I created a test app on Facebook.
I chose to request access to user events for API calls.
I then connected my user properly through api, I can get user details by oauth key for this particular user, but I can't access user events.
From the tools that FB provides, I seem to be able to access the user events, but the oauth key used in the call is different from the one FB gave me back for this user.
What did I miss?
Realized that specifying scopes only within the app setting panel wasn't enough.
For each new oauth call for users, need to specify the list of scopes you want to authorize the key for.
All working good now.
Related
I have created a Yammer app wherein the user is able to make posts and obtain messages using an open graph feed. The user is asked to authorize the Yammer app the first time he/she logs in, in order to obtain an access token. My question is, is it possible that the user does not have to login every time he/she uses the app, in order to obtain this token?
Currently, the container where the feed is supposed to show, shows a "Login to Yammer" button. Only after the login, is the feed visible.
Is there a way to automatically login the user in the background without using impersonation? (If an encrypted version of the username and password is stored in the system.)
Thank you!
You can't log in the user without either the user interacting to authorize the app, or the authorization being performed through impersonation. You can use the setAuthToken() method from the JavaScript SDK for Yammer to inject an existing token, even if you are doing the full impersonation laid out in the linked article.
I am using FB js SDK to allow logging in on my platform. A user permits the needed access and I save his ID in my DB. The data is sent to my server via AJAX. Since the login is with FB, I can identify the user only by his ID.
Now, lets say I know someones FB ID and I know he has an account on my platform. In runtime, I can place his ID in the auth request and obtain a legit session of that user. How could that be avoided?
First of all, those are App Scoped IDs, it is very unlikely that someone would know the ID of a user who authorized your App, because it´s not the "real" ID.
That being said, you can (and should) send the User Token to the server and confirm the ID by calling the /me endpoint with that Token. You should also use appsecret_proof for API calls, more information can be found in the docs: https://developers.facebook.com/docs/graph-api/securing-requests
I have a scenario, where an authorised user through my application is posting status/uploading pictures via my application by granting required permissions. My application uses graph APIs.
Now, as app administrator if I want to see the content of the post, that the user has uploaded via my application. How do i do it?
I know in graph APIs, I have INSIGHTS api. But, it just gives us the statistics of the posts done via my app or user.
Can i really see the posts?
Assuming as an app admin I only have app access token and app ID. I dont store user access tokens with me.
Actually, I worked on the problem with every possible way. Found out that, even being an APP administrator I will need user access token (stored with me), without which these data shall not be retrieved via APIs.
My need was not to use user access token; But, no Its not possible via APIs as of now.
This is a common scenario, but one that I don't see a lot of people posting about. Let's say I have a website, example.com, that loads a list of events from a Facebook Page. It would be a bad user experience to ask the user to "allow access" to the website just so they can see a list of events.
So, what I do is generate an access token with offline access permissions via the Graph API Explorer (https://developers.facebook.com/tools/explorer). This gives me an infinite (as long as the user doesn't change their password, etc.) access token. Perfect.
Soon, though, Facebook is deprecating offline_access. Is there going to be any way to continue to show this events feed on my website without requiring a user to allow access (which would refresh the access token)?
No, there will be no more infinite access tokens. You should store the list of events in your database so you don't have to query facebook so often. This way the user doesn't have to allow access to see a list of events that you get from your data store.
In the Facebook javascript api there is a login function in which you specify extended permissions:
http://developers.facebook.com/docs/reference/javascript/FB.login
One of these permissions is offline access. So I can save the facebook user's session key and assume it will not expire for a long time. The question I have is simple - how do I use the session key? I understand that the session key will last longer, but I don't understand how to use it in the Facebook API. For one of my products, a user must restart his/her browser and I would like to recognize them when they restart. The problem is that they are logged out of facebook, so they must login on my site again where I would rather just use offline access. Sample code would be great!
Thanks
Offline access allows you to use the user's access token on the Facebook Graph API indefinitely (unless they revoke your application's access).
It is not intended for logging the user back in. It's intended for you to be able to access their profile (and potentially do stuff to it, if you have permission) at all times, not just when they have a live session on your site.