if on the client side). After login, you receive the callback with an OAuth Verifier. Access verification URL graph.facebook.com/oauth/access_token with the Verifier and you will receive the OAuth Access Token. Save that token, as well as the user id.
As for checking that the current user is logged in, and/or has authorized your app and/or has friends using your app:
Have a look at FB Connect API:
http://developers.facebook.com/docs/guides/web/#login
call FB.init first, and then when you call FB.getLoginStatus, you will get an OAuth Token if the current user is logged in to FB and has previously authorized your app (either via the Connect Button or OAuth flow):
$wnd.FB.getLoginStatus(function(response) {
if (response.session)
var authToken = encodeURIComponent(response.session.access_token);
});
When executed in conjunction with the authenticate flow mentioned, users that have already authorized your application will get the same OAuth Access Token returned from previous calls, that you can use with the JS Client, Graph, or REST APIs.