I have a JavaScript script that fetches data of a Facebook Page URL and puts it in a form. It works perfectly as long as I am connected to my Facebook Developer Account, and that I use the corresponding App ID.
My question is: can I make this public? Without need to be connected to my Facebook account? I want users on my website to be able to use this feature but I can't figure this out, and I'm now wondering if it's even possible.
This concerns Pages specifically (not Events).
You either have to make users login to your app (so that you can use their access token to request the data),
or you need to move it to the server side, so that you can use either an app or a page access token (both of those should never be exposed in client-side code.)
Related
I build API for post on my community of VK. But I check my permission for my app, and I have all permissions, but not load WALL permissions.
In the scope for OAuth, I put all scopes and not work the WALL. I check the "Api.console" and they have "Access to Wall - The application has access to your wall", but in my app not appear.
This is the response:
{"error":{"error_code":15,"error_msg":"Access denied: no access to call this method","request_params":[{"key":"oauth","value":"1"},{"key":"method","value":"wall.post"},{"key":"owner_id","value":"-*********"},{"key":"from_group","value":"1"},{"key":"message","value":"New post on group wall via API."}]}}
I check other services and if work.
You can't call wall.post (and a lot of other methods) with a non-standalone applications. It seems like your VK application is of type Website or iFrame - they have limited access to the API methods.
However, while you can't call this method from non-standalone applications, can via the Open API (it's a JavaScript SDK for Website applications) or the JavaScript SDK for iFrame applications.
When you call wall.post via these SDKs, a confirmation window will appear where the user needs to confirm the wall post before sending it:
Standalone applications are designed to be used in apps like mobile or desktop clients or browser extensions (because they don't have CORS limitations and may read any tab). There is absolutely no ways to get a user's standalone access token without limitations if you are trying to authorize them via website.
If you are building website or something and need wall.post for service purposes (e.g. news cross-posting), then you may get your token and save it anywhere in site configuration. Open this address:
https://oauth.vk.com/authorize?client_id={APP_ID}&scope={PERMISSIONS}&v={ACTUAL_API_VERSION}&response_type=token&redirect_uri=https://oauth.vk.com/blank.html
{APP_ID} - your standalone application ID (may be found in application Settings).
{PERMISSIONS} - comma-separated list of permissions. Don't forget the offline permission to get token that doesn't expire.
{ACTUAL_API_VERSION} - VK API version.
Example:
https://oauth.vk.com/authorize?client_id=123456&scope=wall,offline&v=5.60&response_type=token&redirect_uri=https://oauth.vk.com/blank.html
Note that redirect_uri=https://oauth.vk.com/blank.html is required to get token without the above mentioned limitations.
After you grand your application access to your account, access token without limitations will appear in your browser address bar. Just copy it, save in your configs and feel free to call any methods you want.
Late but...for this you need to first create a sort of "demo" app for VK using the standalone app type which would issue you an access token inside the address bar when you set the redirect link to https://oauth.vk.com/blank.html
This access token would allow you to share to your personal profile wall.
Then you need to contact VK support and display your app in action. Once they approve it then you'd be able to use a "Website" app that has OAuth style authentication
I'm running a Classic ASP website, that has its own user authentication and login mechanism. For example, In order to remember a logged-in user, ASP creates an encrypted cookie and a 20-minute session for each connected user. If the 20 minute session is elapsed, the server revives the session from the cookie saved previously, and saves some data regarding the user to the database.
I want to to be able to allow users to connect with their Facebook or Google identity, but the mechanism used by Facebook or Google is based mainly on Javascript and on client-side code.
How Facebook or Google login can be used while maintaining server side code in ASP? (So that the ASP server can still manage the session and save data regarding it, for example whenever a session is revived)
For me somehow it seems that it may become less secure to use client-side authentication as the code may be altered easily. Isn't this the case?
If I use client-side javascript and log in with Facebook, how would I update the user data retrieved from facebook back into my database, for example the user's first and last name?
For me it sounds that it should be a "server-to-server" communication (between my ASP server and Facebook's or Google's servers) and what they propose is a "client-to-server" communication ... Any ideas how this can be done?
Any help or explanation would be very much appreciated! Thanks.
I'll try to address your Facebook-related questions one by one. However, I will not give you an implementation or any ASP-specific feedback, but only a rough approach. Additionally, I recommend that you study Facebook's documentation on Facebook Login extensively to further your understanding of the matter.
1. Facebook documents the server-side OAuth 2.0 flow in their Manually Build a Login Flow guide. Basically you redirect the user to a specific FB URL that (in the parameters) tells FB to render the "Login with Facebook" dialog, and which permission scopes to ask for. Once the user approves the Facebook Login for your webapp, they will be redirected back to your web app, e.g. with an OAuth token in the query string, that your webserver can then exchange for a user access token.
Once you obtained a user access token, you could e.g. store it in your web app user's session.
2. I don't know what you mean. Client side apps are fairly secure. Perhaps you can convince yourself about how secure JS apps are when reading about things like CORS.
