I have implemented a server-side login flow for a facebook page management application to allow my users to grant the necessary permissions to this application. So far, this works nicely and allows my application to obtain a "page access token" after being granted the manage_pages permission.
However, during the login flow, the facebook UI on facebook.com requests both the manage_pages permission (which is what I asked for) and the permission to see the list of friends of the user (which I did not ask for).
To be specific, I redirect the user to https://www.facebook.com/dialog/oauth?client_id=...&redirect_uri=...&state=...&response_type=code&scope=manage_pages.
Is there a way to convince the facebook UI to not request permission from the user to see his list of friends ?
For reference, since I spent a good amount of time researching an answer to that question, I believe that it is impossible to explicitely not request permission from the user to see his list of friends. The Facebook documentation hints at this by stating that these are the "default" permissions that every application gets.
Related
As i understand, i need to validate my person, wait for my app review etc.
But what if i just need to post only on my page and nowhere else? Someone told me that i just have to be an app and page administrator and i even can leave app in dev mode but it didn't work for me. In all cases i just recieve
If posting to a group, requires app being installed in the group, and either publish_to_groups permission with user token, or both manage_pages and publish_pages permission with page token; If posting to a page, requires both manage_pages and publish_pages as an admin with sufficient administrative permission
Is it any way to skip all these checks and use API for posting? If not, can you tell me some free services i can use to reach this with? Much thanks for answers.
If you are posting to a page (any page) you need a token with manage_pages and publish_page.
You can generate a test token using the explorer: https://developers.facebook.com/tools/explorer/ - but this token is short lived (1h)
Using the short term token in the explorer, you can get a list of your pages (endpoint: /me/accounts) that you manage and that list will contain a page_token for each page you manage.
With that page_token you can post to the page.
You can put the page_token into the Access token debugger to see it's permissions.
https://developers.facebook.com/tools/debug/accesstoken/
You need approvals if you are putting the app live and allowing non-developers access to it.
I'm trying to connect to a Facebook app that is requesting following permissions:
Access profile and posts from instagram business connected to your page
access insights for the instagram business connected to your page
** manage your pages**
show a list of pages you manage
access your page and app insights
The purpose of the app is to compile post and profile insight stats. If that is the case, why does it need "manage your pages" permission, which gives permission to manage/post/change my page settings?? Or is that legitimately needed just to analyze insights?
https://developers.facebook.com/docs/graph-api/reference/v2.12/insights#reading
Reading page insights requires a page access token, and the only way to get a page access token is to have a page admin grant manage_pages permission to the app first.
manage_pages is the baiscpermission to grant an app access to anything related to a page.
So yes, that an app that analyzes your page insight data asks for this permission, is legit. Of course you will have to trust it, that it won’t abuse it for anything else.
It won’t be able to post in your page’s name though, that would require publish_pages permission as well.
I am building my first facebook app and am facing a issue.
Task : Build a entirely server side application to be used by the admin of a facebook page to post videos/photos on the page. This should not involve having the admin to log in everytime to generate the user acess and page access token.
What I found : Based on the requirement, I found that app tokens can be used for this purpose. This line specifically hints at the usefulness.
App access tokens can also be used to publish content to Facebook on behalf of a person who has granted an open graph publishing permission to your application
I think that using this will be safe since mine is an entirely server side app.
Problem The docs say that:
GET /oauth/access_token?
client_id={app-id}
&client_secret={app-secret}
&grant_type=client_credentials
will give the app token that can be used in place of user access token.
However, I have not been able to do so. Specifically the error encountered is
Error 200 .The user must have accepted the TOS. Since I have already tried publishing content with page access token, I know this is a permission issue.
The following line
a person who has granted an open graph publishing permission to your application.
does not clarify everything. I came across a related question, but the answers seem to be a bit vague.
It would be really great if someone could give me insights about how this can be achieved.
In order to post to a page, you need at least authorize with the manage_pages permission. If you want to post "as user", you need to add publish_actions and use a "User Access Token". If you want to post "as page", you need to add publish_pages and use a "Page Access Token".
Information about how to generate those Tokens:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
The error message with the TOS has been discussed a lot of times already, please go to those threads (or find a lot more with the search function):
(OAuthException) (#200) User must have accepted TOS on C# - Facebook
How come I get a "must have accepted TOS" error for test users with app installed?
facebook long term token "(#200) User must have accepted TOS"
Occassional (OAuthException - #200) (#200) User must have accepted TOS
You cannot post to a Page via an App Access Token. This is clearly stated in the docs at
https://developers.facebook.com/docs/graph-api/reference/v2.3/page/feed#publish
A user access token with publish_actions permission can be used to publish new posts on behalf of that person. Posts will appear in the voice of the user.
A page access token with publish_pages permission can be used to publish new posts on behalf of that page. Posts will appear in the voice of the page.
