Facebook API fails and Graph works. Why? - facebook

I have a Facebook app that works fine when I call $facebook->api('/me'), it returns all the user information, but it fails when I call $facebook->api('/100006737731259'). The error I get is:
array("error" => array("message" => "Unsupported get request.", "type" => "GraphMethodException", "code" => 100))
And the strange thing is that if I open my browser and go to http://graph.facebook.com/100006737731259 it returns all the information with no problem (it is one test user for my app).
Have you ever had a problem like it? I do not know what can I be doing wrong.
Thank you very much

When call this API for test user, you can put empty access token OR just don't put access_token parameter at all, then you can solve it.
If you really want to put the access_token, there's the rule you have to follow:
Prohibited access_token:
Normal user's access token
Other app's test user access token
Other app access token
Allowed access_token:
Test user's access token(Either the test user is current app's other test user or this test user 100006737731259, both is allowed!) retrieved from https://graph.facebook.com/APP_ID/accounts/test-users?installed=true&name=TEST_USER_NAME&locale=en_US&permissions=read_stream&method=post&access_token=APP_ACCESS_TOKEN (Replace the relevant APP_ID, TEST_USER_NAME, and APP_ACCESS_TOKEN)
Current App Access token
*APP_ACCESS_TOKEN can be retrieved from https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=client_credentials (Replace the relevant APP_SECRET)
**App Secret can be get from https://developers.facebook.com/x/apps/APP_ID/settings/ (Replace relevant APP_ID)
The proof is, if you request with other user access token, https://graph.facebook.com/100006737731259?access_token=PROHIBITED_ACCESS_TOKEN at web browser, you would get error eventually.
But if you do https://graph.facebook.com/100006737731259?access_token=Allowed_ACCESS_TOKEN OR https://graph.facebook.com/100006737731259?access_token= (left the access_token value empty) with your web browser, then you can get the data.

This is a problem that only occurs with test users. I don't know why, but it is. If you use a real user, this will not happen.

Related

Get friends of a User using Facebook API

I am facing a problem in fetching the friends of a user. The following code is working fine when "me" is passed as an UID. But it doesn't work when a user id is passed like 523621551. Every thing is set in the permissions. And i get the "Unsupported operation" error. Following is the code.
public function getAllFriends($uid) {
return $this->fb->api("/" . $uid . "/friends", 'GET', array(
'access_token' => $this->fb->getAccessToken())
);
}
So, what is causing this problem?
I also studied other related questions but those didn't help. :(
You can´t get the friends of ANY user, you can only get the friends of the user who is authorized at the moment. The docs are a bit misleading, it may only work with the (app scoped) user id of the authorized user, but it will never work with any other user id - that request is "unsupported" ;)
Also, you can only get the users who authorized the same App too, just in case you don´t know yet. See changelog: https://developers.facebook.com/docs/apps/changelog
Edit: I just tested it with an App Scoped ID in the API Explorer and it works, so i assume you are trying to get the friends of another user as i expected - which is not supported, of course.
I also tested it with the "real" ID of the authorized user and got the following error:
The global ID 1603196280 is not allowed. Please use the application
specific ID instead.
Makes sense, you would not get the global ID in the App anyway, only App Scoped IDs. As i said, the error you get is not very clear but correct: Getting the friends of ANY user is "unsupported".

Validating the user of an access_token

In the Facebook dev article Manually Building a Login Flow, there is a section entitled "Confirming Identity". It mentions that you need to validate codes and tokens that you receive from them via your redirect_uri.
My question: Since you don't know anything about the user that just logged in, how do you validate that the user_id that you see in the response from the token inspection endpoint is correct?
The article says:
As a result, your app should confirm that the person using the app is the same person that you have response data for before generating an access token for them.
But, how can you actually do that? Are we expected to show publicly available info about that user_id back to the user with a UI that asks "Is this you?". I haven't seen any apps/sites that do that, so I'm assuming that this isn't practically done.
Am I missing something?
You can use FB.getLoginStatus to retrieve information about the logged in user. It returns a response object for the user. If the user has authenticated your application, the response object will look like this:
{
status: 'connected',
authResponse: {
accessToken: '...',
expiresIn:'...',
signedRequest:'...',
userID:'...'
}
}
You can use the UserId returned in this object to verify the user's identity.