3. If you only use JavaScript (e.g. Facebook's JS SDK) and you want to store e.g. app-scoped user IDs on your server, you need to expose an endpoint on your server that your JS application can submit that kind of information to.
4. You state
what they propose is a "client-to-server" communication
Who are "they", and where are the proposing this? The resources I linked to in 1. should explain how you can use Facebook login in a pure server-to-server way.
I have a scenario, where an authorised user through my application is posting status/uploading pictures via my application by granting required permissions. My application uses graph APIs.
Now, as app administrator if I want to see the content of the post, that the user has uploaded via my application. How do i do it?
I know in graph APIs, I have INSIGHTS api. But, it just gives us the statistics of the posts done via my app or user.
Can i really see the posts?
Assuming as an app admin I only have app access token and app ID. I dont store user access tokens with me.
Actually, I worked on the problem with every possible way. Found out that, even being an APP administrator I will need user access token (stored with me), without which these data shall not be retrieved via APIs.
My need was not to use user access token; But, no Its not possible via APIs as of now.
My question is related to, but not exactly, this question.
I am currently working on a business directory Web site (similar to Yelp), in which businesses have their own pages. Let's call this app DIRECTORY_APP.
Businesses might want to have their latest Facebook status update shown on their pages hosted on our directory. Let's pretend we have a business named BIZ_1. The assumption is that those pages are public pages.
Apparently the Facebook Graph API can be used for this purpose. So I can send a request to Facebook to retrieve the latest status updates for BIZ_1:
https://graph.facebook.com/BIZ_1_PROFILE_ID/posts?
access_token=DIRECTORY_APP_ACCESS_TOKEN
&callback=callbackName
However, if I use this from the client side, our Web site's access token will be exposed to the public, so this is not a reasonable solution.
Now in the aforementioned question, Anatoly mentions that we can retrieve the access token by sending this request first:
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET
&grant_type=client_credentials
However if someone inspects the Network log, this will also expose our Web site's access token (is this correct or is this a different type of access token?). This solution also exposes our web site's app secret (is this safe?).
So to summarize, what's a safe way in which I can retrieve the latest status update of a Web page from client-side without asking the browsing user to first log in to Facebook?
I can retrieve the latest status update of a Web page from client-side without asking the browsing user to first log in to Facebook
You cant do that without login.
And I guess access token is not exposed.
Maybe the smart trick here is to use a social plugin. The Like Box will do what you want, without any issues. But, it's not greatly customizable. Even so, it's possible to get it looking nice on a page!
It also skips any login issues you mentioned.
I found the answer after some Googling. In short, the answer is no.
And here's an excerpt from Facebook:
Security Best Practices
App Secret and App Access Token
The App Secret is used in some of the Login flows to generate access tokens and the Secret itself is intended to secure usage of your App to only those that are trusted. The secret can be used to easily create an App Access Token which can make API requests on behalf of any user of the app, which makes it extremely important that an App Secret is not compromised.
Therefore the App Secret or an App Access token should never be included in any code that could be accessed by anyone other than a developer of the app. This applies to all methods of code that are not secured like client-side code (such as HTML or Javascript) or native apps (such as iOS, Android or Windows desktop apps) that could be decompiled.
We recommend that App Access Tokens should only be used directly from your app's servers in order to provide the best security. For native apps, we suggest that the app communicates with your own server and the server then makes the API requests to Facebook using the App Access Token. For this reason, if your 'App Type' under Advanced Settings in the App Dashboard is set to Native/Desktop we assume that your native app contains the App Secret or an App Access Token in the binary, and we do not allow calls signed with an App Access Token to proceed. The API will behave as though no access token was provided.
If your App Secret is compromised, you should reset it immediately in the Basic Settings of your App Dashboard.
I am trying to understand, how facebook authentication works and how the flow should look like. I am working with Google App Engine and I have managed to obtain first the code and then access token. Using it I can for example retrieve user's friends list. This is all cool.
However, how can I store this access_token? I wan to allow my user to access different pages in my facebook app and I will need this access token on those pages. How can I store it and how can I retrieve it? Or maybe no matter which page user accesses I first need to get the code and then access token and only then can I perform some operations on his behalf?
I don't want to use javascript sdk for now. Is it possible to do it all from server side?
how can I store this access_token? I
wan to allow my user to access
different pages in my facebook app and
I will need this access token on those
pages. How can I store it and how can
I retrieve it?
just store the access_token in the datastore.
https://github.com/facebook/python-sdk/blob/master/examples/appengine/example.py
line 50.
It is from the facebook python sdk.
https://github.com/facebook/python-sdk/
If you don't want to use javascript sdk, you need to see this document. It has all details for facebook Oauth.
http://developers.facebook.com/docs/authentication/
While facebook redirect your user to your page assigned by redirect_uri. It will give your the code (A_CODE_GENERATED_BY_SERVER), then your server can get the user's access_token/facebook id with server side facebook api + code. Then you can login your user (set the session/cookie) and do whatever you want.