Can a page on a website get a facebook access token? - facebook

I'm fairly new to facebook development and I still get confused about the oAuth thing.
A client of mine asked me to show the latest posts, links and statuses of his facebook page to his website.
On the a php page on his website I'm creating a url
"https://graph.facebook.com/".$clientFacebookPage."/posts?limit=1&access_token= xxx
In order to json decode it and display the info I want, but I don't know how to get an access token. I generated an access token with the graph explorer that is tied to my name as a facebook developer but that expires in 2 hours.
There are many thing that confuse me already and I hope you can point me towards a solution
I've read the documentation but everything revolves around users getting logged on your app and you app posting. So my questions are:
Do I need to create an app to do a curl (requiring special permissions) using the http://graph.facebook/xxxx url?
If so, does the adming of the facebook page need to authorize with the app?
What do I need to do next? I can create a web page using the app id and secret. Does that mean that I can retrieve the info of the facebook page? How?
I know that the page needs an auth token to curl the http://graph.facebook/xxxx page and retrieve the data needed. Where can I generate it? Does the webpage need to generate it, or do I have (as the app developer) acquire the token and write it to my php code?
If I log out of the facebook, will the program/webpage stop functioning?
I hope I didn't confuse you.
Thank you.

The basic process for obtaining an access token for a Page is as follows:
1. Get a user access token for a User who is an admin of the Page
2. Using this User token, request graph.facebook.com/me/accounts and look for the correct Page ID in the list returned.
3. Grab the associated Page token from that ID
4. Use it to do Page stuff.
There is a newly launched Facebook docs guide which shows you how to obtain one of these access tokens in a step-by-step fashion:
https://developers.facebook.com/docs/howtos/login/login-as-page/
Hopefully that guide should help you.
I will also answer your questions in order:
Yes, you will need an app in order to generate access tokens to make API queries
Yes
This is in the guide linked above (start at the Getting Started if you need to create a way to get a User Access Token also)
Again, see the guide above
Yes, but you should follow the steps in this guide to generate a long-lived access token. Once you do that, any Page token you retrieve will last forever.

Related

How can I interact with a facebook app page without always generating a token

I'm making an API to post to our companys facebook page but all documentation and request errors require me to get a page access token but this is supposed to run on the server and its a bit inconvenient for our dev team to every 2 months have to generate a new token and restart the app so my question is if its possible to use the app id and secret only or get a permanent token?
I found out a couple time after posting this question here at stackoverflow that facebook has system users that allow you to generate tokens for server side services that dont need a specific user data.
https://developers.facebook.com/docs/marketing-api/system-users
You will need to make your sys user admin to make posts and what not.

Facebook insights via graph.facebook.com authentication flow

I am trying to programatically grab a few insights metrics from facebook for various pages (about 50 clients). Therefore I want to automate this.
I created a facebook app and have my app_id and app_secret. I also created a app_access_token which doesn't expire?
My question is this: How do I get the page access token for each of the pages I want to get insights from? Currently I...
STEP 1) ...went to the Query Explorer and seleted my app and grabbed a user_access token with the manage_pages and read_insights permissions.
STEP 2) I then used that user_access_token to go to https://graph.facebook.com/v2.5/{pagename}?fields=access_token&access_token={user_access_token} to get what I presume is the page_access_token.
STEP 3) I then use this token to do my queries for things like https://graph.facebook.com/v2.5/{pagename}/insights/page_impressions?access_token={page_access_token}.
Now since the app is already OKAYed, shouldn't be there a way to grab that user_access_token in step 1 programatically? They all expire except the app_access_token I described above. Can I use that token somehow in step 1?
I am not using and SDKs just pure https calls.
Actually it is possible. I managed to get an extended page access token by doing this:
https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id=[app-id]&client_secret=[app-secret]&fb_exchange_token=[short-lived-token]
from here. Basically you get a short lived user token and then use that to get a page access token and then use that with your app id/secret to get an extended page token that never expires (perfect for embedding in an automated reporting app).
It is convoluted but it works. And as a bonus if you register the APP on Facebook business manager, that page token will work on all sites you have access to under that business manager account.