Posting on user's timeline on the behalf of the user

I created and APP on the Facebook.
Now I am trying to post a comment on the user's timeline using the Graph API but I cannot undestand what I need to do.
I already authorized the Application (I authorized this permissions: 'user_status,publish_stream,user_photos,email').
If I look on my profile -> privacy I can see that the APP can:
This app can: Post on your behalf
This app may post on your behalf, including status updates, photos and more.
Last data access:
Basic InformationToday
See details · Learn more
Posts on your behalf:
Who can see posts this app makes for you on your Facebook timeline?
Public
Notifications:
When to notify you?
The app sends you a notification
So this part seems OK.
On my application I do the following to try to post somenthing on my timeline (I need to post it when I am off line).
1) GET : https://graph.facebook.com/oauth/access_token?client_id=APPID&client_secret=*APP_SECRET*&grant_type=client_credentials
RESPONSE:
access_token = 422828347771671|UdQELQIf0N7krF4JUo7VwtPLTkk
2) GET: https://graph.facebook.com/search?q=myemail&type=user
RESPONSE:
_"error":_{
______"message":_"A_user_access_token_is_required_to_request_this_resource_",
______"type":_"OAuthException",
______"code":_102
___}
But reading the documentation (https://developers.facebook.com/docs/reference/api/#searching) it seems that this request does not need any kind of access token.
I also tried to add the access token, but the result is still the same.
3) I know my facebookid so I tried to use it directly:
POST: https://graph.facebook.com/100001139132403/feed
ARGUMENT:
access_token=422828347771671|UdQELQIf0N7krF4JUo7VwtPLTkk,
message=Hello
RESPONSE:
"error": {
"message": "(#200) This API call requires a valid app_id.",
"type": "OAuthException",
"code": 200
}
}
So I tried to add client_id=APPID and app_id=APPID, I tried to put one, the other and also both arguments as GET or POST but nothing changed.
I checked the APPId ad it is correct.
Do someone have any idea?
Thank you!
You cant simply generate a user access_token by querying to a URL. What you did gives the App access token and as the error say, you are trying to do something, that needs user access_token.
Refer and implement this : https://developers.facebook.com/docs/howtos/login/server-side-login/
And use that access_token for the rest of the processes.

Facebook PHP SDK: getting "long-lived" access token now that "offline_access" is deprecated

BASIC PROBLEM: I want my app to be able to make calls to the Facebook graph api about authorized users even while the user is away.
For example, I want the user (A) to authorize the app, then later I want user (B) to be able to use the app to view info about user (A)'s friends. Specifically: the "work" field. Yes, I am requesting those extended permissions (user_work_history, friends_work_history, etc). Currently my app has access to the logged-in user's friends work history, but not to any of the friends' work history of other users of the app.
Here's what I know already:
Adding offline_access to the scope parameter is the old way and it
no longer works.
The new way is with "long-lived" access tokens,
described here. These last for 60 days.
I need to exchange a normal access token to get the new extended token. The FB documentation says:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
Here's what I don't know (and I'm hoping you can tell me):
How do I get the extended (aka "long-lived") access token using the Facebook PHP SDK? Currently, my code looks like this:
$facebook->getAccessToken();
Is there such a thing as this?:
$facebook->getExtendedAccessToken();
If not, is this what I should be doing?
$accessToken = $facebook->getAccessToken();
$extendedAccessToken = file_get_contents("https://graph.facebook.com/oauth/access_token?
client_id={$appId}&
client_secret={$secret}&
grant_type=fb_exchange_token&
fb_exchange_token={$accessToken}"
);
I've tried it and it doesn't work. I get this error:
Warning: file_get_contents(https://graph.facebook.com/oauth/access_token? client_id=#######& client_secret=#########& grant_type=fb_exchange_token& fb_exchange_token=##########) [function.file-get-contents]: failed to open stream: HTTP request failed! HTTP/1.0 400 Bad Request in /...
Does it work any differently if I switch to FQL instead of the graph api? I've read through the Facebook documentation many times, but the PHP sdk is not thoroughly documented and I can't find any examples of how this should work.
I finally figured this out on my own. The answer is pretty anti-climactic. It appears that newly created apps get 60 day access tokens automatically. I'm not sure if this is dependent on enabling the "depricate offline_access" setting in the Migrations section of the app settings. Leave it on to be safe.
So at the time of writing this, you can use the PHP SDK as follows: $facebook->getAccessToken();
(The reason my app wasn't working as expected was unrelated to the expiration of the access token.)
Just one more thing, to get long-lived access token using PHP SDK you should call $facebook->setExtendedAccessToken(); before $facebook->getAccessToken();
In the last Facebook PHP SDK 3.2.0 you have a new function setExtendedAccessToken()
that you have to call before getAccessToken();
Like this:
$user = $facebook->getUser();
$facebook->setExtendedAccessToken(); //long-live access_token 60 days
$access_token = $facebook->getAccessToken();
Actually newly created apps only get a 60 day access token automatically if you are using a server side call. If you are using the client-side endpoint as shown above in the question, even new apps will still receive a short-term token initially. see: https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/
I had the same HTTP/1.1 400 Bad Request error that you had when using the New Endpoint and the problem was if you copy the code Facebook gives you exactly and paste it into your app, there are actually spaces in between the params, meaning there's unnecessary spaces in the url and it won't get called correctly when passed into file_get_contents() even though it works okay when pasted in the browser. This took me way too long to figure out. Hope this helps somebody! Here is my complete working code to get the extended access token out of the new endpoint (replace x's with your values):
$extend_url = "https://graph.facebook.com/oauth/access_token?client_id=xxxxxxxxxxxx&client_secret=xxxxxxxxxxxxxxxxxxxxxx&grant_type=fb_exchange_token&fb_exchange_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
$resp = file_get_contents($extend_url);
parse_str($resp,$output);
$extended_token = $output['access_token'];
echo $extended_token;
The selected answer is now outdated. Here are Facebook's instructions to swap a short-term token (provided in front-end) for a long-term token (server only):
https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing/
Generate a Long-lived User or Page Access Token
You will need the following:
A valid User or Page Access Token
Your App ID
Your App Secret
Query the GET oath/access_token endpoint.
curl -i -X GET "https://graph.facebook.com/{graph-api-version}/oauth/access_token?
grant_type=fb_exchange_token
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={your-access-token}"
Sample Response
{
"access_token":"{long-lived-access-token}",
"token_type": "bearer",
"expires_in": 5183944 //The number of seconds until the token expires
}

