I implement some facebook related stuff and accessing graph api for that pourposes. But for implement Integration testing I need a simple strategy to get access_token. So I create test user for that. How could I get access_token only with server side involved, without including browser in the chain. Ideally I just need to exchange login/password to the token.
Correct workflow loooks like this:
According the correct answer, there is special tests users provided by facebook.
To to be able to tests system properly you need to do the following flow
Get application access token
Request application's tests user's via "GET /{app_id}/accounts/test-users"
Parse response and extract access_tokens for each user from that response.
You can't exchange the login/password for an Access Token, but you can create test users programmatically. Have a look here:
https://developers.facebook.com/docs/graph-api/reference/v2.0/test-user
https://developers.facebook.com/docs/graph-api/reference/v2.0/app/accounts/test-users
How to get an access token with the right permissions for a test User
https://developers.facebook.com/docs/graph-api/reference/v2.0/user/permissions/
Short answer: You canĀ“t.
Server side you can only get an App Access Token, Page Access Token or extend an existing Access Token.
So it depends on what you need to achieve, if you just want to get public stuff from a Facebook Page, even an App Access Token may be good enough. But you cannot create User Access Tokens server side.
It may be possible with real test users created via the Graph API itself though, see Tobis answer for links about that. But it is definitely not possible with username/password.
I have created an application on developers.facebook.com from my profile. Get APP ID, APP SECRET and generate TOKEN. Now, when I send the request like
https://graph.facebook.com/search?q=media&type=page&access_token=MY_TOKEN
is ok, but when I try to send the request for GROUP, like
https://graph.facebook.com/search?q=media&type=group&access_token=MY_TOKEN
I get the error
The remote server returned an error: (403) Forbidden.
Seems I have permissions problem. I set the permissions friends_groups, user_friends, user_groups to the account, but.. still the same error...
Can you please tall me what am I doing wrong? Maybe I need a different token?
As I understand you're using an App AccessToken for an endpoint (object type) which needs a user AccessToken. See the docs at https://developers.facebook.com/docs/graph-api/using-graph-api/#search
It's stating
"All Graph API search queries require an access token included in the request. The type of access token you need depends on the type of search you're executing.
Searches across Page and Place objects requires an app access token.
All other endpoints require a user access token."
Let's suppose there is a website which wants to post on Facebook in the users' name. First, when the user is linked to Facebook, he will have an access token and read access so he can log in with Facebook to the website, for instance. On a given event, the user will have write access on Facebook with the access token.
After a while, the Facebook access token expires (as it seems, but if there is a way to create Facebook access tokens which will never expire I would be glad to hear about), so on the website whenever a post to Facebook is about to be made, a request has to be sent to Facebook to check the validity of the access token. If the access token is invalid, then a redirect is needed to Facebook where a new access token is generated, then Facebook redirects back to the page.
I think there are no permanent Facebook access tokens. If there are permanent Facebook access tokens, how can one create them?
If a Facebook access token expires, is there any other solution to the problem than redirecting to Facebook for access token generation and redirecting back?
EDIT:
Here: https://developers.facebook.com/docs/opengraph/howtos/publishing-with-app-token/
I have read the section with the title of "Making API Calls to Publish with an App Access Token".
It states that I need the user's FacebookID and the publish_action privilege granted by the user to be able to post in their name on Facebook. However, I am puzzled about the way I can get the user's FacebookID and how the user grants the website publish_action privilege. Also, this section mentions that
"You will be unable to retrieve information about the status update post with the given ID using the app access token. Instead, you should use a user access token for such purposes."
I do not really understand what information is impossible to be retrieved with this possibility. I do not really understand the cause of inferiority of this strategy compared to the strategy with access tokens.
The short answer is yes, you have to redirect to Facebook (or use the Javascript SDK) to get FB to give you a new access token. If the user is already logged in to Facebook and hasn't deleted your application, then the process will be mostly invisible to your user.
You can, however, extend the length of time you're allowed to use your access token from 1-2 hours to a much longer period (I can't find the time reference, but I seem to remember it being a 3-6 month period). You can read about that process in the Access Tokens Documentation.
edit
First, you have to understand the difference between an App access token and a User access token. An app access token is a very simple token that facebook uses to verify that your app is making a request that you intended it to make. Your app access token consists of your app id and your app secret as a string and separated by a | character. This token doesn't grant you access to any user information, and isn't really usable for a whole lot of things (it's basically used for the authentication methods to ensure that when you request the token, the request is coming from you and not some 3rd party masquerading as you). Though, like you found above - you can also use it to make posts to the user's feed, providing they gave you access.
A user access token identifies an actual user, and their session, to your application. The user access token typically lasts a couple of hours and then expires. You can exchange this token for an extended access token which as I stated above, I believe to last for several months.
A user token (either the temporal 1-2 hour version, or the extended version) allows you to access the FB graph API as the user to which the user belongs. So, using these tokens you can access the user's friend list, photos, likes, interests, etc (presuming you requested permission to do so upon application install). You can check which permissions you have by using the user access token and making a request to /me/permissions on the graph api.
The Javascript SDK is unique, as it doesn't require you to redirect your user away from your application. The JS SDK allows you to use a pop-up to allow the user to authenticate with facebook, install your application, or to allow (or deny) permissions that you are requesting.