Facebook long-lived accesstoken for a page

I'm using a facebook extension in TYPO3 to pull out the facebook posts of a page. Therefor I need the accesstoken.
I googled around and found that I need a facebook app and I need to be administrator of the page.
Then I heard that I need to connet the app with the site, but how can I do this?
I also tried to get accesstoken:
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=client_credentials
And then performing:
https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token& client_id={app-id}&client_secret={app-secret}&fb_exchange_token={short-lived-token}
... with this token but it says No user access token specified
Can someone help me step by step how to get the long lived token?
As you just want to pull, you really don't need a page access token. Until and unless you have a demographic or other restriction over your page. All the pages are Public and data over them can be easily accessed by using the App Access Token which is simply put
Your_App_ID|Your_App_Secret
first u need to get an API key from facebook, so here are the steps--->
http://www.shoutmeloud.com/how-to-acquire-your-facebook-api-key.html
& then u can access facebook API, these are docs provided by the facebook to use that API--->
https://developers.facebook.com/docs/guides/web/
This was my implementation (PHP):
$newposts = json_decode(file_get_contents("https://graph.facebook.com/YOURFBPAGE/feed&access_token=YOURAPPID|YOURAPPSECRET"));
Since I was only using this to make simple pull request of my feed posts this is the best way to do it. You don't have to deal with expiring access tokens. Just create your facebook App and get the ID and secret.