Retrieving facebook user wall posts through graph API

I'm currently working on a facebook app which captures wall posts for a specified user, page or group, after a user has authorized the app I quote the access_token that is returned to call the method
https://graph.facebook.com//feed?access_token=
this works fine for pages and groups as we only need a valid token, however for users the results are different depending on the relationship between the user who authorized the app the user whose posts are being captured.
For example if there is no relationship between the two users some posts are not returned even though they are public and displayed when you view the profile of the user, however if they are friends more posts are returned.
Can someone please explain this behaviour? And is it possible to obtain all posts using this method?
Yes, per the permissions listed at https://developers.facebook.com/docs/reference/api/permissions the results of the call are different depending upon the relationship.
However when things are public and you use an access token that doesn't belong to the user, then no results are returned. I cannot remember a time when this wasn't this way. For some odd reason (by design or omission on Facebook's part) using the graph API to get at public posts using a user access token just doesn't want to work.
For example, You can see some public items here
http://www.facebook.com/zuck
http://graph.facebook.com/zuck
However, you cannot seem to get any feed from here without an access token
https://graph.facebook.com/zuck/feed
{
"error": {
"message": "An access token is required to request this resource.",
"type": "OAuthException"
}
}
Let's try adding an user access token that does not belong to zuck or a friend of zuck. https://graph.facebook.com/zuck/feed?access_token={UserAccessToken}
And here's what we get:
{
"data": [
]
}
What about an app access token? Let's try
https://graph.facebook.com/zuck/feed?access_token={AppAccessToken}
{
"error": {
"message": "Invalid OAuth access token signature.",
"type": "OAuthException"
}
}
So as you can see, it's difficult to get things via the graph that are not in alignment with your access token.
I manage to get most of the feeds from user's wall post. Although this is a old post, I hope someone can manage to get what they want from my answer.
Before getting the access token(to get the feeds), you need to add multiple correct Read Permissions "keys".
For example, you will have to add "read_stream", and "user_status" (which I found that these are the most important permission "key" to generate the correct access token, to retrieve one's so-called "public" feeds).
You can add more into generating the access token, in either you want the permission to GET, or POST, or BOTH.
Source is here: https://developers.facebook.com/docs/howtos/ios-6/#nativeauthdialog
One thing that I found is, the way to get the feeds result from user's "Home/About" page and Facebook Page (which is created for people to like (not add friends)) are different. The key is mentioned above, "read_stream", and "user_status". So it's better that you add both of the permissions in order to generate the access token to get everything in feeds.
Graph API doesn't return posts to the App if is not authorized to read user feed, even if posts are public.
Source: https://developers.facebook.com/bugs/290004301178437/
According to the latest api ,
FB.api("/me/feed","get",function(response) {//callback})
should do and also work well .
It is working now but facebook may change it in future.