Assuming I satisfy the criteria to scrape FB legally which type of Access Token do I use when issuing the requests?
User Access Token
App Access Token
Page Access Token
Client Token
I'm using a typically configuration to scrape, a server running a daemon in cron. Ideally, it'd be un-associated with my personal FB account. I'm just trying to get information about user-specified public page's public events: location, title, description, start_time and end_time.
If I want to make the daemon not-specific to my personal account, or a page I need a client token, or an app token? But, unlike the app token the client token doesn't require OAuth? Which is what I want. The daemon will run on a secure server, so the secret won't be discoverable. Is that correct? Is the Client Access Token the best for my use case?
If you are scraping public pages with no interest in user data or information, all you need is the app access token. This will give you access to any publicly available info such as pages, events etc.
The easiest way to use an app access token is to append the App ID and App Secret as follows: app_id|app_secret
You can then use to access a public page, e.g.:
https://graph.facebook.com/page_id/events?access_token=app_id|app_secret
There is also no need to ever refresh or update the app access token unless you reset the app secret.
A good way to learn what data you can access with which token(s) and permissions is Facebook's graph explorer tool: https://developers.facebook.com/tools/explorer/
As far as which token to use, https://developers.facebook.com/docs/graph-api/reference/event/ suggests:
Any access token can be used to retrieve events with privacy set to OPEN.
A user access token with user_events permission can be used to retrieve any events that are visible to that person.
An app or page token can be used to retrieve any events that were created by that app or page.
Related
I'm creating a webpage for a business, I want to pull specific information via facebook (business hours, etc). I'm successfully doing that through Graph, however I have to regenerate a new token because they expire.
https://developers.facebook.com/docs/graph-api
Is there anyway for me to have a token that doesn't expire like an API integrator key would work with other integrations? I don't have an app and I don't want a user to log in, I can use my login creds to authenticate the webpage to access the access code if needed.
All of the information I read is that you have an app that has the user log in and generate an access token on their behalf.
(this is for 100% GET requests, no POST requests)
Each user who allow permission to my app will have an access token
or
One access token can handle actions, for example, upload photos to an user album?
I know that an access token can expire up to 60 days,
so do I need save this access token for each user on my database and when request comes from that user, load the access token for him?
Each user who allow the app will have an access token, which will include all the permissions user has granted to your app.Read more about user access tokens here
Each user who allow permission to fb app, will have different Access Token which will be unique.
The Access Token is generated on the basis of browser session from client, AppID and App Secret. In a web server based application, it is not absolute requirement to save application token for user. But application like HootSuite saves user credentials and access token for later use to get facebook feeds and other services.
So it depends on application requirement.
Thanks
Each user sends you another access token in context to use User session of course.
An access token is a random string that provides temporary, secure
access to Facebook APIs.
A token identifies a User, App or Page session and provides
information about granted permissions.
And in User Access context:
You can use this token to perform API calls on behalf of a user,
including reading, publishing and deleting, depending on the
permissions your app has. For example, you can retrieve a user's
friend list or publish a new photo to their timeline with a user
access token.
http://developers.facebook.com/docs/concepts/login/access-tokens-and-types/
Yes, you have to remember this access token if you dont want to reconstruct it. But in many API's this is done "automagically", for e.x. in PHP SDK the access token is stored in user cookie. If you implement more complicated user-flow, you have to remember access token OR regenerate it each time (http://developers.facebook.com/docs/concepts/login/login-architecture/). Remember, that access token will expire and you will have to regenerate it (on the faith of already granted permissions).
FYI: If you want to preserver offline access (executing application activities without user session), you will consider offline_access, but it is deprecated:
http://developers.facebook.com/roadmap/offline-access-removal/
Hope it revealed the problem.
I am creating a web application that is trying to use "public" Facebook content.
It is not your traditional "Facebook Application" because I'm not actually signing up Facebook users to use it, but the users will be all server-side.
I've come to a point in which I am having to use an "access_token" for certain "public" pieces of content and I have been able to generate a app access_token but this does not work for the public data I'm interested in accessing.
access_token's created via
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=client_credentials
do not work for
https://graph.facebook.com/chickfila/notes?access_token=CODE_FROM_ABOVE
which is publicly accessable w/o login here...
http://www.facebook.com/ChickfilA?sk=notes
Any way to give an app itself a user-level access_token?
I had a very similar problem with publicly available event data. What I had to do was to create an offline access token for the admin of the application.
