Is there a way to request a new secret key for Facebook via the facebook API? Essentially I would be using my own secret key to request a NEW secret key, for key rotation purposes.
I looked through the Facebook API documentation but could not find anything about this operation. I suspect they won't support it, but I would just like to confirm that there isn't an automatable way to rotate your API keys? Thanks!
I assume you mean "Access Token" when you say "Key", and you are talking about "User Access Tokens"? That´s not possible, you can only get a new User Token on user interaction. More information:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
Not sure what you mean with key rotation, but the User Token is the only "Key" that can´t be valid forever, so i guess that´s what you are talking about...
Edit: Seems that you are indeed talking about the "App Secret", which can not be changed with the API but you can change it in your App settings. A rotation only makes sense if someone got your App Secret by accident or if some security issue happened. Better read this and only allow API calls server side: https://developers.facebook.com/docs/graph-api/securing-requests#appsecret_proof
Related
I am the administrator of a Facebook Page. I am building a web app which, under certain circumstances, will post on Facebook as that Page.
With most APIs, I would just get an API key, and supply that when connecting to the API from my app. But Facebook expects an access token instead of an API key. (Specifically, in this case, it needs a "page access token".)
I am trying to figure out how to get a page access token that will be as permanent as possible.
After jumping through a bunch of esoteric, undocumented hoops (see here and here) in order to get a token that wouldn't expire, I had this working. When I ran the token through Facebook's Access Token Debugger, the "Expires" field read "Never". All was good in the world.
But, the next day, my token became invalid anyway. The Access Token Debugger, and my app's calls to Facebook's PHP SDK, both started returning this error:
Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.
It seems that a token can become invalid for a variety of reasons (but this article is five years old, so who knows – Facebook changes things every two weeks). I had not changed my password. (I might have logged out of Facebook, though.) Facebook offers no specifics about why this particular token might have become invalid.
I've also seen a few references to a permission called offline_access, but Facebook seems to have removed this.
I suppose my question is twofold:
In general, I've found Facebook token authentication to be incredibly brittle when calling the Facebook API from the server. The token system seems to be designed mainly to allow other users to grant (or revoke) various kinds of account access to my apps. But that's not what I'm doing – I'm trying to get a token that will let me post to a page that I own. And for that scenario, Facebook's aggressive invalidation of tokens becomes a serious liability. I can't launch my app if my access token (and therefore my Facebook integration) could randomly stop working at any moment, requiring me to generate a new token and update the app. This seems absurd. Is there an alternative method of authenticating to Facebook for my purposes?
If a page access token is, in fact, the best way to authenticate my app to Facebook in order to post as my Page: how can I ensure that my token doesn't spontaneously become invalid?
I hate developing for Facebook :/ Thanks for any insight you can offer.
Extended Page Tokens are valid forever. They only get invalidated if you change your password or if you change the App Secret of your App. There´s really no magic in it, checking if the Token is still valid is obviously not a bad idea but that´s up to you. For example, you can send yourself an automated Email when there is an error using the Token, so you can refresh it. But it will really just happen if you change your password.
Links:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
so I'm trying to follow the docs in FB about creating and publishing custom actions
https://developers.facebook.com/docs/opengraph/using-object-api/
so I have an app with proper publish_actions permissions, I have the app access token so I try to create an object from with something similar like
("33333333/objects/app-namespace:action", "POST", array("object" => "{"title":"Chicken Enchiladas","image":"http://upload.wikimedia...", "access_token" => "LONG APP ACCES TOKEN"))
the acces token is correct, the user ID is correct, the namespace and the action is correct, an the rest of the params are correct, like I said I follow the docs, but I keep getting
(#10) Application does not have permission for this action
I wonder why???, should I only use user access token instead of the app access token, the docs mention I can use both if I have proper permissions, thanks for any help!!
Make sure,
TOKEN is an "App Token" and NOT a User "Access Token". For example, on the Graph API Explorer there are two buttons to get tokens. One for "App Token" and one for User "Access Token". Make sure you use "App Token".
POST is to "app/objects" not "33333333/objects". You don't actually specify the app-id. It already knows that from the token.
That should fix ya.
Creating objects is distinct from creating actions and 'publish_actions' permission is about the latter.
I do not know which permission you'd need for creating objects, but another solution to this problem is to inline your objects inside the actions. I.e., you'd be posting against a URL of the form 'user_id/app_namespace:action_name' rather than 'user_id/objects/app_namespace:object_type_name', while everything else stays pretty much the same.
We have a website where the only way to login and authenticate yourself with the site is with Facebook (this was not my choice). The first time you login with Facebook, an account gets automatically created for you.
We now want to create an iPhone application for our site and also a public API for others to use our service.
This question is about how to authenticate with our website from the app/API and is broken into 2 parts:
What is the correct way to handle REST authentication from an API to a website which only uses Facebook OAuth as an authentication method?
