too short FB accessToken in Kinvey _socialIdentity using kinvey-nativescript-sdk - facebook

I have working log-in process with Facebook using Kinvey MIC in my NativeScript app. I am able to log-in into the Kinvey and _socialIdentity record is successfully created. Due to the fact that I need to know also user's email registered with FB account (that is not sent in basic User response from FB), I need to query FB Graph API for that.
https://graph.facebook.com/v3.2/me?fields=id,name,email&access_token= + accessToken
If I use a accessToken stored in Kinvey's _socialIdentity, FB returns:
"error": {
JS: "message": "Invalid OAuth access token.",
JS: "type": "OAuthException",
JS: "code": 190,
JS: }
If I use accessToken generated by FB developers tool and hardcode it into my NS code, everything works well - I receive all requested info.
The difference I found is length of the accessToken:
accessToken stored in Kinvey has 40 characters but the one generated by FB tools has 247 characters.
Could somebody explain why FB accessToken in Kinvey's _socialIdentity is short/impossible for further use or how to get a valid accessToken using kinvey-nativescript-sdk?
Also if somebody achieved to get an user's contact email from FB account using kinvey-nativescript-sdk.
Thank you

Can you try adding client_token to the Allowed Attributes section of the Mobile Identity Connect service configuration?
That will create a new attribute on the kinveyAuth object (that is contained in the _socialIdentity attribute of the User entity), which will hold the access token that you are talking about.
Can you try that, and let me know if it works?
Edit: You can also try adding idp_access_token to the Allowed Attributes section. That will directly create an attribute to the kinveyAuth entity, which will hold only the needed token.

Related

How to display "from" fields in comments via Facebook Graph API

I would like to find the id (app-scoped) for someone who has posted a comment on a public page.
For example, I get a list of recent posts/comments on the NY Times page via:
v2.11/nytimes/feed?fields=comments.limit(10){message,created_time,from},name,message,from&limit=2
The data returned looks like this:
"comments": {
"data": [
{
"message": "Wouldn’t know. Not paying $13/mo for this.",
"created_time": "2017-12-10T05:57:18+0000",
"id": "10151412260164999_10151414049324999"
}
],
There is no from field. The same is also true if I attempt to view the comment directly using it's id with
v2.11/10151412260164999_10151414049324999?fields=from,message,created_time
I have tried using the Facebook Graph API Explorer, using both my User Token, as well as an App Token.
Since v2.11 of the Graph API, you need a Page Token to get user data of comments: https://developers.facebook.com/docs/graph-api/changelog/version2.11#gapi-90
User information will not be included in GET responses for any objects owned by (on) a Page unless the request is made with a Page access token. This affects all nodes and edges that return data for objects owned by a Page.
In other words: You can only get user information if you manage the Page.
Edit: Since the latests update in the Graph API, you have to get the App reviewed and you must go through Business Verification or Individual Verification. (thanx #Guiman04)
Please check whether you are using the accessToken for the page you are trying to get data from, i had same issue, and was resolved by using the correct accessToken for the page.

Viewing graph api via url not showing data

So I have been watching some tutorials about the facebook graph API, and one of the things in the video is to simply navigate to http://graph.facebook.com/youtube
and it should display a json response of their facebook likes etc. This is said to work without an access token?
But this doesn't seem to work, i get the following response -
{
"error": {
"message": "An access token is required to request this resource.",
"type": "OAuthException",
"code": 104,
"fbtrace_id": "DoY144sSuti"
}
}
Has something changed that you will need to always need an access token just to see peoples data, eg how many likes a page has?
Has something changed that you will need to always need an access token just to see peoples data, eg how many likes a page has?
Yes. Since API v2.0, all API calls (with the profile picture redirect being the exception) need to use an access token.
Public data about public pages can be accessed using an app access token; if the page is not public it needs a user access token for a user that can see the page, or a page access token. (More about the different types of token here: https://developers.facebook.com/docs/facebook-login/access-tokens)
This is said to work without an access token?
Then that tutorial is simply outdated.
Yes you will need the access token in order to view that Jason data in URL .
try this Instead :
https://graph.facebook.com/page-id/posts?access_token={your-access- token}
You will be able to see the posts now.Hope this would help you .

