On my site I ran some PHP scripts that imported Gmail contacts using Oauth 2, a few months ago it stopped working without me changing anything. Something must have changed with Google API and/or policy, can someone help me identify the problem ?
The initial url request looks like this (replaced my domain with example.com):
https://accounts.google.com/o/oauth2/auth?scope=https://www.google.com/m8/feeds&state=whatever&redirect_uri=http://www.example.com/import/gmail-callback&response_type=token&client_id=293090831245.apps.googleusercontent.com&approval_prompt=force
That prompts the user to accept/decline access to their data (looks good), once user accepts, it is redirected back to my site, here I make a request to get user's contacts based on the received token:
file_get_contents("https://www.google.com/m8/feeds/contacts/default/full?access_token=".$_GET['access_token']."&alt=json&v=3.0&updated-min=2004-03-16T00:00:00&max-results=3000");
But Google now replies with
HTTP request failed! HTTP/1.0 403 Forbidden
Any tips ?
I found the answer, some changes in Google Developer's console set the contacts API to OFF by default.
It worked after I logged to developer console and enabled contacts API:
Related
I have a mobile app that allows logging in with facebook, when a user logs in I pull their email from the graph api but I just got a couple of logins with email addresses with #tfbnw.net domains which I guess is for test users while developing on facebook. I didnt generate these so is this someone doing something shady to login to my app or just expected behavior for some users given their settings?
Mobile app coded in react-native, using expo
Those seem to be the internal facebook QA team going through your APPs and manually checking if you're following all facebook's guidelines.
Facebook auditing your app basically.... or at least they did to mine because right after those #tfbnw.net email registrations came in, I checked my facebook app settings and sure enough, I got an alert and an email shortly after. But never received those #tfbnw.net emails before today on any other facebook logins.
I have checked my account and it looks like a generic test user Open Graph Test User gets created automatically, according to which product you enable in your app. It gets created for example, if you enable facebook login or messenger platform.
not something shady IMHO
I'm trying to implement signin/-up via facebook, but do not receive email address on request. Sure, I've grabbed the email permission before, but no success.
So I tried with FB Graph API Explorer and again my private account. Yes, access token with email permission, but no email will be delivered, instead "Field is empty or disallowed by the access token".
Access token? Just created, with email permission.
Empty? How could it be, when it is required on signup?
Using a different account of a friend, worked like a charm. Could it depend on my account settings?
Even if the permissions are given, a user can turn Platform off in the Apps Settings. Check the settings and permissions your App is showing, here: https://www.facebook.com/settings?tab=applications§ion=opt_out&view
If its alright, you can follow this discussion: Register with Facebook sometimes doesn't provide email
Thanks for answer. I spent a lot of time to figure out what is going on. It seems, that my email address caused the problem, which is facebook#mydomain.com. After changing to a different one, without facebook in it, I get response as expected.
I have the following use case
My application on iOS is using the FaceBook iOS SDK to authenticate with FB
The application then make a REST call over https to my server to register the FB account to their service account (the service I am offering)
In step 2 the client is sending the FaceBook UID.
My problem is that the server has no FB integration so has to reply on the client sending the right FaceBook UID.
So the problem is obvious, a hacker can attach someone else FaceBook account to their service account .
What I would like is for the server (Java) to be able to validate that the user who is sending the request owns the Facebook UID in question.
I have been searching online and cannot find anything that I think will work.
I came across a vague post about using the FB signedRequest field, this could be passed to the server to validate the user.
Any idea would be appreciated.
Here is a thought:
Once you authenticate the user in your iOS app, get the access_token, and pass only this in your REST call to your server.
On the server side, make a request to https://graph.facebook.com/me?access_token=... using the access_token that you transmitted. If the access token is valid, you will get all the the user's data proving that you have a valid, authenticated user.
If you wanted to be extra sure, you can also request http://graph.facebook.com/app?access_token=... to be sure that the access token was created by your app.
I'm trying to get an auth token for a user using OAuth.
Everything works fine and I'm getting the token wonderfully when the users tries to access the app using HTTPS, meaning from https://apps.facebook.com/APPNAME . However, if the user is coming from HTTP (which most users are) I get a 400 error from facebook when trying to get:
https://graph.facebook.com/oauth/access_token?code=XXXXXXXX-XXXXXX-XXXXXXXXX&client_secret=YYYYYYYYYYYYYYYYYYYYY&redirect_uri=https://fb.myapp.com/fb_connect/&client_id=ZZZZZZZZ
{
"error": {
"message": "Error validating verification code.",
"type": "OAuthException"
}
}
Why is this happening?
We have experienced a similar issues since Facebook began to require SSL certificates on apps.
OAuth 2.0 works correctly with PHP SDK 3.1.1. If you are using earlier versions, go to GIT HUB and upgrade.
However, even with 3.1.1, signed requests return NULL from http:// when Facebook users have not enabled secured browsing.
Solution is to 1. use javascript to add a redirect at the top of your script or 2. add a (a href =https://your app url*) link somewhere.
There is a major flaw in FB as all of FB links in the left side page menu are http:// when user has not enabled secured browsing.
I had the same problem but I found out that it was because the user did not confirm the e-mail address yet. So you won't get any token for a new user that has not confirmed his email address. Just in case, I thought it was useful for this topic.
A problem for me with the "Error validating verification code" were the redirect_uri.
Between the request for user authentication (returnung the code) and app authorization/authentication should be the same.
We are getting troubles using Facebook Connect Graph API within a SharePoint Portal, We are facning problems while getting Access_token from cookie.
before, it was gotten from cookie and It did not come encripted like 'AAAD4Ta4Jx2MBANUYTxUZCAj6vgwON1SmgUZCpyYZAFDPj9eN679kaTuG7' but one week ago the code we get comes with that extrange format and it is not possible to get info of the user.
now, we have changed the way that we get access_token bye sending the encripted code to https://graph.facebook.com/oauth/access_token?... but we always get a bad request.
Could you please indicate us. what have changed in this API recently, why did it use to work before and not now.
Facebook is now sending encrypted access tokens as part of their switch to SSL and Oauth2.0. This is mentioned on their Facebook Roadmap. They work just like normal tokens. Use that token to call /me to get the users info, as you can't parse the user id from the token anymore.