How to revoke a given Facebook token? - facebook

I'm using OAuth authentication to obtain a token from a Facebook user. My application edits - among other stuff - their Facebook pages. With that token I obtain a permanent token.
The user can unlink its Facebook account from my app. When a user does so, I like to invalidate the token and remove my app from the users apps. It this possible?

Have a look at https://developers.facebook.com/docs/facebook-login/permissions/v2.0#revoking You can use
DELETE /{user-id}/permissions
to revoke a user's login to your app.
Furthermore, there's a section in the app's -> settings -> advanced screen where you can specify a so-called "Deauthorize Callback URL". This URL will be called by Facebook if a user actively disconnects your app from his profile settings. Unfortunately I can't find any docs on Facebook concerning this anymore. But there's a question about that here on SO: Facebook user deauthorizes the app

#tobi solution didn't work for me, I had to pass the access token.
DELETE /{user-id}/permissions?access_token={access_token}

Related

Do review required if we want to get Facebook Page like count (Without Facebook login) by Facebook app token?

I am doing a static web page in my website, in which I am showing the like count of particular Facebook page. There is no kind of login required to see this web page. Also, I don't want to user to login with their Facebook account to see the Facebook page like count.
I have implemented this requirement by using Facebook app token.
API: "https://graph.facebook.com/PAGE_ID?access_token=APP_TOKEN"
But the problem here is, If I use the app token of already approved app by Facebook with some permissions (manage_pages) exists, it works. It is not working for the app token of newly created Facebook app.
I have sent the app for review to Facebook by requesting manage_pages permission, but they rejected the app and said that my website doesn't have the Facebook login functionality implemented.
Since it is not documented clearly, I have a doubt that do the app need to send for review if I want to get the Facebook page like count without Facebook login (By using Facebook app token)? If yes, what permission do I want to request?
Any help would be much appreciated.
First of all, you need to learn what Tokens there are:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
For your problem, you can just use an App Access Token. There is no need for any permission or Login Review, the links above tell you exactly how to create one. Make sure you never use the Token on the client, especially because it includes the App Secret. Do the API call on the server only (file_get_contents or curl, if you use PHP).
If by "it does not work" you mean that you only get the id and the name, then it´s not about "not working", you need to read the changelog and search for "Declarative Fields": https://developers.facebook.com/docs/apps/changelog#v2_4
So if you want to get more than just id and name, the API call would be like this: https://graph.facebook.com/936299239766048?access_token=YOURAPPTOKEN&fields=id,name,likes,...

IOS SDK Facebook SSO - User logs out from Facebook outside app?

The instructions on using Single Sign-On (SSO) with the Facebook IOS SDK are to save the access token and expiration date in fbDidLogin and use them on subsequent calls to avoid unnecessary logins.
But what if the user logs out of Facebook outside the app (e.g. in the Facebook app or in Safari)? The app doesn't know about this, so it tries to use the saved token and expiration date, and to my surprise - they are still valid and the app can access the user's data even though the user has logged out.
Any way around this?
no, there is no way to do this. each FB login a user makes is specific to the client they logged in with. A FB login is not universal across all clients. The FB token you get from the SDK is a token for that user with your app. So if a user logs out of FB in their browser or another app, they have not logged of FB from your app so the token will remain valid until it expires or the app or user explicitly logs out from the context of your app.
Not sure why you are concerned about this. Generally you would want your users to remain logged in. If you have a reason you don't want this don't request "offline_access" permission when you authorize a FB user and you can also logout and de-authorize the user via the FB API based on whatever criteria you deem appropriate.

is it possible to access user's wall info without passing his/her access token?