So, log in with your admin and open the following URL (replace APP ID with your ID and eventually you need more permissions, but read_stream and offline_access should do the trick):
https://graph.facebook.com/oauth/authorize?client_id=APPID&scope=offline_access,read_stream&redirect_uri=http://www.facebook.com/connect/login_success.html
This will give you a code, that you will paste in the following URL (with your APP ID and SECRET):
https://graph.facebook.com/oauth/access_token?client_id=APPID&redirect_uri=http://www.facebook.com/connect/login_success.html&client_secret=SECRET&code=CODE
This will give you an access token that should work forever (or until you change your password).
Recently I used the access token freely available from the Facebook Graph Explorer which will let you browse different graph resources and will let you specify what permissions you need. For this you can tell it you want offline_access and that token can be used to pull this information whenever it is needed without worrying about your token expiring.
Create an user just for your app and let the user authorize your app and get the access token and use it for this kind of data fetching. Some manual work but as long as you have some user authorized access token you should be able get the public contents.
I wonder is it possible to access user's wall info without passing his/her access token?
for example, I will just pass my app secret token and app id. and FB user already allows to access his/her info from my app. Facebook does the checking and matching of my app and my app's user by just using my app secret token and app id.
Because I found some topics similar to that.
http://forum.developers.facebook.net/viewtopic.php?pid=9172
When I check Rest FB doc,it says like that.
http://restfb.com/javadoc/index.html
public DefaultFacebookClient()
Creates a Facebook Graph API client with no access token.
Without an access token, you can view and search public graph data but can't do much else.
I doubt that it will work or not without access token.
can everyone share me ideas or any possible similar approaches ?
Thanks.
You will need to ask the users to authorize your app for offline access. You will be able to access the user's wall even if the user is offline, but you still need the access token. It is part of Facebook's security measures.
There are two types of access tokens:
Session based: expires in a short term, are used when the user will be logged to FB every time you need to perform an operation.
Offline access: do not expire and allow the app to perform operations for the user in any moment. This requires the offline_access permission when the app is authorized.
Check here: http://developers.facebook.com/docs/authentication/ for the oauth mechanism and here: http://developers.facebook.com/docs/authentication/permissions/ for the permissions list.
The REST API is deprecated and it is strongly suggested that you don't use it anymore. Furthermore, from this October you will be allowed to use only the Oauth2 authentication (see When is Facebook turning off their session based auth?)
Without token you can only access public information.
Public data
From RestFB homepage :
// It's also possible to create a client that can only access
// publicly-visible data - no access token required.
FacebookClient publicOnlyFacebookClient = new DefaultFacebookClient();
If the user does not protect his posts, then you can access everything without token. But most of user do protect their data and then you need a valid user access token to read the data.
Private data
When you say "FB user already allows to access his/her info from my app" it means that the user has clicked on "Allow app" in the web browser and at that moment here Facebook will give you a token. You can after use that token with RestFB :
FacebookClient facebookClient = new DefaultFacebookClient(USER_ACCESS_TOKEN);
User user = facebookClient.fetchObject("me", User.class);
out.println("User name: " + user.getName());
By default, the token will expire a few hours later. If you ask for the offline_access permission, the token will be valid for ever (as long as the user does not remove the permission for your app in his settings). You should store that token in your database to be able to use it when you need.
Get the user token
You cannot get the user token with RestFB. On the RestFB homepage, you can read :
Non-goals: [...] Providing a mechanism for obtaining session keys or OAuth access tokens
Because you need a browser to do so : the user has to authenticate and authorize your app on Facebook website (the popup that shows).
What you can do is to have a PHP page on which your users have to go to authorize your app. You can read this stackoverflow answer that explains how to use the Facebook PHP SDK to do so.
Hope that helps !
Facebook changed their Graph API recently to require an access token. Therefore I quickly made a Facebook application to be able to retrieve an access token, use a URL similar to the one below, generated my access token and implemented the token in my iPhone application. Lately I have been thinking about if I have done something wrong. Should I request the access token everytime a user of my application retrieves data from the Graph API? I am starting to doubt whether or not the access token is unique to each user or just to the Facebook application.
Can I hardcode an access token into my application or should I make a request on the URL below every time I need to retrieve data through the Graph API?
I am generating my access token with the following URL:
https://graph.facebook.com/oauth/access_token?client_id=MYID&client_secret=*MY_SECRET*&grant_type=client_credentials
Access token granted by user have expiration time. If token expired then you need to request it again. But if you ask user to grant you "offline_access" permissions then you'll have almost not limited access token. You can store it in database or file and use next time.
Here FB documentation about permissions:
http://developers.facebook.com/docs/authentication/permissions/
Enables your app to perform authorized
requests on behalf of the user at any
time. By default, most access tokens
expire after a short time period to
ensure applications only make requests
on behalf of the user when the are
actively using the application. This
permission makes the access token
returned by our OAuth endpoint
long-lived.