Posting on user's timeline on the behalf of the user

I created and APP on the Facebook.
Now I am trying to post a comment on the user's timeline using the Graph API but I cannot undestand what I need to do.
I already authorized the Application (I authorized this permissions: 'user_status,publish_stream,user_photos,email').
If I look on my profile -> privacy I can see that the APP can:
This app can: Post on your behalf
This app may post on your behalf, including status updates, photos and more.
Last data access:
Basic InformationToday
See details · Learn more
Posts on your behalf:
Who can see posts this app makes for you on your Facebook timeline?
Public
Notifications:
When to notify you?
The app sends you a notification
So this part seems OK.
On my application I do the following to try to post somenthing on my timeline (I need to post it when I am off line).
1) GET : https://graph.facebook.com/oauth/access_token?client_id=APPID&client_secret=*APP_SECRET*&grant_type=client_credentials
RESPONSE:
access_token = 422828347771671|UdQELQIf0N7krF4JUo7VwtPLTkk
2) GET: https://graph.facebook.com/search?q=myemail&type=user
RESPONSE:
_"error":_{
______"message":_"A_user_access_token_is_required_to_request_this_resource_",
______"type":_"OAuthException",
______"code":_102
___}
But reading the documentation (https://developers.facebook.com/docs/reference/api/#searching) it seems that this request does not need any kind of access token.
I also tried to add the access token, but the result is still the same.
3) I know my facebookid so I tried to use it directly:
POST: https://graph.facebook.com/100001139132403/feed
ARGUMENT:
access_token=422828347771671|UdQELQIf0N7krF4JUo7VwtPLTkk,
message=Hello
RESPONSE:
"error": {
"message": "(#200) This API call requires a valid app_id.",
"type": "OAuthException",
"code": 200
}
}
So I tried to add client_id=APPID and app_id=APPID, I tried to put one, the other and also both arguments as GET or POST but nothing changed.
I checked the APPId ad it is correct.
Do someone have any idea?
Thank you!
You cant simply generate a user access_token by querying to a URL. What you did gives the App access token and as the error say, you are trying to do something, that needs user access_token.
Refer and implement this : https://developers.facebook.com/docs/howtos/login/server-side-login/
And use that access_token for the rest of the processes.

Retrieving facebook user wall posts through graph API

I'm currently working on a facebook app which captures wall posts for a specified user, page or group, after a user has authorized the app I quote the access_token that is returned to call the method
https://graph.facebook.com//feed?access_token=
this works fine for pages and groups as we only need a valid token, however for users the results are different depending on the relationship between the user who authorized the app the user whose posts are being captured.
For example if there is no relationship between the two users some posts are not returned even though they are public and displayed when you view the profile of the user, however if they are friends more posts are returned.
Can someone please explain this behaviour? And is it possible to obtain all posts using this method?
Yes, per the permissions listed at https://developers.facebook.com/docs/reference/api/permissions the results of the call are different depending upon the relationship.
However when things are public and you use an access token that doesn't belong to the user, then no results are returned. I cannot remember a time when this wasn't this way. For some odd reason (by design or omission on Facebook's part) using the graph API to get at public posts using a user access token just doesn't want to work.
For example, You can see some public items here
http://www.facebook.com/zuck
http://graph.facebook.com/zuck
However, you cannot seem to get any feed from here without an access token
https://graph.facebook.com/zuck/feed
{
"error": {
"message": "An access token is required to request this resource.",
"type": "OAuthException"
}
}
Let's try adding an user access token that does not belong to zuck or a friend of zuck. https://graph.facebook.com/zuck/feed?access_token={UserAccessToken}
And here's what we get:
{
"data": [
]
}
What about an app access token? Let's try
https://graph.facebook.com/zuck/feed?access_token={AppAccessToken}
{
"error": {
"message": "Invalid OAuth access token signature.",
"type": "OAuthException"
}
}
So as you can see, it's difficult to get things via the graph that are not in alignment with your access token.
I manage to get most of the feeds from user's wall post. Although this is a old post, I hope someone can manage to get what they want from my answer.
Before getting the access token(to get the feeds), you need to add multiple correct Read Permissions "keys".
For example, you will have to add "read_stream", and "user_status" (which I found that these are the most important permission "key" to generate the correct access token, to retrieve one's so-called "public" feeds).
You can add more into generating the access token, in either you want the permission to GET, or POST, or BOTH.
Source is here: https://developers.facebook.com/docs/howtos/ios-6/#nativeauthdialog
One thing that I found is, the way to get the feeds result from user's "Home/About" page and Facebook Page (which is created for people to like (not add friends)) are different. The key is mentioned above, "read_stream", and "user_status". So it's better that you add both of the permissions in order to generate the access token to get everything in feeds.
Graph API doesn't return posts to the App if is not authorized to read user feed, even if posts are public.
Source: https://developers.facebook.com/bugs/290004301178437/
According to the latest api ,
FB.api("/me/feed","get",function(response) {//callback})
should do and also work well .
It is working now but facebook may change it in future.

