why do I get "Invalid appsecret_proof provided in the API argument" - facebook

Since the latest change on Facebook, regarding the appsecret_proof: https://developers.facebook.com/docs/reference/api/securing-graph-api/, we are still unable to download performance reports even after enabling/disabling features from Advanced Settings in our app, or apply the code as described in their document.
We are constantly getting this error:
{"error":{"message":"Invalid appsecret_proof provided in the API argument","type":"GraphMethodException","code":100}}
and I've open a confidential bug but no one returns to me with an answer.
I really don't know what more could we try?

The error is (based on my experience) almost certainly correct; it means you're proving an invalid appsecret_proof with your API call
Assuming you're using the standard PHP SDK without modifications, the most likely reasons for this are:
You configured the wrong app ID in the SDK code
You configured the wrong app secret in the SDK code
You're trying to use an access token from the wrong / another app

Another potential cause of the "Invalid appsecret_proof ..." error, is a user access token that is not associated with an app. If you are generating a user access token using the graph explorer, make sure to select an app from the dropdown on the top right corner. Otherwise, you will be generating tokens that only work within the graph API explorer.
I filed a bug with the Python SDK before I caught my mistake. GUIs are the devil.

No bug in the latest version of the facebook PHP SDK.
You need to create appsecret_proof as per the docs:
$appsecret_proof= hash_hmac('sha256', $access_token, $app_secret);
then pass it as a parameter to your api call.
See the docs here: https://developers.facebook.com/docs/graph-api/securing-requests/
Once I did this all was good and I didn't have to hack base_facebook.php

There is a bug in the Facebook SDK. After 20 hours of trying everything to debug my own code (which had no issues!), I commented this out in base_facebook.php:
/* Commented out by SJ
if (isset($params['access_token'])) {
$params['appsecret_proof'] = $this->getAppSecretProof($params['access_token']);
}
*/
And all the problems went away!

This is error is because of in correct token. It may be because you are using different account for configuring web app and mobile app for Facebook configuration. Both accounts should be same.
The app ID must be the same for your mobile app and your web app.

This error is the result of setting incorrect access token. For e.g posting to page album using a user's(admin's) access token. I have solved this error almost all the times by setting the proper access token

If this error is unexpected behavior, you may have checked a setting in your app to require it. Uncheck it and you should stop getting that error. That setting is in settings -> advanced and is called "App Secret Proof for Server API calls". Set that to NO.
As of now, that setting is on this page (make sure to put your appId in the URL): https://developers.facebook.com/apps/YOUR-APP-ID/settings/advanced/
Note this is not a universal solution, only a solution for people who don't want that behavior.

For me it was three fixes that made it work
Activate the Secret app and Access to API in the advanced configuration of your app in Facebook for developers. Although in theory it is not needed for me it always prompted that the appsecret_proof was needed even when those two options were off.
When creating the appsecret_proof, the access_token used to create it should be the same access_token to send in the request, and its the user access_token, my error was that I was using the app access_token. Use the user access_token.
Send the parameter appsecret_proof as appsecret_proof, not as app_secret_proof. A minor detail but happened to me.
Extra:
For python you can create the appsecret_proof like this:
import hmac
import hashlib
facebook_app_secret = '<your_app_secret>'
facebook_access_token = '<your_user_access_token>'
appsecret_proof = hmac.new(facebook_app_secret.encode('utf-8'),
msg=facebook_access_token.encode('utf-8'),
digestmod=hashlib.sha256).hexdigest()
print(appsecret_proof)
Gotten from facebook graph api calls with appsecret_proof in python

make sure your setting correct fbappid + fbappsecret
this error happens when those are not set correct
like you have 2 apps one development and one production
and you mess up the codes, double check those two

Just for people having the same problem;
When you set Client OAuth Login to "yes" on facebook, you should give proper Valid OAuth redirect URIs . Otherwise facebook throws exactly the same error.

In my case I needed to set Default Access Token via method: setDefaultAccessToken()
I used token generated in GraphApi dev tool but I did not switch into proper application. It was solved by changing application into proper one and using regenerated token.

I know that this is an old question but I solved mine by changing the Application to the proper application that I should be generating an access token with. E.g. from Project1 to Project2.

Perhaps something wrong with your access token, you need Business Manager style.
You can get the token from the content of https://business.facebook.com/settings/system-users/{sys_user_id}?business_id={business_id} with regex r'"accessToken":"([\d|\w]+)","context"'

Works for me:
$appsecret_proof = hash_hmac('sha256', $facebook_page_token, $app_secret);
WHERE facebook_page_token is the page token stored in my database created when I associate the page to the app.

Problem comes from wrong platform access token.
You should check your dashboard which you preferred to API and check your access token where it comes from.

Related

ckWebAuthToken retrieval via postMessage using CloudKit Web Services

I am trying to retrieve a web auth token for CloudKit using their web services and postMessage API token. According to Apple's documentation, token should be returned as part of "data" object through the message callback, but all I am getting is the ckSession variable. It seems like documentation is wrong, or I am missing something.
Is there any additional API which should be called to retrieve the web auth token after this step? I tried being naive and passed ckSession to record listing APIs but that doesn't seem to work. Also, if I use a different token retrieval method, like custom URL scheme, for example, token gets retrieved correctly. This issue seems to only be related to postMessage option.
"Allowed origins" is set to "all domains" and I'm calling auth API from localhost. I am running Windows 10 and am using Chrome browser (if it means anything here, probably not).
It seems like someone had the same issue a couple of years ago and it was posted on the Apple forums, but it hadn't got much love back then.
Any help would be greatly appreciated. Also, I can provide more information, if needed.
As I understand it, you can only obtain the web auth token (ckWebAuthToken) via the front-end JavaScript API. It should be returned after the user signs in with their Apple ID. You could then POST that value to your back-end app and store it somehow (probably as a session variable).
You can read more about getting the web auth token on this page.
If you have since learned more about solving this and know more than I do, I'm all ears. :)
Likewise, I never managed to intercept the ckWebAuthToken with the postMessage method. I suspect it can be used only with the sign in button generated by setUpAuth in the JS SDK.
So instead I redirected to a page of mine hosted somewhere, where I grabbed the token from the query string and sent it to my host app, all in JavaScript. Clunky but it worked! :)

