Verify Access Token Facebook? - facebook

I am wondering how to verify the access token that facebook generates on login in my server? Also what information it contains
I followed this page and did this
https://graph.accountkit.com/v2.7/me/?access_token=
but when I put my token in it says it is invalid oauth token
when I use this one I found
https://graph.facebook.com/app?access_token=
it brings back
{
"category": "Lifestyle",
"link": "http://localhost:3333/",
"name": "testapp",
"id": "2"
}
I am not sure if that is valid enough. I was hoping it would bring back user data as well.
Edit
I am using this react plugin to do the facebook login it comes back with
accessToken: ""
email:""
expiresIn:4863
id: "" // think this is userId as it is the same numbr as UserId Field?
signedRequest:""
userID:""

Related

Verify Access Token (Facebook) and fetch user profile details

I have integrated firebase on website and able to get the information.
Now need to validate the accessToken on server which is fetched from web.
1st Step
Generating access_token by using below api
https://graph.facebook.com/oauth/access_token?client_id=1234&client_secret=some_secret&grant_type=client_credentials
which gives below json
{
"access_token": "1234|some_secret_here",
"token_type": "bearer"
}
2nd Step
Now using the access_token fetched from 1st step. Need to fetch user details from facebook and also validate the accessToken fetched from website.
Using below api to do it.
https://graph.facebook.com/debug_token?input_token=accessToken_fetched_web&access_token=1234|some_secret_here
which results in
{
"data": {
"error": {
"code": 190,
"message": "Bad signature"
},
"is_valid": false,
"scopes": []
}
}
Not sure whats the issue. Can someone help me out to validate the accessToken & fetch the user details from Facebook

Non-Google Account Using chrome.identity

I'm trying to make a Gogle Chrome extension that requires user authorization to a SugarCRM 7.5 instance with OAuth 2.0 and I need to store the access token that's retrieved. I may need more clarification on how launchWebAuthFlow works.
Firstly, I can retrieve an access token from SugarCRM by using a POST request (not a GET request) that returns an access and a refresh token.
When I tried using the code below I kept getting the error: "authorization url can not be loaded" and when I checked the background console (I already know that my auth URL is wrong). Any help is appreciated even if you don't know SugarCRM. Just a general answer that can get me started is much appreciated.
manifest.json
{
"name": "Auth Sample",
"version": "1",
"manifest_version": 2,
"minimum_chrome_version": "29",
"key": "<long key>",
"app": {
"background": {
"scripts": ["background.js"]
}
},
"permissions": [
"identity",
"https://<sugar instance>/*"
]
}
Background.js
chrome.identity.launchWebAuthFlow(
{'url': '<url-to-do-auth>', 'interactive': true},
function(redirect_url) { console.log(redirect_url); });
My URL is definitely not gonna work here but it's something like this:
var client_id = '<client id from Oauth 2.0>';
var redirectUri = chrome.identity.getRedirectURL("sugarcrm");
var url = "https://<sugar instance base url>/rest/v10/oauth2/token?client_id=" + client_id + "&callbackURL=" + redirectUri + "&response_type=token"
What's the url-to-do-auth (is this the URL to do a regular login (username and password) to SugarCRM or is it a GET request through the REST API to do login)
I don't have a UI web auth flow for my SugarCRM instance. Is it possible to create one from the application or should that be on the server?
I can only make POST requests to get an access token. Will that still work with launchWebAuthFlow?
Update
I ended up storing the token using the local chrome.storage api and only stored the refresh token which will keep getting a new access token every time the application is run(I think it's more secure than just storing the access token as that will force it to always keep changing without passing other credentials)
After more search on launchWebAuthFlow. I found out that the url launchWebAuthFlow takes as parameter will launch a web page(with interactive parameter set to true) which is hosted on the server, that will let the user login and will return an access token if success. This url is actually an endpoint on the restful server. You need to create this endpoint that will be a get request with some parameters including a callbackURL, client_id and response_type. Then it will respond with another function that will be a post request and will take the username and password. If credentials are correct, it will return the access token as a parameter in the callbackURL(chrome extension specific url that contains the extension ID).
Please feel free to correct me or add something if I'm wrong.

Retrieving pages for a newly created admin user of a page returns empty

My applicaton uses this endpoint to retrieve a list of pages to which a user has access.
For my personal account, which is the admin of a page, it works fine:
https://graph.facebook.com/me/accounts?access_token=[accesstoken_for_my_personal_profile]
Results:
{
"data": [
{
"access_token": "<the access token>",
"category": "Record Label",
"name": "Page Name",
"id": "Page ID",
"perms": [
"ADMINISTER",
"EDIT_PROFILE",
"CREATE_CONTENT",
"MODERATE_CONTENT",
"CREATE_ADS",
"BASIC_ADMIN"
]
}
]
}
But when we create a totally new facebook profile (regular user, as per my personal one) - and get it verified using mobile phone / SMS based verification, it only ever returns blank here, despite being given page admin access to the same page and having requested an access token exactly the same way:
https://graph.facebook.com/me/accounts?access_token=[accesstoken_for_newly_created_profile]
{
"data": [
]
}
UPDATE
The access token permissions are also different.
So when calling https://graph.facebook.com/me/permissions?access_token=xxx, the bad user only has public_profile and installed as 'granted' - but the good user has all the requested permissions including 'manage_pages'.
The URL used to request the tokens in the first place is here:
https://www.facebook.com/dialog/oauth?client_id=[my_app_id]&redirect_uri=https://www.facebook.com/connect/login_success.html&scope=manage_pages,read_mailbox,read_stream,publish_actions,user_likes&response_type=token
This directs to a login page which logs in as the user for which we want a token.
Courtesy of #CBroe above:
The issue here was that since API v2.0 came in, requesting access tokens for users who do not have a role in the requesting app will not assign certain permissions (in our case 'manage_pages') unless the app has been reviewed.