I'd recommend to use a eternal Page Acess Token, so there's no obligation to renew the User Access Token. Have a look at my answer here:
Post to a facebook page without "manage_pages" permission using php
See
https://developers.facebook.com/docs/facebook-login/access-tokens#pagetokens
I have a blog website and I have a Facebook page where I would like to share updates from my blog. I also would like to share those updates to my personal profile/timeline. I made an application and requested the publish_actions and manage_pages permissions.
It got rejected with the following comment:
You do not need to request these permissions because your blog or CMS
is integrated with an app that you admin. As an App admin, you can
already access these permissions and post to your Timeline or a page
you admin. You can provide access to additional users by adding them
as developers of your App.”
Yes, I am an admin on website, app and Facebook profile/page.
But, can anyone tell me what does it mean?
I read documentation several times. It's pretty clear that I can post even to my own only with access_token. I can get access token if I ask for authorization.
If a request authorization with publish_actions, manage_pages authorization dialog comes with the red banner saying:
"The following permissions have not been approved for use and are not being shown to people using your app: publish_actions and
manage_pages.Submit them for review or learn more."
and
"This does not let the app post to Facebook."
. Then any attempt to post comes with Error #200) The user hasn’t authorized the application to perform this action. It I don't ask for permission I just getting Error 200.
So how exactly I can "already access these permissions and post to my Timeline or a page I admin" as an App admin?
It seems that around mid May they of went back on the review process, at least partially; if your user owns the app and the page then you should be able to publish to your stream or to your page without going through the review process... I guess you just don't have to ask for the permissions that triggers the review process.
I'll be testing this in a bit and I'll get back to you with my results.
UPDATE: Yup. I've just tested it... just ask for publish_actions, manage_pages and status_update and it'll let you autopost on your own page, just ignore the warning about the review process.
I found the article very nice to introduction set extended permission required
(https://developers.facebook.com/docs/beta/authentication/#referrals)
but I go to Auth Dialog setting, the field required permission replaced users & friend permission. I can't see field required permission. please help me. thanks
You can set extended permissions required via your call to the show the login/authorize screen.
For Javascript SDK, it's the second parameter of FB.login(callback,scope).
For the Login social plugin it's the scope attribute.
For PHP SDK it will be
$params = array(
scope => 'read_stream, friends_likes',
redirect_uri => 'https://www.myapp.com/post_login_page'
);
$loginUrl = $facebook->getLoginUrl($params);
Per http://developers.facebook.com/docs/reference/api/permissions/ the extended permissions are:
read_friendlists Provides access to any friend lists the user created. All user's friends are provided as part of basic data, this extended permission grants access to the lists of friends a user has created, and should only be requested if your application utilizes lists of friends.
read_insights Provides read access to the Insights data for pages, applications, and domains the user owns.
read_mailbox Provides the ability to read from a user's Facebook Inbox.
read_requests Provides read access to the user's friend requests
read_stream Provides access to all the posts in the user's News Feed and enables your application to perform searches against the user's News Feed
xmpp_login Provides applications that integrate with Facebook Chat the ability to log in users.
ads_management Provides the ability to manage ads and call the Facebook Ads API on behalf of a user.
create_event Enables your application to create and modify events on the user's behalf
manage_friendlists Enables your app to create and edit the user's friend lists.
manage_notifications Enables your app to read notifications and mark them as read. This permission will be required to all access to notifications after October 22, 2011.
offline_access Enables your app to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
publish_checkins Enables your app to perform checkins on behalf of the user.
publish_stream Enables your app to post content, comments, and likes to a user's stream and to the streams of the user's friends. With this permission, you can publish content to a user's feed at any time, without requiring offline_access. However, please note that Facebook recommends a user-initiated sharing model.
rsvp_event Enables your application to RSVP to events on the user's behalf
sms Enables your application to send messages to the user and respond to messages from the user via text message
publish_actions Enables your application to publish user scores and achievements.
I don't think you can require extended permissions through that dialog, or by using the SDK as suggested above.
In previous versions of the PHP SDK the oauth dialog would return an error if the user did not approve all requested permissions -- this is no longer the case. As long as the user approves the basic permissions, any of the requested extended permissions can be unselected and the user is redirected without a warning or error. I hope that I'm wrong, but from reading the documentation and my own testing, I don't think I am.
From the same page of the documentation that you reference: https://developers.facebook.com/docs/beta/authentication/
"The updated Auth Dialog will display a set of user and friends permissions on the first dialog, and other extended permissions (if any) on a second dialog screen. User and friends permissions are non-revocable, while extended permissions can be revoked by clicking on the "X" next to each permission on the second dialog screen. Your app must be ready to handle each scenario (permissions granted, and revoked) properly."
IOW, if your app requires a specific permission your code must ensure that the user grants it.