Facebook Marketing API: Requested URL returns Object w/ ID does not exist, but works in browser

This one is a little odd. I am making a request that has been made many times before, but for some reason is being denied. However, it is only being denied from postman/arc and from my server. If I paste it in the browser, I get the list of campaigns just like I would expect.
So this works in the browser:
https://graph.facebook.com/v2.7/act_blahblahblah/campaigns?fields=name,status,objective&access_token=mytoken
But if I try to make a request from cURL or test it in postman or arc I get this error:
Unsupported get request. Object with ID 'act_blahblahblah' does not
exist, cannot be loaded due to missing permissions, or does not
support this operation. Please read the Graph API documentation at
https://developers.facebook.com/docs/graph-api
(Of course, I have replaced the real ad account w/ blahblahblah for this example).
The token is valid AND I made sure that the account ID is listed in advanced settings. This has worked in the past, so I'm not sure why I am getting it now. Any ideas?
It actually was a token issue, but just not one I could tell right off the bat. I am using an extended token that works, but needed to be refreshed after a change was made. So I got a fresh token, extended that, and tried it with the new extended token and it works just fine now. Just remember kids, if in doubt, get a fresh token. You too self. You too.
The graph API explorer is helpful in testing access token issues.
https://developers.facebook.com/tools/explorer/
Also, most access tokens expire quickly, and if you need a permanent token for a prod environment, i would recommend looking at system user tokens.
https://developers.facebook.com/docs/marketing-api/businessmanager/systemuser/

Facebook Login Flow, helping understand me the need for the debug token call?

I'm doing a facebook app and I've followed the custom login flow instructions and I have a question on the last step:
1) I start by doing a call to /dialog/oauth to get a login code.
2) With the code I will request an access token, by hitting the graph.facebook.com/oauth/access_token and that's fine as well.
3) The instructions now say I should validate the code and token to make sure they are from the sources that requested them.
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
My questions are:
What is the input_token in my scenario?
Do I need to do this in my flow? And why if yes?
If I just pass the same value(access_token) in both parameters I get a valid anwser but I don't know if this makes sense.
Thanks in advance.
This question has already been asked: how to verify facebook access token?
And: Verify Facebook Access Token for specific App
And: verification code example
It's simply a unit test to see if your code is still valid (to catch a bug early so it can't do any big damage).
If the access token is not valid, you can for example show a message to the user that there is a bug etc.

Facebook Event Search - Access Token

A while ago I had written some code that searched Facebook events using the api. I've been trying to revive that code but have been unsuccessful. The main difficulty I see is that is that searching for public events now seems to require an access token. The documentation (https://developers.facebook.com/docs/reference/api/event/) says that shouldn't be the case until July 5th but, the sample event search for me (https://graph.facebook.com/search?fields=name&q=conference&type=event) returns nothing if you don't have an access_token.
So I got an access_token for my application using the facebook php sdk $facebook->getAccessToken(). The problem I am now suffering is this seems to be the wrong type of token. It doesn't work to return any events and the query when posted into the url bar doesn't get anything, but if I switch it an access token generated by a learn graph api link the query works in the url bar (but not from my site annoyingly enough). The type of access token I'm getting from the app is basically | and that is the type that is not working for the event search.
I am basically looking for any advice I can get. How to get an access token that the event search will accept would be helpful. I also find it weird that I can do an event search using the url bar but, the exact same query through my app returns an empty array. So basically anything that can shed some light on my problems would be great.
UPDATE:
I got everything working except that it still requires a user access token rather than an app access token (or none). My other problem was caused by an oddity in the php sdk and I was able to solve it by just doing the curl queries myself.
I have the same problem, at this moment I'm using the access token the graph API explorer (https://developers.facebook.com/tools/explorer) uses when my app is selected (I think it's the users's token so the app can beave as the user, and since it's my access token it's not a big deal).
But this raise another problem: I think the token gets invalidated by logging off from FB or anything similar.

No details for authentication in Authlogic & Facebook Connect

After following the guide to add Facebook Connect to an Authlogic-enabled Rails app (see http://github.com/kalasjocke/authlogic_facebook_connect), I get the following error when I click on the Facebook's "Connect" button:
You did not provide any details for authentication.
It seems that UserSession.create(params[:user_session]) is trying to authenticate with the standard user and password, but the only params available are the authenticity token.
What additional configuration am I missing?
UPDATE: I've made some discoveries. First, the cookie is named fbsetting_{api_key}, instead of fbs_{api_key} (which is what Facebooker expects), for some reason related to API version. Also, the contents of the cookie don't seem to be what Facebooker expects. I don't know if there's a way to select a specific Facebook API version to prevent this from happening.
Having similar issues here. Lots of the options on http://facebooker.pjkh.com/fb-init-options/app_settings_demo_ifuser work nicely for me, but authlogic facebooker out of the box does not work.
UPDATE: It was my app settings on facebook itself, meant authentication was never being setn back to my site... removing site domain sorted it.