Several people have asked how to post photos using an app token and the general response seems to be that they should use a user token instead.
However, according to https://developers.facebook.com/docs/concepts/login/access-tokens-and-types/ :
"[y]ou can use app tokens to publish or delete content on behalf of a user who gave your app permissions".
and according to https://developers.facebook.com/docs/reference/api/photo/ :
"To publish a 'photo' object you need
-a valid access token
-publish_stream permission
"
The way I interpret those two statements is that I should be able to POST a photo to .../USER_ID/photos using a valid APP token.
However, when I try to do that I get the message "A user access token is required to request this resource". At the same time I can easily publish to .../USER_ID/feed using nothing but the APP token. It is also possible to submit stories containing "User Generated Photos" with only an APP token.
So an App can do those things with an APP token, but needs a USER-specific token for .../USER_ID/photos? I wonder if this behavior is by design? So far I have not found anything in the documentation to indicate that is the case.
I too was stuck at the same point as mentioned. And the documentation barely helped.
The workaround I used was to take the 'offline_access' permission while logging in and storing that temporary user access token given to the user.
While publishing the photo I used that offline user access token since the app access token didn't work. It worked like it should've although offline_access has been discouraged to be used...it seemed to be the only way for now.
Related
I am the administrator of a Facebook Page. I am building a web app which, under certain circumstances, will post on Facebook as that Page.
With most APIs, I would just get an API key, and supply that when connecting to the API from my app. But Facebook expects an access token instead of an API key. (Specifically, in this case, it needs a "page access token".)
I am trying to figure out how to get a page access token that will be as permanent as possible.
After jumping through a bunch of esoteric, undocumented hoops (see here and here) in order to get a token that wouldn't expire, I had this working. When I ran the token through Facebook's Access Token Debugger, the "Expires" field read "Never". All was good in the world.
But, the next day, my token became invalid anyway. The Access Token Debugger, and my app's calls to Facebook's PHP SDK, both started returning this error:
Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.
It seems that a token can become invalid for a variety of reasons (but this article is five years old, so who knows – Facebook changes things every two weeks). I had not changed my password. (I might have logged out of Facebook, though.) Facebook offers no specifics about why this particular token might have become invalid.
I've also seen a few references to a permission called offline_access, but Facebook seems to have removed this.
I suppose my question is twofold:
In general, I've found Facebook token authentication to be incredibly brittle when calling the Facebook API from the server. The token system seems to be designed mainly to allow other users to grant (or revoke) various kinds of account access to my apps. But that's not what I'm doing – I'm trying to get a token that will let me post to a page that I own. And for that scenario, Facebook's aggressive invalidation of tokens becomes a serious liability. I can't launch my app if my access token (and therefore my Facebook integration) could randomly stop working at any moment, requiring me to generate a new token and update the app. This seems absurd. Is there an alternative method of authenticating to Facebook for my purposes?
If a page access token is, in fact, the best way to authenticate my app to Facebook in order to post as my Page: how can I ensure that my token doesn't spontaneously become invalid?
I hate developing for Facebook :/ Thanks for any insight you can offer.
Extended Page Tokens are valid forever. They only get invalidated if you change your password or if you change the App Secret of your App. There´s really no magic in it, checking if the Token is still valid is obviously not a bad idea but that´s up to you. For example, you can send yourself an automated Email when there is an error using the Token, so you can refresh it. But it will really just happen if you change your password.
Links:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
I'm trying to figure out a core concept in FB that even after reading a lot of FB documentation, couldn't understand.
Let's say I'm building an app (that will reside in a tab), in which I want to see the last post of a user. I want to do this approximately one month after the user approved my app, without him using the app again.
I assume I will need to use a long-lived expiration token that will be saved to my DB.
A month after I will run a procedure that will use this token and check the user posts.
Is this correct?
What about a situation in which the user logged out? The token is no longer valid.. does this mean I will never be able to access user posts unless he will access my app?
Isn't this a bit weird (since he already approved my app)?
Not necessarily.
Firstly, you need the read_stream permission from the user when they authenticate your app. Then, because you are intending to use Facebook as the app, rather than as the user, you need to authenticate as an app, which is a simple process:
In order to get an access token for the app, all you need to do is use the following URL:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
Because these tokens are time-limited, it may be easier to request a token each time you use the Graph API, rather than storing it in a database and waiting for it to expire.
Then, all you need to do is use the following request:
https://graph.facebook.com/USER_ID/feed?access_token=YOUR_ACCESS_TOKEN
The upside to this is that it does not matter whether or not the user is logged into Facebook.
See here for more details:
https://developers.facebook.com/docs/authentication/applications/
As mentioned in this other question, if a user grants the publish_stream permission, I can publish to that user's wall using an app access_token. I tested that and it works. But I couldn't publish to the user's pages using the app access_token! Am I missing something?
Right now I use the /me/accounts/ connection to get the access_token of the pages, and use that to publish. But this is a huge headache for me and for users because these tokens expire often (when users change their password, ...et), and every time that happens the publish fails and I need to email the user to come login again so I can retrieve a new access_token for the page. It's a bad user experience and I'm trying to find a way around it. The app token works for publishing to users, which is great, but I couldn't find a way to make it work for pages. Any tips?