I have read and researched a lot about standard methods of authentication for REST API. We can't use such methods as Basic Auth over HTTPS, as there are no credentials for a user as such. Something like this seems to be only for authenticating applications using the API.
Currently, the best way I can think is you hit an /authorize end-point on our API, it redirects to Facebook OAuth, then redirects back to the site and provides a 'token' which the user of the API can use to authenticate subsequent requests.
For an official application that we create, we wouldn't necessarily need to use the public API in the same way. What would be the best way then to talk to our website and authenticate users?
I understand (I think) how to authenticate 3rd-party applications that are using our API, using API (public) keys and secret (private) keys. However, when it comes to authenticating the user who is using the app, I am getting rather confused about how to go about it when the only way we have to authenticate a user is Facebook.
I feel like I'm missing something very obvious, or don't fully understand how public REST APIs should work, so any advice and help would be greatly appreciated.
UPDATE: see below
I've been thinking hard about this question too. It's not entirely clear to me yet but here's the route I am thinking of going. I am creating a REST API an my users only auth with Facebook connect.
On the CLIENT:
Use the Facebook API to login and get an OAUTH2 code.
Exchange this code for an access token.
In every call to my custom API I'll include the Facebook user id and the access token.
On the API (for every method that requires user authentication):
Make a request to the /me Facebook graph using the access token from above.
Verify that the Facebook user id returned matches the user id passed to my API from above.
If the access token has expired additional communication is required.
I have yet to test this. How does it sound?
--- Update: July 27th, 2014 to answer question ---
I only use the above exchange once upon login. Once I determine which user is logging in, I create my own access token, and that token is used from that point going forward. So the new flow looks like this...
On the CLIENT:
Use the Facebook API to login and get an OAUTH2 code.
Exchange this code for an access token.
Request an access token from my API, including the Facebook token as a parameter
On the API
Receive access token request.
Make a request to the /me Facebook graph using the facebook access token
Verify that the Facebook user exists and match to a user in my database
Create my own access token, save it and return it to the client to be used from this point forward
This is my implementation using JWTs (JSON Web Tokens), basically similar to Chris' updated answer. I have used Facebook JS SDK and JWT.
Here's my implementation.
Client: Use Facebook JS SDK to log in and get the access token.
Client: Request JWT from my API by calling /verify-access-token endpoint.
MyAPI: Receives access token, verify it by calling /me endpoint of Facebook API.
MyAPI: If access token is valid, finds the user from database, logs in the user if exist. Create a JWT with required fields as payload, set an expiry, sign with the secret key and send back to the client.
Client: Stores the JWT in local storage.
Client: Sends the token (the JWT from step 5) along with the request for the next API call.
MyAPI: validate the token with the secret key, if token is valid, exchange the token for a new one, send it back to the client along with the API response. (No external API calls for verification of the token here after) [if the token is invalid/expired request client to authenticate again and repeat from 1]
Client Replaces the stored token with the new one and use it for the next API call. Once the token expiry is met, the token expires revoking access to API.
Every token is used once.
Read more answers about security and JWT
How secure is JWT
If you can decode JWT how are they secure?
JSON Web Tokens (JWT) as user identification and authentication tokens
I am trying to answer the same question and have been going through a lot of reading recently...
I won't have "the" answer but things are getting a little clearer for me. Have you read the comments in the article you mentioned? I found them really interesting and helpful.
As a result, and in the light of how things have evolved since the first article has been written, here's what I think I'll do:
HTTPS everywhere — this allows you to forget about HMAC, signing, nonce, ...
Use OAuth2:
When authentication requests come from my own apps/website, use this 'trick' (or a variation of it) described in a reply to the article mentioned before.
In my case, I have two types of users: those with classic login/password credentials and those who have signed up with Facebook Connect.
So I'd provide a regular login form with a "Login with Facebook" button. If the user logs in with his "classic" credentials, I'd just send these to my OAuth2 endpoint with a grant_type=password.
If he chooses to log in via Facebook, I think that would be a two-steps process:
First, use Facebook iOS SDK to open an FBSession
When that's done and the app is given back control, there should be a way to get a Facebook ID for that user. I'd send this ID alone to my OAuth2 endpoint with an extension grant understood by my server as "using an FB User ID".
Please note that I am still heavily researching on all this stuff, so that might not be a perfect answer... maybe not even a correct one! But I think that would make for a good starting point.
The idea of using an "extension grant" for the Facebook authentication might involve having to register it to do things properly? I'm not quite sure.
Anyway, I hope I was able to help you even a bit, and that at least it can start a discussion to find the best solution to this problem :)
Update
The Facebook login is not a solution as pointed in the comments: anybody could send an arbitrary user ID and log in as this user on the API.
What about doing it like this:
Show a login form with a "Facebook login" button
If this login method is chosen, act kinda like the Facebook SDK: open a web page from your authentication server, which will initiate the Facebook login.
