Facebook API call insufficient privileges - facebook

I'm testing Facebook Ad Manager API from commandline curl.
To get the access token, I did this API call:
curl \
-F "client_id=$APP_ID" \
-F "client_secret=$APP_SECRET" \
-F "grant_type=client_credentials" \
https://graph.facebook.com/$API_VERSION/oauth/access_token
It returned successfully.
But then, when making this call to create a new campaign:
curl "https://graph.facebook.com/$API_VERSION/act_$ACCOUNT_ID/campaigns?name=$CAMPAIGN_NAME&objective=VIDEO_VIEWS&status=PAUSED&access_token=$ACCESS_TOKEN"
I always get an error:
(#10) You do not have sufficient permissions to perform this action
I guess that it must be caused because I did not granted the right permissions to the App. It is just a test app and I cannot find how to grant these permissions.
Thankyou very much for your help.

You ask for permissions with the scope parameter. It is a comma separated list of permissions: https://developers.facebook.com/docs/facebook-login/permissions
Permissions for ads are ads_read and ads_management.
HereĀ“s more information about building a manual login flow: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow

Related

Facebook device/login returning access token but without the requested permissions

I am sending a request to the Facebook device/login API via curl using a shell script as documented in the Facebook Login for Devices page:
curl -i -X POST https://graph.facebook.com/v14.0/device/login -F 'access_token=${app_id}|${client_token}' -F 'scope=ads_management,business_management,instagram_basic,instagram_content_publish,pages_read_engagement,pages_show_list,public_profile'
(The app_id and client_token are properly filled in.)
I get back the response such as
{
"code": "f4ee7axxxxxxxxxxxxxxxxec4b8e28eb",
"user_code": "PXXXXXXQ",
"verification_uri": "https://www.facebook.com/device",
"expires_in": 420,
"interval": 5
}
In my browser, I open a fresh private page and go to https://www.facebook.com/device, log in, and enter the user_code (e.g. PXXXXXXQ), and it completes successfully.
I then "poll" device/login_status via this curl command:
curl -i -X POST https://graph.facebook.com/v14.0/device/login_status -F 'access_token=${app_id}|${client_token}' -F 'code=f4ee7axxxxxxxxxxxxxxxxec4b8e28eb'
and get back a response with an access token:
{
"access_token": "EAAKxxxxxxxxxxxxxxxxxxxxxuuu",
"data_access_expiration_time": 1663078272,
"expires_in": 5183984
}
I then put the access token into the Access Token Debugger and find that it only has the two basic permissions of pages_show_list and public_profile. The other permissions are not granted.
I'm assuming I do not have my app configured properly. So far, the Facebook support has punted on the question so I'm turning here for help. I have "Enable Login for Devices" as the API page says in Step 1. I have "Facebook Login", "App Events", and "Instagram Basic Display" in my "Products" list. I don't see any warnings or flags on any of the app's pages. My "Test User" is a real Facebook user listed as in a Tester roll in the app.
Ultimately I want to use the Instagram media API. As a simpler test of the access token, I was trying to use the {page_id}?fields=instagram_business_account as a test and it wasn't working. Some pages suggest disconnecting and reconnecting the Instagram user and other things but I think the problem originates with the access token not having sufficient permissions.
I have also tried just requesting the permissions needed for the {page_id} and got the same results.
What changes do I need to make to get an access token via the device/login API that has more than just pages_show_list and public_profile permissions?

Facebook Graph API does not verify appsecret_proof correctly

I have a server application that receives a user access token from the client and generates an appsecret_proof. I would like to make a graph API call in order to verify that the received access token is valid:
curl \
-F 'access_token=<my access token>' \
-F 'appsecret_proof=<my appsecret_proof>' \
https://graph.facebook.com/me
However, when I omit the appsecret_proof field the request is still verified. In both cases the response is:
{"success":true}
If I intentionally pass an invalid appsecre_proof it works as expected:
{"error":{"message":"Invalid appsecret_proof provided in the API argument","type":"GraphMethodException","code":100}}
I have made the neccessary changes in the Advanced settings:
According to the Facebook documentation: "When this is enabled, we will only allow API calls that either include appsecret_proof or are made from the same device the token was issued to."
"Once you've changed that setting, an attacker will not be able to use stolen access tokens without access to your app secret."
What am I missing here?
appsecret_proof is not same as the APP SECRET KEY.
Based on FB documentation, this is how it needs to be obtained:
go to http://www.freeformatter.com/hmac-generator.html#ad-output
in the message area, put the access token
in the secret key, put the APP secret key
Choose SHA256 as the digest algorithm
Generate the HMAC
You can use this generated HMAC as the my appsecret_proof in (for example):-
curl \
-F 'access_token=<my access token>' \
-F 'appsecret_proof=<my appsecret_proof>' \
-F 'batch=[{"method":"GET", "relative_url":"me"},{"method":"GET", "relative_url":"me/friends"}]'
https://graph.facebook.com/me
Omitting the appsecret_proof field might help but in certain regions, FB API demands for it and this is how you need to provide it

How to programmatically publish to a facebook feed for a liked webpage?

I'm trying to get this to work: https://developers.facebook.com/blog/post/465/
Step 1: I'm getting an access token:
https://graph.facebook.com/oauth/access_token?type=client_cred&client_id=myAppIdclient_secret=myAppSecret
Step 2: I'm posting via curl
curl -F 'access_token=myAccessToken' -F 'message=Hello World!' -F 'id=http://example.com' https://graph.facebook.com/feed
Where myUrl is say http://example.com
I am getting this error, does not resolve to a valid user ID:
{"error":{"message":"(#100) http:\/\/example does not resolve to a valid user ID","type":"OAuthException","code":100}}
Step 3: If I first post my url to the linter, and get its ID:
https://developers.facebook.com/tools/debug/og/object?q=http%3A%2F%2Fexample.com
https://graph.facebook.com/10150096126766188
curl -F 'access_token=myAccessToken' -F 'message=Hello World!' -F 'id=10150096126766188' https://graph.facebook.com/feed
Then I get 'The user hasn't authorized the application to perform this action' error:
{"error":{"message":"(#200) The user hasn't authorized the application to perform this action","type":"OAuthException","code":200}}
From the Facebook Graph API docs:
Most write operations require extended permissions[1] for the active user.
See the authentication guide[2] for details on how you can request extended
permissions from the user during the authentication step.
1 https://developers.facebook.com/docs/authentication/permissions
2 https://developers.facebook.com/docs/authentication/
Going by the blog post this is done via an app, for this to work the app needs the extended permissions 'publish_actions' and 'publish_stream' in order to make posts/comments/likes/links

daily post to application users wall

i want to post daily note to facebook user profile which using my facebook application via it's own. how can i do it?
Since you didn't provide what language or what you've tried so far, these are quick tips to get you started:
Ask for the publish_stream permission
Then using your SDK or the technology you are using (source):
curl -F 'access_token=...' \
-F 'subject=This is a note' \
-F 'message=Test note.' \
https://graph.facebook.com/PROFILE_ID/notes
No need for the access_token parameter.

Facebook - How can i make API calls on behalf of a user?

Okay.. i got the offline access session key
Can some please tell me how can i update my FB status using the offline access session key i have ?
Looked in the Graph API and PHP SDK but nothing helps
I assume when you say 'offline access session key' you mean the oauth access token.
Take a look at the 'Publishing to Facebook' section here: http://developers.facebook.com/docs/api#publishing
There is even a short example using curl:
curl -F 'access_token=...' \
-F 'body=Hello, Arjun. I like this new API.' \
https://graph.facebook.com/arjun/feed