I wonder is it possible to access user's wall info without passing his/her access token?
for example, I will just pass my app secret token and app id. and FB user already allows to access his/her info from my app. Facebook does the checking and matching of my app and my app's user by just using my app secret token and app id.
Because I found some topics similar to that.
http://forum.developers.facebook.net/viewtopic.php?pid=9172
When I check Rest FB doc,it says like that.
http://restfb.com/javadoc/index.html
public DefaultFacebookClient()
Creates a Facebook Graph API client with no access token.
Without an access token, you can view and search public graph data but can't do much else.
I doubt that it will work or not without access token.
can everyone share me ideas or any possible similar approaches ?
Thanks.
You will need to ask the users to authorize your app for offline access. You will be able to access the user's wall even if the user is offline, but you still need the access token. It is part of Facebook's security measures.
There are two types of access tokens:
Session based: expires in a short term, are used when the user will be logged to FB every time you need to perform an operation.
Offline access: do not expire and allow the app to perform operations for the user in any moment. This requires the offline_access permission when the app is authorized.
Check here: http://developers.facebook.com/docs/authentication/ for the oauth mechanism and here: http://developers.facebook.com/docs/authentication/permissions/ for the permissions list.
The REST API is deprecated and it is strongly suggested that you don't use it anymore. Furthermore, from this October you will be allowed to use only the Oauth2 authentication (see When is Facebook turning off their session based auth?)
Without token you can only access public information.
Public data
From RestFB homepage :
// It's also possible to create a client that can only access
// publicly-visible data - no access token required.
FacebookClient publicOnlyFacebookClient = new DefaultFacebookClient();
If the user does not protect his posts, then you can access everything without token. But most of user do protect their data and then you need a valid user access token to read the data.
Private data
When you say "FB user already allows to access his/her info from my app" it means that the user has clicked on "Allow app" in the web browser and at that moment here Facebook will give you a token. You can after use that token with RestFB :
FacebookClient facebookClient = new DefaultFacebookClient(USER_ACCESS_TOKEN);
User user = facebookClient.fetchObject("me", User.class);
out.println("User name: " + user.getName());
By default, the token will expire a few hours later. If you ask for the offline_access permission, the token will be valid for ever (as long as the user does not remove the permission for your app in his settings). You should store that token in your database to be able to use it when you need.
Get the user token
You cannot get the user token with RestFB. On the RestFB homepage, you can read :
Non-goals: [...] Providing a mechanism for obtaining session keys or OAuth access tokens
Because you need a browser to do so : the user has to authenticate and authorize your app on Facebook website (the popup that shows).
What you can do is to have a PHP page on which your users have to go to authorize your app. You can read this stackoverflow answer that explains how to use the Facebook PHP SDK to do so.
Hope that helps !

Is it posible to change the scope of your Facebook Connect website?

I'm building a Facebook app with Facebook login via Oauth 2.0. Will it be possible to request more permissions (scope) from the user in the future as we add features or do we need to request them all up front?
Anyone implemented this with Facebook Connect?
From my experience, you can add permissions later and it'll prompt the user to accept those permissions. For my app, I started with just basic/email permissions and then added photo... and it would prompt for the photo.
You can call Facebook's permissions api (https://graph.facebook.com/me/permissions?access_token=...) to see if the user has authorized the permission you will need (perhaps they later when in and revoked part of your apps permission but not all of it). If they did, or you just later need different permissions, just show the authorization link like you did the first time with the additional permissions listed in the url (&scope=email,read_stream...) and it will prompt them for those.

How can I avoid asking users to login (connect) to my facebook app again and again?

I am developing and testing a facebook app for which I have granted the permissions with my facebook account. Then the app is authorized to access my info, etc. nicely. The next time I close the browser, reopen it, login to facebook successfully then access the app, facebook wants me to login to that app again. I can access the current user id, but how can I automatically authorize the app (if the user has already authorized in the past) without needing the user to press that dread 'Login' button again and again upon each session's end?
UPDATE - offline_access has been deprecated. Read this post for more details: https://developers.facebook.com/roadmap/offline-access-removal/
You will need to request a token that has offline_access so that you can use their authentication token over and over again. Then you will need to set a cookie yourself that stores something indicating who the user is. Facebook does not support a "remember me" feature in their authentication so you have to build it yourself. Store the access token in your database and set the cookie to identify the user.
Unless you are building this for a very specific reason like an app that runs on work computers only, I would really encourage you to not implement this feature. The facebook connect authorization is well understood by users and is very easy to use. You are going to get a lot more security if you make your users press the button every time. Just make sure you make this optional. You never know if somebody is on a public computer.