Is it possible to programmatically authorize Facebook AdAccounts to be managed by an App? - facebook

I am currently developing an app to manage my clients' Facebook AdAccounts. The usual workflow is to, among other things, individually authorize each AdAccount I want my app to have clearance to, by use of the dashboard at https://developers.facebook.com/apps/. The usual path is you click on your app -> Settings -> Advanced and scroll down until you find the Advertising Accounts panel. Then you click on the top-right button called Ads API and use the modal to manually include the Ad Account IDs to which you want to have API permissions.
However, this app is intended to manage dozens or hundreds of Ad Accounts, and it's supposed to manage this programmatically, as per the app's requirements. I looked all over the place and couldn't find any endpoints or wrappers in any programming languages to do that and I've been stuck for a few days now... so I was wondering if you guys could help me somehow.

That place you're referring to only applies to apps with 'Development' or 'Basic' access to the API
If you apply for and receive 'Standard' access, that dialog isn't necessary, and your app can make API calls on behalf of any user who grants your app the ads_management permission
I.e., once a user grants your app access to their accounts, you use their access token to access any accounts they are able to manage, on their behalf; it's only in the lower access levels of the API you need to provide a fixed list of Ad Accounts you'll be managing

Take a look at the Business Manager APIs. They're intended for the use case you mentioned (managing other accounts).
https://developers.facebook.com/docs/marketing-api/businessmanager/v2.6

Related

When do I need to submit my app for Facebook review (when only reduced group of people will use it)?

I am creating an app that only a specific list of users will use, and I need Instagram Public Content Access permission (and some other permissions) for them (I have my Instagram Business Account all set up and connected with Facebook page).
On https://developers.facebook.com/docs/facebook-login/review/examples/#screencast there is stated:
You do not need to submit your app if it will only be used by you or
by a reduced number of people. Any account listed in the Roles tab in
your App Dashboard, such as admins, developers and testers, can access
all permissions and generate a user or page access token.
So I just want to make sure, that it is completely fine in my case to keep my app in development mode and let my users use it like this (so I don't need to submit my app for review as long as all the users are going to have their role assigned in my app), and that these permissions are not intended just for a limited time period or only for testing/development purposes.
Thank you for any answer.
What you quoted there, is applicable to permissions your app is going to ask its users to grant to it.
Instagram Public Content Access is not a permission, it is a feature. You need to get it reviewed, if you want your app to be able to access content that the users of your app do not have admin access to.
https://developers.facebook.com/docs/apps/review/feature/#reference-INSTAGRAM_PUBLIC_CONTENT_ACCESS

What's the best practice for whitelisting users when using OAuth via Facebook?

Facebook provides an OAuth authentication system for third-party apps but they appear to not provide any fine-grained user management capabilities.
This seems like a security problem. I need to be able to:
Disable or delete unused accounts
Disable or delete abusive users
White list users for early access to a new app.
But AFAICT FB provides no tool to do this.
I can probably hook off of the OAuth ID and put an entry in my database for the first two requirements, but I can't figure out how to white list Facebook users.
Google is unhelpful because all the results are about letting users manage applications their user account is attached to, and nothing about allowing apps to manage what user accounts they are attached to...
Usually it is a bad idea to delete or disable unused accounts, because maybe the user was inactive for a long time; this doesn't mean the user deleted or disabled his account.
On the other hand, you can't avoid malicious users joining your app via Facebook authentication. What you can do is detect suspicious activities with your own implementation (after Facebook accepts them to join your app), and suspend, block or disable those accounts on the server (blacklisting them), after the user has joined client-side and sent the required access-token (optionally request the ID) trying to be accepted by the server.
Whitelisting users may depend on the requirements of your application; you can check profile data and reject those that don't provide the requirements that your app needs (remember to ask the user for the fields that your app requires, like public profile, pictures, etc.; these must be accepted by the user before signing in).
Here's how you white list users for an app on Facebook:
Keep the app in Development mode
Add users from your friend network in the Testers role
When you are comfortable, open your application to the world.
AFAICT you cannot white list when your app is published, but that's the point of publishing. Also the whitelist is not a request-grant method, it's invite only.
The other requirement to delete or disable users you must handle yourself in your database. You would tie the user's status to the FB's unique ID.
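An added example, not part of the original answers: a server-side login gate that ties allow/deny decisions to the Facebook user ID, as the answers above describe. It takes the "data" object that the Graph API debug_token endpoint returns for the token the client sent; the APP_ID placeholder, the UserStore class, the sample response and the treatment of expires_at 0 as non-expiring are assumptions made for this sketch.

```python
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

APP_ID = "1234567890"  # placeholder for your own app id

# Constructed sample of the "data" object from /debug_token (not a real token)
SAMPLE_DEBUG_DATA = {"app_id": APP_ID, "is_valid": True,
                     "expires_at": 2_000_000_000, "user_id": "1000001"}

@dataclass
class UserStore:
    """Stand-in for the app's own database, keyed by Facebook user id."""
    allowlist: set = field(default_factory=set)   # invited early-access users
    status: dict = field(default_factory=dict)    # user id -> "active" / "disabled"
    allowlist_enforced: bool = True               # switch off at public launch

def authorize_login(debug_data: dict, store: UserStore,
                    now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one login attempt."""
    now = time.time() if now is None else now
    if not debug_data.get("is_valid"):
        return False, "token invalid"
    # A valid token issued to some other app must not log anyone in here.
    if str(debug_data.get("app_id")) != APP_ID:
        return False, "token issued for another app"
    expires_at = debug_data.get("expires_at", 0)
    if expires_at and expires_at <= now:  # assumption: 0 means non-expiring
        return False, "token expired"
    user_id = str(debug_data.get("user_id") or "")
    if not user_id:
        return False, "no user id"
    # The deny list wins over the allowlist: disabled accounts stay disabled.
    if store.status.get(user_id) == "disabled":
        return False, "account disabled"
    if store.allowlist_enforced and user_id not in store.allowlist:
        return False, "not on allowlist"
    store.status.setdefault(user_id, "active")  # record first successful login
    return True, "ok"
```

Because the decision is made on the server from the ID inside the validated token, a client cannot bypass it by supplying a different user ID alongside its token.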

IdentityServer usage with enterprise applications

I have read the IdentityServer documents and see that it aims to manage resource authorization. I want to learn whether I can use this for my enterprise API. For example, I have Finance and IT department controllers in my API. Should I create 2 scopes for them? If I do, after the login screen it will show the permissions screen, with Finance and IT checkboxes to check or uncheck. Can I hide these scopes from the user?
Scopes model resources, and then you can configure clients to be allowed to request access to those resources. So one reason you break APIs into different scopes is so you can configure which clients can access which APIs. So if you don't want your Finance apps to access the IT APIs, then yes, sounds like those would be two different scopes.
As for showing consent to the user, you can disable the entire consent screen per-client in the Client configuration. This makes sense when it's your client app accessing your APIs on behalf of your users (IOW everything is first-party).

What is needed to use ads_read permission in Facebook API?

I have a Facebook App that uses only one permission: ads_read. What is the simplest way to make it work when it comes to authorization? I see that there's an option to authorize particular ads accounts to the app, but is there any easier way for read-only access? I will have multiple ad accounts there and I am the admin of all those. I would like to be able to use them all without authorizing them separately from the Facebook GUI.
Is it possible?
You probably have "Development" access to the Ads API, if so, you need to do this manually at the Facebook App settings (Advanced option). The limitation for this is that you will be able to add your App only to other Apps that you admin.
If you want to allow other Apps you don't manage to use your App, you need a higher level of access.
You can see more info about access level here:
https://developers.facebook.com/docs/marketing-api/access
You can request a higher access level using this link:
https://www.facebook.com/business/standardadsapi
I hope it helps.

Facebook app fetching ads reports from business account

I can't figure this out, I hope someone here can point me in the right direction. I've searched for an answer but was unable to find it.
I want to create a Facebook app which would manage ads (download ads reports and statistics). I've got a user account, registered as a developer, and created and whitelisted the app. I've got only Development Access and that means I can query only ad accounts owned by the admins of the app, set up in the account list associated with your application.
Problem is that the account with ads is a business account so I can't add this account as part of developers team and get the statistics. I get permissions errors when trying to access the business account (I have access token and everything, it just won't let me see the ads data due to insufficient permissions).
Is there a way to do this without applying for Basic access (not sure if I'll get it since the app is not done)? Can't I really somehow connect my developer's account with that business account?
About access limits: https://developers.facebook.com/docs/reference/ads-api/access/v2.2#limits
Seems like this is working correctly - you can build and test the app against accounts administered by your app's admins/developers at first
Once it's working you can submit it for approval to the Basic access level, where you can manage more accounts, including those belonging to users who aren't admins/developers of the app
There's more information about the access levels and how to move between them in the Access levels documentation