I am building a Facebook application whose purpose is to gather statistics about Facebook users by querying their profile pages every so often. There is a sign up process where a user consents to the application and is redirected to Facebook to authorize the app. After the app has received the user's permission, it stores the access token with the user's Facebook ID number.
Every so often I want to be able to run a script that loops through all the access tokens in my database and queries the corresponding user's profile page. I am using Facebook's PHP SDK for development and therefore receive long-lived access tokens.
However, I am running into the issue of the 60 day expiration of the access token. I don't know how I can renew these access tokens, since the user does not initiate API calls; my own script does and therefore it has no information about the user being logged in or not when trying to run an API call. Is there any way to renew these access tokens behind the scenes without any information about the user whom I'm trying to query?
Related
I need to setup communication between my iOS/Android app and my PHP backend. I want to use facebook account only for logging in, there is no further communication with facebook. I have User accounts in my system and facebook_id is only a parameter to identify user.
Is it ok to verify the user by checking the token on the graph api from my backend just at the beginning and then only use my own tokens for communication or do I need to recheck if the user is still logged in on facebook from time to time (which is actually irrelewant for me as there are no fb interactions).
What else is there to consider?
Do I need a separate token for my server? Or do I use my App Secret
You should be able to use your application token.
The only scenario it might not work in is if the user deletes your app and decides to login again. From what I've read the app scoped IDs may change in this scenario.
I'm trying to create a server side access to a user's Facebook resources (photos/albums/etc).
I want that the user will authenticate once using its native mobile application, and that the server will be able to access user's data without the user interaction.
I'm trying to understand the steps I need to take in order to make it work.
I've read Facebook's: Login for Server-side Apps but I can't understand how to use the scenario proposed in there - because my server has nothing to do with user interaction (I cannot redirect the user to some login dialog) - the server is performing its own operation in the background whether the user is using its mobile application or not. What should I do upon token expiration for example?
More then that, I want that the user will be able to perform direct Facebook operation on the mobile itself, without the server intervention.
As I see it, this is the flow I would expect:
User's launches a native mobile application.
The user authenticates using Facebook's SDK on the native mobile app.
The user received a special token, that can be converted at server side to an access-token.
The token will be sent to the server and stored there.
If the server needs to access user's Facebook data, it uses this special token and converts it to an access token.
When the token expires - the server can extend it, using the special token, without any user interaction.
What data should be sent to the server from the mobile application after authentication. And how should the server use this data to access user's Facebook resources anytime?
I'm using the C# Facebook SDK for the server. But I think it is not that important, I need to understand the mechanics.
Tokens expire if the user does not continue to use the application. This is by design--an application should not continue to access the user's account if the user stops using the application.
When a user logs into your application, a token is given to your application, along with an expiration date for that token. You can use that token from your client or your server until it expires. However, there is nothing your server can do to extend the token if the user does not continue to use your application.
If the user continues to use your application, you will have an opportunity to update your server token. For example, in the Android and iOS SDKs, tokens are automatically refreshed if the user uses your application to make a facebook request. At that time, you can transmit the refreshed token to your server.
So there's an app, let's say it's an app that is capable of delivering relevant news based on the user's choice done the first time he runs the app. Is there a way to post the news to the user's wall without having the user to be online and ideally as the app?
So on his/hers timeline it would look like this (edited image, not a real post from some app, it's just so you get what I mean):
When I use $facebook->api('/me', 'post'), it just creates a post as the user, which is not what I want and does not allow me to post when the user is not logged in.
You can use the server side authentication to get a long lived access token (60 days) which you can then use until the token times out. Then you'll need to have the user reengage with your app to get a new token.
You can get the same thing by using the client side authentication and then extending the token on the server side.
Another options which should work for you is to get an app access token (which does not expire) and ask the user for the publish_stream permission, then:
App access tokens can also be used to publish content to Facebook on
behalf of a user who has granted a publishing permission to your
application.
What is access token in Facebook API?
why I need it ?
What is its purpose ?
Do I need to store it persistently in my website ?
For almost every request you make to facebook API you need to pass access token along to get the results. This token may expire depending on what kind it is, you might need to persist it in case your application need to access facebook API when user is offline.
PS: Access token comes from user's request to your application.
Facebook implementation of the OAuth 2.0 involves three different steps: user authentication, app authorization and app authentication. User authentication ensures that the user is who they say they are. App authorization ensures that the user knows exactly what data and capabilities they are providing to your app. App authentication ensures that the user is giving their information to your app and not someone else. Once these steps are complete, your app is issued an user access token that you enables you to access the user's information and take actions on their behalf.
access token will be expired unless the user has granted to your app the "offline_access" permission. In other word, unless you have such a perm granted, you don't need to store it persistently in your website.
I am using the facebook graph api to integrate some facebook functionality for users into a project i am working on. Its very early stages and I am just getting to grips with the Facebook API but it appears that every time a user logs on to my site they will also have to log into Facebook. On the first time they also have to authenticate my application.
I am a little surprised that they have to actually log into Facebook each time they want to use any Facebook features from inside my app.
Isn't there a way to authenticate once, then I can store a token and this would allow me to access Facebook on their behalf in the future (until they de-authorize) without them having to log into Facebook each and every time?
This just seems very cumbersome.
Request the user for offline_access permissions using the scope argument in the authorization request
http://developers.facebook.com/docs/authentication/#requesting-extended-permissions
You can use the session key returned, save it and use it until it expires (this usually is very long) or until the user revokes access to your application
Here is the full list of extended permissions your application can ask for http://developers.facebook.com/docs/authentication/permissions