Since v 2.* of Facebook's login/oauth api, the UserName field has been dropped. Sad but fine (and yes, the reason was because of facebook email spam).
I've read about how some people are using the userId plus some other route to determine the username.
I thought it was https://www.facebook.com/<userId> which then does a redirect to https://www.facebook.com/<userName>. When I try this, I get a 404 :/
Also, when I retrieve my own user data from v2.4/me endpoint, I have a property in the json payload that is:
"link": "http://www.facebook.com/<myuserid>"
Trying that link also 404's. (Notice the http is not secure. going there does a 307 redirect to https ... but then I get the 404).
Can anyone tell me the route/endpoint I need to use, please? Or what i've done wrong?
You are not supposed to use the username for anything anymore, it is only possible to get it by scraping the profile page of the user, which is not allowed: https://www.facebook.com/apps/site_scraping_tos_terms.php
Some platforms are doing that, and you should report them to Facebook.
If you want to identify the user, just use the App Scoped ID you get after authorizing him.
Related
I've spent the better part of a day researching this and thought I could figure this out on my own, but no luck.
Here's the situation, I have FB authentication in a mobile app. This is working fine. A user can log in and I can access the public profile data, etc.
The issue is that I would like to have NEW users or first time logins to create new records in my private database, because I am looking to store more than email, and FB id. For example, favorite items. I can also accomplish this easily enough with a post to (www.mywebsite.com/api/users/).
So, the REAL issue is that I don't want to have a route that simply allows people to add users to my database, willy-nilly.
Is there a way to pass the access token to an API route to ensure that a user can only add a new user-record to the db IF they have a valid FB login?
I've set up the famous "auth/facebook" route that is popular on the web which also works great, until I access it from my app. It then throws X-origin errors (I believe in part due to the callback route).
this post was similar, but still doesn't quite cover it.
Authenticating against a REST API with iOS client using Facebook SSO as the only login mechanism
Please help!
Thanks,
Wayne
After another two days of digging, I found a rather simple solution.
The facebook graph API will allow you to submit the access token to recieve basic user data.
So my solution is now this:
1. Use cordova-facebook4 plugin to authenticate within the app. (You can find details here: https://github.com/jeduan/cordova-plugin-facebook4
2. Send the FB id AND authentication token to my server route, like this: `myapiserver.com:1234/auth/facebook/<token>/<id>`
3. On the server side, send an ajax request to https://graph.facebook.com/me?access_token=<token received from the
cordova plugin>. This will return the name and FB ID as JSON.
4. On the server, compare the ID returned from facebook to the ID sent with the request. If they match, add the new user, if not, do
not add the user and return an error. Of course, the server will
not allow a new account to be added to the system if that FB id is
already in use.
At this point, it seems that the worst harm that could be done is for someone to hack another person's FB account, get their token and ID and THEN use that to create a user on my system for that person. Which seems pointless enough that I'm not going to worry about those attacks.
Please comment if you know of a better solution or I missed a security vulnerability.
Ref: How to get the Facebook user id using the access token
when I do a get request to
https://graph.facebook.com/[userid]
with the access_token i get all the basic info
but when I do
https://graph.facebook.com/me
with the same token i get an error message: An active access token must be used to query information about the current user
I have tried to under stand what can cause that.
I even tried to token that comes with the signed request
I'm on classic asp, with JSON library, I want the auto to be server side if possible. the FB.api("/me" is working but it is not what i really want to achive
I am pretty sure you donĀ“t have a user access token. Did you login the user? Of course you get the public data of every user with your first link, even without any access token. You can even put it directly in the browser and will get results. But for "/me" you have to authorize the user to your app.
See here: https://developers.facebook.com/docs/howtos/login/server-side-login/
It is the same problem as in the other thread for sure, just a different Programming language.
Remember: If the user did not accept at least the basic permissions in a dialog or redirect, he is not logged in and you will never know anything about him in the app (except for some specifics in tab apps, like language, like-status and stuff).
We're using the Facebook JS SDK to authenticate users to our application, then sending that information to the server back end to log our user into the application (we support multiple forms of authentication but we can only support FB using a client side flow).
