Remove access for facebook app based on client_id - facebook

How do you remove access to a Facebook app based on the client_id it used?
E.g. assuming someone clicks on a link that looks like this:
https://www.facebook.com/dialog/oauth?client_id=client_id_string&redirect_uri=https://www.facebook.com/connect/login_success.html&scope=basic_info,email,public_profile,user_about_me,user_activities,user_birthday,user_education_history,user_friends,user_interests,user_likes,user_location,user_photos,user_relationship_details&response_type=token
and all they have is the client_id_string, how do they then revoke access via Facebook?

https://developers.facebook.com/docs/graph-api/reference/user/permissions
See "Revoking Permissions" in the docs. You can't remove the App itself, but you can remove permissions.
You can revoke a specific permission by making a call to a Graph API
endpoint:
DELETE /{user-id}/permissions/{permission-name}
This request must be made with a user access token or an app access
token for the current app. If the request is successful, you will
receive a response of true.

Related

Facebook doesn't take from my app the auth for user_posts

I've made an application that uses this scope (v. 2.4):
publish_actions,email,user_posts
When I try to authenticate my user (using the one that created the app) it shows me the three permissions to accept, correctly.
But when I use another user, it only asks to accept publish actions and email. user_posts is ignored. So I can't get the posts of that user. This is the endpoint for authenticating users:
https://www.facebook.com/v2.4/dialog/oauth?response_type=token&client_id=MyID&redirect_uri=MyRedirectURL&scope=user_posts%2Cemail%2Cpublish_actions
What should I enable to make the application work (i.e. all auth) for all users?
To be able to request permissions from all users instead of only the app's admins/developers/testers, your app has to pass Facebook Login Review.
It's all in the docs:
https://developers.facebook.com/docs/facebook-login/review

How do I grant my app permissions on pages or groups I created?

I have an app, and I can write to users' walls with it, having requested the publish_stream permission when they sign in.
I've also created a page and a group, and would like my app to be able to write to those. (Specifically, I want my back-end server to post some updates to those periodically, without a user being involved.) The ability to do this seems to be implied by the descriptions of the /feed parts of those here https://developers.facebook.com/docs/reference/api/page/ and here https://developers.facebook.com/docs/reference/api/group/ . However, I can't seem to find a way to authorize the app to write to these pages. Those docs say it can be done if you have publish_streams and manage_pages. OK, but how do I grant those to my app?
In the user case, you request those permissions when the user signs in via the OAuth flow. However, the page and the group never sign-in, so there's no way for them to grant the app permission. I looked around the settings pages for the group and the page, and couldn't find anything that will let me add the app. So how do I give the app the required permissions to post to the group and the page?
Found it!
http://developers.facebook.com/docs/reference/api/application/
http://developers.facebook.com/docs/howtos/login/login-as-page/
"Application Page Access Tokens
To perform the following operations as an Application Page, and not the current user, you must use the Application's Page access token, not the user access token commonly used for modifying Graph API objects nor the Application access token. This access token can be retrieved by issuing an HTTP GET to /USER_ID/accounts with the manage_pages permission. This will return a list of Pages (including Application profile pages) to which the user has administrative access, along with an access_token for each Page.
Note: Applications that are configured as Native/Desktop apps will not be able to make API calls that require an application access_token."
So:
I went to http://developers.facebook.com/tools/explorer/ and, as me, created an access token with "manage_pages" permission.
I then went to https://graph.facebook.com/$myname/accounts?access_token=$accesstoken
and it gave me a list of pages and apps that I had given permission to. I copied the access_token from the relevant page, and pasted that into my code, so that the server-side create event code always used that access token.
And it worked!

Is there a way to delete users for your Facebook Application?

There is documentation for test users in the Facebook Developer online documentation but how do you delete actual users where the application doesn't show in their app list anymore? This is with the knowledge of the access_token and facebook_user_id.
Used to delete Test Users:
https://graph.facebook.com/893450345999?method=delete&access_token=A2ADI1YMySweBABBGrWPNwKMlubZA5ZCrQbxwhtlEd9FIQUrOVjsGD3mnIWEbUhzDz7dkuBekMFdHvjvJ9CZAU7EMSSaZBsgN60FkMCi3AAZDZD
Running the test user link produces the following error:
"error": {
"message": "(#100) Can only call this method on valid test users for your app",
"type": "OAuthException",
"code": 100
}
You are looking for application de-authorization:
You can de-authorize an application or revoke a specific extended permissions on behalf of a user by issuing an HTTP DELETE request to PROFILE_ID/permissions with a user access_token for that app.
permission - The permission you wish to revoke. If you don't specify a permission then this will de-authorize the application completely.
To achieve this, issue a request to:
https://graph.facebook.com/me/permissions?method=delete&access_token=...
Once the application is de-authorized, it will not appear in the user's list of applications.
Update December 2021
Follow the reference for Requesting & Revoking Permissions:
To remove a single permission, issue a DELETE request to /{user-id}/permissions/{permission-name}, passing a user access token or an app access token.
To de-authorize an app completely, issue a similar request to the /{user-id}/permissions endpoint.
Real users 'delete' themselves from your app when they remove your app from their account, you don't have to do anything.
If you would like to know when users de-authorize your app like this, you can specify a Deauthorize Callback URL in your app's settings. As described in the docs at https://developers.facebook.com/docs/authentication/:
Upon app removal we will send an HTTP POST request containing a single parameter, signed_request, which, once decoded, will yield a JSON object containing the user_id of the user who just deauthorized your app. You will not receive an user access token in this request and all existing user access tokens that were previously issued on behalf of that user will become invalid.
UPDATE: To remove your own app from the user's authorized applications, issue an HTTP DELETE to https://graph.facebook.com/[userid]/permissions?access_token=... as per https://developers.facebook.com/docs/reference/api/user/.
Typically Graph API calls also support doing an HTTP POST with an extra parameter, method=DELETE, in case DELETE calls are not possible/supported.
To do it:
You must have the user access token.
Visit https://developers.facebook.com/tools/debug/accesstoken/ and debug the user access token.
Copy the App-Scoped User ID.
Make an HTTP DELETE API call to https://graph.facebook.com/[App-Scoped User ID]/permissions?method=delete&access_token=[YOUR-APP-ACCESS-TOKEN]
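
The Deauthorize Callback described above is only trustworthy if the signed_request is verified before the user_id is acted on. The following is an added example, not code from any of the answers: it assumes Facebook's documented signed_request layout (a base64url signature and a base64url JSON payload joined by a dot, signed with HMAC-SHA256 keyed with the app secret), which this page does not spell out, and the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def deauthorized_user_id(signed_request, app_secret):
    """Verify a deauthorize-callback signed_request and return its user_id.

    Raises ValueError on anything malformed, unsigned or signed with another key.
    """
    try:
        sig_part, payload_part = signed_request.split(".", 1)
        signature = _b64url_decode(sig_part)
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError("malformed signed_request") from exc
    expected = hmac.new(app_secret.encode(), payload_part.encode(), hashlib.sha256).digest()
    # Authenticate first, in constant time, and only then parse the payload.
    if not hmac.compare_digest(signature, expected):
        raise ValueError("signature mismatch")
    payload = json.loads(_b64url_decode(payload_part))
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    return str(payload["user_id"])

def make_sample(payload, app_secret):
    """Build a constructed signed_request for offline testing (not Facebook output)."""
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + body

if __name__ == "__main__":
    secret = "constructed-app-secret"  # placeholder, not a real app secret
    sample = make_sample({"algorithm": "HMAC-SHA256", "user_id": "1234567890"}, secret)
    uid = deauthorized_user_id(sample, secret)
    print("delete stored tokens and sessions for user", uid)
```

A callback endpoint that skips this check lets anyone who can reach the URL trigger account cleanup for an arbitrary user_id.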

Access "Public" Graph API resources from an app?

I am creating a web application that is trying to use "public" Facebook content.
It is not your traditional "Facebook Application" because I'm not actually signing up Facebook users to use it, but the users will be all server-side.
I've come to a point in which I am having to use an "access_token" for certain "public" pieces of content and I have been able to generate a app access_token but this does not work for the public data I'm interested in accessing.
access_tokens created via
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=client_credentials
do not work for
https://graph.facebook.com/chickfila/notes?access_token=CODE_FROM_ABOVE
which is publicly accessible w/o login here...
http://www.facebook.com/ChickfilA?sk=notes
Any way to give an app itself a user-level access_token?
I had a very similar problem with publicly available event data. What I had to do was to create an offline access token for the admin of the application.
So, log in with your admin and open the following URL (replace APP ID with your ID and eventually you need more permissions, but read_stream and offline_access should do the trick):
https://graph.facebook.com/oauth/authorize?client_id=APPID&scope=offline_access,read_stream&redirect_uri=http://www.facebook.com/connect/login_success.html
This will give you a code, that you will paste in the following URL (with your APP ID and SECRET):
https://graph.facebook.com/oauth/access_token?client_id=APPID&redirect_uri=http://www.facebook.com/connect/login_success.html&client_secret=SECRET&code=CODE
This will give you an access token that should work forever (or until you change your password).
Recently I used the access token freely available from the Facebook Graph Explorer which will let you browse different graph resources and will let you specify what permissions you need. For this you can tell it you want offline_access and that token can be used to pull this information whenever it is needed without worrying about your token expiring.
Create a user just for your app, let the user authorize your app, get the access token, and use it for this kind of data fetching. Some manual work, but as long as you have some user-authorized access token you should be able to get the public contents.

Get user approved permissions in facebook graph API

After I add a permission, the user has to remove the app and add it again, in order to grant new permission. The weird thing is that when I request a permission that the user hasn't approved, I don't get an error, but rather only an empty result set.
How do I check if the user approved a permission?
It is quite simple, as you can just use the Open Graph API to get that information:
https://graph.facebook.com/me/permissions?access_token=....
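
The permissions check above and the DELETE /{user-id}/permissions/{permission-name} call from the first answer combine into a least-privilege audit: list what a token was granted, then revoke what the app does not need. This is an added example, not code from any of the answers; the response row shape ({"permission", "status"}) is assumed from current Graph API versions and is not shown on this page, and the sample response, token and function names are constructed.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com"

def audit_permissions(response_body, needed):
    """Compare a GET /me/permissions response with the scopes the app needs."""
    rows = json.loads(response_body).get("data", [])
    granted = {r["permission"] for r in rows if r.get("status") == "granted"}
    return {
        "missing": sorted(set(needed) - granted),  # re-request before relying on them
        "excess": sorted(granted - set(needed)),   # candidates for revocation
    }

def revoke_request(user_id, access_token, permission=None):
    """Build (without sending) DELETE /{user-id}/permissions[/{permission-name}].

    With no permission name the request de-authorizes the app completely.
    """
    path = "/" + urllib.parse.quote(str(user_id), safe="") + "/permissions"
    if permission:
        path += "/" + urllib.parse.quote(permission, safe="")
    # The token travels in the query string, as on this page, so keep the URL out of logs.
    query = urllib.parse.urlencode({"access_token": access_token})
    return urllib.request.Request(f"{GRAPH}{path}?{query}", method="DELETE")

# Constructed sample response; the {"permission", "status"} row shape is an assumption.
SAMPLE = json.dumps({"data": [
    {"permission": "public_profile", "status": "granted"},
    {"permission": "email", "status": "granted"},
    {"permission": "user_photos", "status": "granted"},
    {"permission": "user_posts", "status": "declined"},
]})

if __name__ == "__main__":
    report = audit_permissions(SAMPLE, needed=["public_profile", "email", "user_posts"])
    print(report)
    for name in report["excess"]:
        req = revoke_request("me", "PLACEHOLDER_TOKEN", name)
        print(req.get_method(), req.full_url.split("?")[0])
        # urllib.request.urlopen(req) would send it; a successful call returns true
```

A declined or never-requested scope shows up under "missing", which is the case where the Graph API returns an empty result set rather than an error.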