Get application id from user access token (or verify the source application for a token)

I found this question, which has an answer, but facebook changed the token format since then, now it is something like:
AAACEdEose0cBACgUMGMCRi9qVbqO3u7mdATQzg[more funny letters]ig8b3uss9WrhGZBYjr20rnJu263BAZDZD
In short, you cannot infer anything from it.
I also found the access token debugger, which shows the information I am looking for if you paste a token in, which is nice, but does not help me do it programmatically.
Point is, if someone gets a token for a user, he can use it to access the graph, which is what I do in my application - I want to be sure that people are forwarding the token that was issued to them by my application, and not another.
My application flow is:
Get access token from facebook (nothing special, in the way it is described in here , Server-side Flow. (also iPhone and android and used, but they have similar flows if I recall correctly))
[device] <-> [facebook]
With that access token, the device will access my application server with the token
[device] <-> [Jonathan's application]
At my server I attach the access token to the user and use that to give permissions to that user in my application. (using the facebook connect to authenticate users)
My application is secured, and the access done is also authenticated regardless of facebook, BUT! in this flow, the a weak link I identified is that I cannot authenticate for sure that the access token I got was signed for my application - I do not like it because I cache the tokens for offline use, I want to be 100% sure they are for my application, with my permissions.
So what will be the (best) way to authenticate that the token I got is related to my application (for relation to user, I use the token to access /me and see which user this token is for)
I do not need to decrypt the token (i guess its some sort of AES), I am just looking for an endpoint that will tell me the token matched my application id.
(EDIT: Using the C# SDK, if it matters.. But a graph/rest call to give that info is just as good as well :) )
https://graph.facebook.com/app/?access_token=[user_access_token]
This will return the app this token was generated for, you can compare that against your app's id.
The official graph endpoint for inspecting access tokens is:
GET graph.facebook.com/debug_token?
input_token=[user_access_token]&
access_token=[app_token_or_admin_token]
Example response:
{
"data": {
"app_id": 138483919580948,
"application": "Social Cafe",
"expires_at": 1352419328,
"is_valid": true,
"issued_at": 1347235328,
"metadata": {
"sso": "iphone-safari"
},
"scopes": [
"email",
"publish_actions"
],
"user_id": 1207059
}
}
app_token_or_admin_token can be obtained using the Graph API call:
GET graph.facebook.com/oauth/access_token?
client_id={app-id}
&client_secret={app-secret}
&grant_type=client_credentials
The debug_token endpoint will fail if that user_access_token doesn't belong to the app that generated the app_token_or_admin_token.
Relevant facebook documentation:
Inspecting access tokens:
https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/#checktoken
App Tokens:
https://developers.facebook.com/docs/facebook-login/access-tokens/#apptokens
A documented way to ensure this is to use appsecret_proof.
GET graph.facebook.com/v2.5/me?access_token=[TOKEN]&appsecret_proof=[PROOF]
This verifies not only that it is a valid token, but also that the token belongs to the app. It also gets you user data in one go.
You can derive PROOF above in C# using this (from here):
public static string ComputeHmacSha256Hash(string valueToHash, string key)
{
byte[] keyBytes = Encoding.ASCII.GetBytes(key);
byte[] valueBytes = Encoding.ASCII.GetBytes(valueToHash);
byte[] tokenBytes = new HMACSHA256(keyBytes).ComputeHash(valueBytes);
valueBytes = null;
keyBytes = null;
StringBuilder token = new StringBuilder();
foreach (byte b in tokenBytes)
{
token.AppendFormat("{0:x2}", b);
}
tokenBytes = null;
return token.ToString();
}
ComputeHmacSha256Hash(accessToken, appSecret);
Why not to use official way of doing things? Here's the request from FB's own video about security.
Request:
https://graph.facebook.com/debug_token?input_token={token-to-check}&access_token={app_id}|{app_secret}
Response:
"data": { "app_id": {token-app-id}, "user_id": {token-user-id}, ... }
Link to an official video: https://www.facebook.com/FacebookforDevelopers/videos/10152795636318553/
I made a screenshot so that time is visible, and you can find more info if you are interested.