How to get a Facebook access token that has enough rights to get the posts in which you're tagged in?

The Facebook posts in which you're tagged in - using #Name - appear in your wall feed.
A friend of mine posted a link and tagged me in it:
On the Graph API documentation, when I click on my wall feed link (Ctrl + F: Profile feed), I'm able to see this post:
...
{
"id": "XXX",
"from": {
"name": "XXX",
"id": "XXX"
},
"to": {
"data": [
{
"name": "XXX",
"id": "XXX"
},
{
"name": "Christophe Maillard",
"id": "XXX"
}
]
},
"message": "The startup Guide (cc XXX, Christophe Maillard)",
"link": "http://mashable.com/2012/06/27/startup-guide-1000-users/",
"name": "How to Get to Your First 1,000 Users",
"caption": "mashable.com",
"description": "With the help of some smart marketers and entrepreneurs, we're created a clear outline for attracting your startup's first 1,000 users.",
...
}
...
The URL of this feed is https://graph.facebook.com/me/feed?access_token=XXX.
When copy/pasting the given access token - the one replaced by XXX in the URL above - within the debugger, I get something like this:
As we can see, the access token is generated by the app Test_console which used quite a lot of scopes.
Then, I go to the Graph API Explorer, I generate an access token using the Get Access Token button, and I specify all the scopes the debugger gave me, i.e. the ones the Test_console app used to generate its working access token. Finally, I access the URL me/feed by submitting the GET request. The problem: I can't see the post in question in which I'm tagged in with the explorer.
I also have my own app, and it reacts exactly like the Graph API Explorer: I can't find that post in my wall feed using the Graph API as well.
Obviously, it's possible to get the posts in which you're tagged in using the Graph API, because the Test_console app is able to generate an appropriate access token. But how can I get such an access token for my own app?
You need to grant the appropriate permissions for your app. In the graph api explorer https://developers.facebook.com/tools/explorer?method=GET&path=me switch to your app in the applications field (top right) to see what permissions that currently grants your app (by clicking the "get access token" button again). Then make sure you add in the correct one (i think it's read_stream you're after ) https://developers.facebook.com/docs/authentication/permissions/

How to verify Facebook access token?

There's only thing that server has to do; just check any access token's validity.
Clients send to the server user id and access token obtained by FB.getLoginStatus. As I expected, there would be any URL that checks access token's validity, like http://xxx.facebook.com/access_token?=xxxxxxxxxxxxxxxxxxxxxxxxxxxx.
That returns whether it's available one or not or is there any API (server side) for that?
The officially supported method for this is:
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
See the check token docs for more information.
An example response is:
{
"data": {
"app_id": 138483919580948,
"application": "Social Cafe",
"expires_at": 1352419328,
"is_valid": true,
"issued_at": 1347235328,
"metadata": {
"sso": "iphone-safari"
},
"scopes": [
"email",
"publish_actions"
],
"user_id": 1207059
}
}
You can simply request https://graph.facebook.com/me?access_token=xxxxxxxxxxxxxxxxx if you get an error, the token is invalid. If you get a JSON object with an id property then it is valid.
Unfortunately this will only tell you if your token is valid, not if it came from your app.
Just wanted to let you know that up until today I was first obtaining an app access token (via GET request to Facebook), and then using the received token as the app-token-or-admin-token in:
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
However, I just realized a better way of doing this (with the added benefit of requiring one less GET request):
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app_id}|{app_secret}
As described in Facebook's documentation for Access Tokens here.
Simply request (HTTP GET):
https://graph.facebook.com/USER_ID/access_token=xxxxxxxxxxxxxxxxx
That's it.
The app token can be found from this url.
https://developers.facebook.com/tools/accesstoken
I found this official tool from facebook developer page, this page will you following information related to access token - App ID, Type, App-Scoped,User last installed this app via, Issued, Expires, Data Access Expires, Valid, Origin, Scopes.
Just need access token.
https://developers.facebook.com/tools/debug/accesstoken/
Exchange Access Token for Mobile Number and Country Code (Server Side OR Client Side)
You can get the mobile number with your access_token with this API https://graph.accountkit.com/v1.1/me/?access_token=xxxxxxxxxxxx. Maybe, once you have the mobile number and the id, you can work with it to verify the user with your server & database.
xxxxxxxxxx above is the Access Token
Example Response :
{
"id": "61940819992708",
"phone": {
"number": "+91XX82923912",
"country_prefix": "91",
"national_number": "XX82923912"
}
}
Exchange Auth Code for Access Token (Server Side)
If you have an Auth Code instead, you can first get the Access Token with this API - https://graph.accountkit.com/v1.1/access_token?grant_type=authorization_code&code=xxxxxxxxxx&access_token=AA|yyyyyyyyyy|zzzzzzzzzz
xxxxxxxxxx, yyyyyyyyyy and zzzzzzzzzz above are the Auth Code, App ID and App Secret respectively.
Example Response
{
"id": "619XX819992708",
"access_token": "EMAWdcsi711meGS2qQpNk4XBTwUBIDtqYAKoZBbBZAEZCZAXyWVbqvKUyKgDZBniZBFwKVyoVGHXnquCcikBqc9ROF2qAxLRrqBYAvXknwND3dhHU0iLZCRwBNHNlyQZD",
"token_refresh_interval_sec": XX92000
}
Note - This is preferred on the server-side since the API requires the APP Secret which is not meant to be shared for security reasons.
Good Luck.