FB is able to log in correctly, I'm able to authenticate the user and everything else, but there's one wrinkle that I'm not sure how to handle, and I'm having difficulty finding anything in the documentation about it. Facebook sends back an accessToken in addition to an id. My question is, how do I verify on the server side that the accessToken is correct for the given id? I want to make sure that the data the user sends us matches what Facebook sent them, and I can't imagine this is that out of the ordinary, yet I can't seem to find any documentation on it.
In the response from Facebook should be a signed_request string that can authenticate that the data is genuine with and decoded to yield the user id and an oauth token for the user.
Passing this along with the other response to your server-side code should allow you to validate everything pretty easily.
May I suggest this answer from another question! It uses try-catch. It is probably the only way to verify that the authentication and the permissions are valid! That's how they do in their examples
Facebook OAuthException: (#1)
I dont think facebook provides any other way of checking
I've been trying to figure out a way to have my iframe Facebook app (built in PHP) work without requiring separate authentication methods. I am already logged into Facebook, but for some reason I still see all these Oauth notices from the example in the PHP SDK.
The only data I need is publicly available even without them "adding" my app. I am looking to collect their Facebook ID (since this is a contest, we need a unique ID for tracking), their name and (optionally) their email address as well.
The problem is, I cannot use the API to fetch the public information unless I already know their Facebook username. Any ideas on how I might be able to get their logged-in username or public handle so I can then fetch the rest of the information?
For whatever reason, Oauth is driving me completely insane with Facebook today.
Sidenote:
I did manage to technically get the Javascript SDK operational, which fed some information to PHP for use. The only issue there is that once I login, I don't see the data. If I refresh...then it shows up. Unsure why the refresh is required, as I wouldn't expect a user to actually have to hit refresh in order to proceed with the app.
I guess you are a bit confused here, Facebook will NOT share the username, id, full name or email without the user explicitly authorizing/allowing your application (and in the case of the email, requesting the email permission!).
Read the official Canvas Tutorial for more information:
In order to gain access to all the user information available to your
app by default (like the user's Facebook ID), the user must authorize
your app.
I feel like every second question i ask here is relating to Facebook Connect - that says a lot about their API. Anyway, that's politics, i digress..
I'm trying to pull back user details from the Graph API for use in my application (which is an FBML external website - JavaScript SDK for authentication).
I have requested the following permissions from the user: (using the regular dialog)
publish_stream
email
This works, and allows me to post to the user's wall, and grab their email from the Graph API.
But when i do a HTTP GET Request to the following URL:
https://graph.facebook.com/uid?access_token=oat (where uid = the user id of the user i'm attempting to grab details for, and oat = the OAuth token i have).
All that comes back in the JSON is the User ID (which i already have, since im putting it in the URL), and the email.
Why can i not get things like first name, last name, locale, etc?
Am i using the wrong URL? Is my OAuth token wrong?
I'm getting the OAuth token from here:
https://graph.facebook.com/oauth/access_token?type=client_cred&client_id=myappid&client_secret=myappsecret
UPDATE:
It looks like the issue is my OAuth token.
Because when i go to the docs: http://developers.facebook.com/docs/api
And use the sample OAuth Token for the user im trying to retrieve, it gets all the details.
Anyone know what is wrong with my OAuth token call?
So, i was using the wrong URL for the OAuth Exchange. It needed to be this:
https://graph.facebook.com/oauth/exchange_sessions?type=client_cred&client_id=myappid&client_secrete=myappsecret&sessions=userseshid
The URL that i WAS using was as per the doco, the above one that works is nowhere to be found.
I'm at the point with FBC that i no longer care about the how, if it works, be thankful that it does even that and move on.
EDIT:
Also, i was wondering why the Graph API calls would "stop" working for no reason.
The answer is i needed to compare the Session Key used to obtain the OAuth token, with the Session Key currently in the cookies. If they are different, i needed to get a new OAuth token.
The session key used for any OAuth token is part of the actual OAuth token:
aaa|bbbb|cccc
Where bbbb is the session key. So i just compare that before doing any Graph API calls.