The FB.login method takes 2 parameters. Parameter 1 is the callback which is executed after the user responds to your authentication prompt (either by accepting or rejecting your application install request). Parameter 2 is for options which are passed as a javascript object, the only one of which you care about here is the scope parameter. The scope parameter is the way you ask for extended permissions (such as publish_action) so in order to acquire the publish stream permission from a user you use code that looks like this
<script type="text/javascript">
FB.login(function(response)
{
//check to see if they accepted or rejected, and do something
}, { scope: "publish_action });
</script>
Once the user accepts, any subsequent calls to the FB JS SDK will automatically include your user's access token, you don't have to manage it yourself. You can make calls to the graph API on behalf of the user without having to explicitly specify the user's user id - you can just reference them as me. So, for example, you could publish to your user's feed via the JS SDK like so:
<script type="text/javascript">
FB.api('/me/feed', 'post', { message: 'test!' }, function(response)
{
//do things
});
</script>
However, if you'd rather make calls to the Graph API from your server on behalf of the user to publish to their feed (or your needs require you to do so), you'll have to store the user's FB User ID along with your user data so you can access it later. That User ID is available in the argument that is passed to the FB.login callback (response.authResponse.userID). Once you store that, you'll be able to make Graph API calls on behalf of your user from your server simply by POSTing to /<user_id>/feed with the appropriate data:
$ curl -d "message=test&access_token=<app_access_token>" /<user_id>/feed
Finally, re-authenticating your user. THE FB JS SDK exposes 3 methods for authentication.
FB.getAuthResponse
FB.getLoginStatus
FB.login
The primary difference between FB.getAuthResponse and FB.getLoginStatus is that getAuthResponse waits for a response from Facebook before any further javascript is called (it's blocking, or synchronous). FB.getLoginStatus will allow other javascript to run and will call your supplied callback when it gets a response, allowing you to do other things while you wait for a response. Either of these methods can be used to determine if your user is currently logged in to Facebook and if the user has your application installed. You can then use FB.login (if they're not logged in to FB, or not users of your app) to prompt them to login, or install, so you can access their information. Both of these methods pass you back the user's access token if they're installed and have authorized your app (response.authResponse.accessToken).
FB.login does a check for the login status of the user, but it always will pop up a login/install dialog, regardless of the status (and if they're logged in/installed, it will hide the pop-up immediately). The FB.login method is also used if you need to request additional permissions from the user (Say you just get a "vanilla" install at first, and then later the user says they want you to post to their feed. When they initiate that option, you can then request the extended permission from them). In order to utilize that functionality, you use FB.login just as you would if they were a new user, except you add the extended permissions that you want/need in the scope property of the options variable you pass as the 2nd argument.
tl;dr
Use FB.getAuthResponse or FB.getLoginStatus to determine if your user is logged in and has your application installed. These methods can also be used to fetch new access tokens as your user is using your application.
Use FB.login to get new/unauthenticated users to install your application.
Once your user logs in, fetch their user id and store it your database somewhere. This can be used to post on their behalf with your app access token once you acquire the publish_action permission from the user
If you want to store a long-lived user access token to access the user's profile and other information, later, use the link above for exchanging your user access token for an extended access token. This is a server-side process, and you can store the resulting access token in your database with the user's other credentials.
Sorry this so long and wordy - I just wanted to provide you with some solid information about access tokens, how they're used, and how to use the JS SDK to maintain them. Hope this helps.
If anyone is familiar with the fql query, why am I getting this error for the next query:
https://api.facebook.com/method/fql.query?query=SELECT%20post_id,%20actor_id,%20target_id,%20message%20FROM%20stream%20WHERE%20source_id%20=%20302056140380%20AND%20updated_time%20%3E%201111111
This is the page:https://www.facebook.com/Inna?sk=wall
All I want to do is to retrive the last posts from Inna's wall.
Thank you very much;
You need to provide a valid access_token with the FQL request even though the data is public. You can test it here. You won't need to have any permissions granted to access the feed, but you will need to provide the token.
You will need an access_token of type "Any Valid" as defined here. In short, it means that you can use any access_token that hasn't expired. One easy to obtain access_token is an app access token which you can obtain by going to:
https://graph.facebook.com/oauth/access_tokenclient_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
You will find YOUR_APP_ID and YOUR_APP_SECRET under your created apps page (or you can create one there if you don't have one).
When you provide the app id and secret to the oauth, you will receive an access_token which you can use for the request until the token expires.
Facebook changed their Graph API recently to require an access token. Therefore I quickly made a Facebook application to be able to retrieve an access token, use a URL similar to the one below, generated my access token and implemented the token in my iPhone application. Lately I have been thinking about if I have done something wrong. Should I request the access token everytime a user of my application retrieves data from the Graph API? I am starting to doubt whether or not the access token is unique to each user or just to the Facebook application.
Can I hardcode an access token into my application or should I make a request on the URL below every time I need to retrieve data through the Graph API?
I am generating my access token with the following URL:
https://graph.facebook.com/oauth/access_token?client_id=MYID&client_secret=*MY_SECRET*&grant_type=client_credentials
Access token granted by user have expiration time. If token expired then you need to request it again. But if you ask user to grant you "offline_access" permissions then you'll have almost not limited access token. You can store it in database or file and use next time.
Here FB documentation about permissions:
http://developers.facebook.com/docs/authentication/permissions/
Enables your app to perform authorized
requests on behalf of the user at any
time. By default, most access tokens
expire after a short time period to
ensure applications only make requests
on behalf of the user when the are
actively using the application. This
permission makes the access token
returned by our OAuth endpoint
long-lived.