Once the user has logged in, Facebook will use your redirect URL to confirm; make that URL point to another endpoint of your authentication server (possibly with an extra parameter indicating the call came from an app?)
When the authentication endpoint is hit, the authentication can securely identify the user, retain its FB User ID/FB Session and return an access token to your app using a custom URL scheme, just like the Facebook SDK would do
Looks better?
this might seem like a repeat of a question that has been answered elsewhere, but I have ran into those answers and they're not helping...
so I keep getting this response (from https://graph.facebook.com/oauth/access_token) on my final part of the oauth login process (I've acquired the "code" received after approving the app via the facebook authorization dialog):
{"error":{"message":"Error validating login secret. Since your application has a login secret in addition to a secret key, you must use the login secret and not the secret key with OAuth.","type":"OAuthException"}}
other answers to this question are mentioning disabling the 'Forces use of login secret for OAuth call and for auth.login' option in the app settings. however that option is not in my settings (settings->advanced). the same issue is mentioned here not able to get the access token
"login secret" as a concept is not being mentioned anywhere in the facebook api docs.
anyone have any ideas? I would really appreciate it...
thank you
addition:
Im not using any library but instead directly communicating with the FB api via python
I guess you are using old api, try downloading latest version form here.
Now fb do not have secret key concept.
Is it possible to decrypt Facebook's new OAuth 2.0 access_token ?
I need to somehow get user_id and app_id from the access_token.
PS:
I need to get the user_id and app_id ONLY from the access_token as Facebook Linter used to do.
As others have already pointed out, the access_token is a unique random string, so it cannot be decrypted as such. Also, we all know that the user_id and app_id are prerequesites to generate the token in the first place.
However, let's assume you stored your token(s) in a database and lost the associated user_id and app_id. In that case, it is a valid question on how to retrieve them having only the token at hand. If your token is still valid, this is possible. If it is expired, you're out of luck.
To retrieve the user_id, make a call to:
https://graph.facebook.com/me?fields=id&access_token=xxx
To retrieve the app_id, make a call to:
https://graph.facebook.com/app?fields=id&access_token=xxx
In both cases, the associated id's will be part of the JSON response, regardless of the access_token being an encrypted or unencrypted one.
Let's illustrate this with an example. Let's assume Mark Zuckerberg uses the Graph API Explorer to generate an access_token. Calling the /me endpoint gives you:
{
"id": "68310606562"
}
and calling the /app endpoint gives you:
{
"id": "145634995501895"
}
The ids you were looking for are part of the response.
Please note that this does not work with the access_token shown on https://developers.facebook.com/apps (not sure if this is a Facebook mistake or intentional). Please use the access_token that your app receives via OAuth.
If the access token is in the encrypted format, there's no programmatic way to determine the User ID and App ID.
I struggle to think of a legitimate way you could have come across an access token without already having those two pieces of information since presumably you know your own App ID and the User ID you stored the access token against.
Nevertheless, assuming there's a legitimate use-case for this:
a call to /me?fields=id will return the user ID and/or you can use the debug tool at https://developers.facebook.com/tools/debug to debug the other properties of the access token
Generally you use the access_token to access other data from your application. So for example, your application would authenticate the user then use the access token to access other functions in FB's API, such as the graph:
https://graph.facebook.com/me?access_token=<access_token>
There is no public way of decrypting an access token to get the user id and app id. This is also very likely a massive breach of Facebook policy.
To get an access token in the first place you have to have access to the user and the app id anyway so you shouldn't need to do this. If you don't actually have access to the user or the app id then my guess would be you probably shouldn't even have their access token and have probably obtained it 'illegally'...
This is actually a very simple task, if you look closely at the access token itself. It consists of 3 segments, separated by a pipe character, |:
APP_ID|SOME_STUFF.NUMBER-USERID|SOME_MORE_STUFF
I'm not sure what SOME_STUFF, NUMBER, and SOME_MORE_STUFF are; presumably timestamps, signatures, or other encoded data that facebook uses to keep track of the access_token's validity and so on.
Unless you've obtained the acces_token in question by fowl means, I don't see a problem with being able to access the APP_ID and USER_ID from them (and neither does Facebook, apparently). So all I'll say on that is be responsible :)
The other thing to keep in mind is that this isn't a standard or anything, and is subject to change. So, watch out for that, too.
you don't have to decrypt accesstoken
As far as AppID is concerned,you should get it from facebook whn you make an app there,its your id to connect to facebook.
facebook sends the userId along with accesstoken..
just check your cookies in browser or in oauth case check entire string returned when request for acess token.
Are you sure you're talking about the Access Token here and not the signed request?
When you're Facebook Application is loaded you have a signed request object, which has the information I believe you are looking for (however if the user has not authorized your application their user ID will not be in the signed request, Facebook security)
The only way currently available is to use to Facebook Access Token Lint Tool.
You can consider to automate the process.