Edit:
To clarify further, I currently request the manage_pages and offline_access permissions, and then fetch the access_token of each page and use that to publish to it. That works. The main problem is that tokens expire, even with the offline_access permission. The most common reason a token would expire is if the user changes her password. Here is a common error that I get a lot when publishing to Facebook pages.
Facebook error. type: OAuthException, message: 'Error validating
access token: Session does not match current stored session. This may
be because the user changed the password since the time the session
was created or Facebook has changed the session for security reasons.'
To handle this, I email the user and ask them to visit our app again, and when they do I grab a fresh set of access_token to work with. But that's problematic because users are confused about why the error happened and blame us for it, and some users don't open their emails so the problem doesn't get solved and then they're angry later when they discover that our app had stopped weeks ago without them asking it to stop.
That's why I was hoping that I can publish with the app access_token to avoid these problems. Since it works for user profiles, I hoped it would work for pages as well. But so far no luck, unless I'm missing something obvious.
What you're describing used to work - all last year we were able to successfully post to fan page walls using the app access token. In fact, for some of our users, I see it still working. However, I think the other two answers are correct, this is no longer the way to post to pages (see "Page Login" here)
That said, you should be able to store the access token of the page to spare yourself the step of re-querying the users' linked accounts.
Unfortunately, the page's access token will suffer the same fragility as a user's, per the answer here: Facebook Page Access Tokens - Do these expire? . The page access token will expire when the user who gave you that access token changes their password.
To publish to pages, there is an extra step where you use their token to get a list of their pages. Each page has its own token, use that token to post to the page. Keep in mind that when setting up the original token, you need to specify that you need access to pages.
my app does exactly what you're after.
I request both manage_pages and offline_access permissions from a user.
I store the user's access_token.
I ask the user which page (determined by me/accounts) they want a stream item posted to and when.
Later, when it is time to publish to a page's feed, I grab the user's access_token from the database, the pageid, and the message.
Using that user's access token, I query the me/accounts and grab the latest access token for that account (aka page)
Using that page's access token, I me/feed (or is it me/posts...away from my codebase at the moment) post the stream item.
I am the owner of a facebook like page. I want to grab the news feed using php and output it on my website. I know that I can do this using a valid access token:
https://graph.facebook.com/my_app_id_here/feed?access_token=My_access_token_here
Problem access tokens expire so I know I need to authenticate periodically to get a new access token.
This is where the problem and confusion arises for me. When I read the authentication guide in the facebook dev docs all it talks about is first authenticating the user to get a authorization code from the user and then authenticating the app using the app secret, app id and auth code fromthe user. But this doesn't apply to my situation - I never have a authorization code form the user - all I'm trying to do is access the feed from a php script running on my server....a user is never involved.
Any ideas anyone?
User has to approve your application only once, and later use they can just access your app and use it without approving
Since you are the owner of the like page, I guess you are also the administrator. What you can do in this case is create an offline access token for this (and only for that) user.
You can then use this access token for your script. No user needs to authenticate anything if you only want to grab the feed of your page with the access token of your administrator.
This token never expires except for changing the user's password or taking away permissions again. Look at this answer to see how to create such an offline access token!
It seems offline_access is no longer available. Now you only get a short-lived access_token and you can ask for a long lived one, which is also renewable. You can't get a permanent one though.
I'm working to enable my app to hit the FB Graph API to look up data on a user. I want to do this in a way that is app focused meaning it isn't based on a user signed into my app. It's a relationship between the app & the FB Graph API.
My understanding is I can do that with the APPLICATION ACCESS TOKEN is that right?
If I use my app access token here:
https://graph.facebook.com/search?q=born#gmail.com&type=user&access_token=208131059208382|xFN8da1tIDxuuMp8hoRtGs3l0aM
I get an error:
{
"error": {
"type": "OAuthException",
"message": "An access token is required to request this resource."
}
}
Why is that?
Can I use my personal FB account to hit the API for the purposes of the app?
When a user oAuth's in to an app, how long does the access token last? Is it something I can hard code in my app so I can hit the FB graph api?
Thanks
For a lot of things on Facebook, you have to have a valid session access token from the user. What this means is, the access token you get from a user must be used to access a resource. This is especially true when pulling data about the user out of the graph. The access token that FB gives you when the user loads your application typically lasts for an hour (if I recall correctly). The session object FB gives you tells you the expire time on the token, though.
If you need to access the data for a user in an offline manner, you could ask the user for the offline_access extended permission. Doing this makes Facebook give you an indefinite access token, which doesn't ever expire (unless the user changes their password). That allows you to query the graph on the user's behalf whenever you feel like doing it.
The search feature doesn't require an access token if you're performing a standard search, or a page search, etc. But it does require a valid access token when you're searching for users. I assume this is to keep people from hammering the search and crawling public user data with a bot.
You can follow the instruction in
http://developers.facebook.com/docs/authentication/
take a look at https://github.com/michaelbaldry/fb_graph_canvas - It's a barebones canvas application that you can test locally. It uses fb_graph and is about as simple as can.