Long-lasting FB access-token for server to pull FB page info

I'm aware that there are many questions about Facebook access-tokens and the grief they cause, but despite much experimentation and reading many frustratingly vague blog articles (FB and otherwise), I'm still struggling to get a clear answer to my needs. Let me succinctly break down my process so far:
I am creating a site that, server-side, needs to pull the posts/statuses from a single Facebook Page
I am an admin of that Facebook Page
I have created a Facebook App
Using the Facebook Graph API Explorer, I've generated a short-lived key, connected to my app and my account, that grants permission to my account to view the access-tokens for my pages
I've converted my short-lived key to a long-lived key (60 days) ala scenario 4 from this
And here's where I am stuck. My 60 day key works fine for my server to pull the info needed from the page, but as far I can tell, there's no way to programmatically extend that 60 day key. I also do not know of a way to generate a new short-lived key without manually going to the Facebook Graph API Explorer and creating one.
Since it is my server making the requests to the Facebook API and not a user-based system (where I could easily request that a user authorize the Facebook app again), this creates a very clunky system. Since Facebook deprecated offline_access, is there really no permanent way to have my server pull info from my own page? Will I really have to create a new key by hand and manually update my server with it every 60 days?
Or is there something I'm missing?
Update:
The step-by-step guide that was previously found here has been migrated down into its own answer.
These are the steps that were previously in the question - they have been migrated to this answer.
Having found that it is possible to generate a Facebook Page Access Token that does not expire (with help from #Igy), here is a clear, step-by-step quide for all those looking to the same:
Make sure you are the admin of the FB page you wish to pull info from
Create a FB App (should be with the same user account that is the page admin)
Head over to the Facebook Graph API Explorer
On the top right, select the FB App you created from the "Application" drop down list
Click "Get Access Token"
Make sure you add the manage_pages permission
Convert this short-lived access token into a long-lived one by making this Graph API call:
https://graph.facebook.com/oauth/access_token?client_id=<your FB App ID >&client_secret=<your FB App secret>&grant_type=fb_exchange_token&fb_exchange_token=<your short-lived access token>
Grab the new long-lived access token returned back
Make a Graph API call to see your accounts using the new long-lived access token: https://graph.facebook.com/me/accounts?access_token=<your long-lived access token>
Grab the access_token for the page you'll be pulling info from
Lint the token to see that it is set to Expires: Never!
That should do it. You should now have a Facebook Page Access Token that doesn't expire, unless:
You change your Facebook account password
You lose admin access for the target page
You delete or de-authorize your Facebook App
Any of these will cause the access token to become invalid.
If you are getting (#100) Tried accessing nonexisting field (accounts) on node type (Page), go to the Access Token Debugger, copy the value of User ID, and use it to replace the "me" part of the URL in step 9.
This is covered in the Offline Access deprecation document
Use the 60-day token for the page admin to retrieve a Page Access Token (via /PAGE_ID?fields=access_token or /me/accounts) - the Page access token will not have an expiry time
An approach that works in 2019
I was recently trying to achieve something similar (to the use case described in this thread), but I wanted to make sure to respect Facebook's current policies, so I did a little research and here I'm sharing what I found.
My use case
So, as I said already, my use case is very similar to the one described here; that is:
I'm doing some work for a school district.
They are using a software tool to manage pretty much everything that relates to school transportation.
That tool allows them to send email notifications (to subscribers) when they publish bus delay alerts and school closure alerts.
A lot of people in the community follow the organization on their Facebook page, and that's the only place they look for those alerts.
So an employee of the organization has to manually publish each notification on the Facebook page (in addition to creating it in the transportation software). Moreover, those notifications eventually expire (or are simply deleted before they expire), so the employee has to go back later on to delete them manually as well.
It's a waist of time, so what we are trying to do here is to develop as simple system that periodically polls the software tool's database for new (and expired) notifications and update them (i.e. add and remove) on the Facebook page.
This is, in my view, a legitimate use case, but I wasn't sure how to implement it in a way that's in line with Facebook's policies.
The accepted answer
I followed the steps of the accepted answer and it worked, except that things appear to have changed: now, even though the generated page token does not expire, access to data does expire after around 60 days. You will see that as well if you follow the procedure and inspect the page token in the FB Token Debugger Tool.
Besides, the fact that the generated page tokens are tied to the user account is also unfortunate, because if the user updates his/her password, then the page token also gets invalidated.
How to do it in 2019
After several hours of research, I stumbled upon the following Facebook documentation article: Business Login for Direct Businesses.
It turns out that it is now possible, following the steps described in the above article, to generate a page token that is not associated to any particular Facebook user account and which will not expire (unless the FB App gets deleted or the underlying application token gets deleted, you know...)
So here are the steps and the most important parts:
You need a Business Manager account.
Verification will be required and a digital contract will have to be signed.
You need to add the target Facebook page to that account.
You need to create a Facebook App, and transfer that app to the same Business Manager account as well.
The app will have to go through Facebook's review process, because the following permissions will be needed: manage_pages and publish_pages.
Important note For the posts made using the generate page token to be visible to users other than the application administrators, that app will need to have been published and approved.
You may still experiment with the concept without submitting for review, but the posts won't be publicly visible.
In the Business Manager account (only after your app and page have been added to the account), you need to create what's called a System User, and give that user admin role (or permissions) to the target Facebook page.
A system user is owned by the Business Manager account, and isn't tied to a specific user. My current understanding is that one major use case for a system user is programmatic access to Facebook's Graph API (just what we need).
Then, for that system user, you need to generate a access token (which will be never-expiring). You will be prompted to select for which app. You will then select your target app.
You will then need to use the generated app token to generate a page token, which will also be never-expiring. The procedure is described in this article as:
GET /<PAGE_ID>?fields=access_token&access_token=<SYSTEM_USER_ACCESS_TOKEN>
That's it.
That token will never expire, and it won't be tied to a particular Facebook user, so it's exactly what we need!
The last part is to make sure that your Facebook app gets approved by Facebook. It's in fact the most important part, because the whole procedure is worthless if people don't see our posts.
I wanted to know for sure that I could rely on the above procedure to build something for my client without Facebook rejecting it in the end, so, beforehand (i.e. before starting to work on my client's project), I went through the whole process of creating a page, an app, a Business Manager account, etc. I verified my business. I submitted my app for review. In my request, I was very specific about my use case and emphasized that the app was for "self-use" (i.e. that the organization is developing an app for itself, not for other Facebook users). I got approved without less than 24 hours.
A few other notes about the app review process:
I had to select a platform for the app, so I selected website.
I had to indicate why the app needed the two permissions and how it was going to use them.
I had to indicate why the reviewer would not be able to sign into my app and try it (i.e. because the app will be used by a worker process).
For the mandatory screencasts, I simply presented manual operations in the terminal using the curl utility (to generate the page token and make posts to the Facebook page). I also showed how I was using Business Manager to link the system user to the page and generate a token, and so on.
Again, I was very specific about my use case, and I think that that helped.
I hope this information will be useful to people with similar use cases.
Many thanks to #redhotvengeance for step-by-step guide.
After some time, now there is clearly described in Facebook documentation:
https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension
Extending Page Access Tokens
Apps can retrieve a page access token from Page admin users when they
authenticate with the manage_pages permission. If the user access
token used to retrieve this page access token is short-lived, the page
access token will also be short-lived.
To get a longer-lived page access token, exchange the User access
token for a long-lived one, as above, and then request the Page access
token. The resulting page access token will not have any expiry time.
You can also copy and past from the app dashboard on facebook.
The steps:
Go to https://developers.facebook.com
Select your app in the top right corner of the page
(pic of what it looks like)
Click on Messenger from the options on the left (it will go to setting automatically) (pic of what it looks like)
Go to the "Token Generation" section in the page. Select what page you want to generate the token for. (pic of what that section looks like)
The copy and past your page token where ever you need it.
Keep in mind that while in theory your token won't expire, that it is directly tied to what ever facebook account your logged into. So say you change your password or you remove the permissions from between your account and your app then your token won't be valid any more.

2 different types of user facebook access tokens?

I have set up a facebook app so people can post stuff from my site directly to facebook using the graph api.
I request offline access and manage_pages so that they don't have to be logged in to facebook, but just to my site.
I also have set up the ability to post to a fan page they are managing directly from the site.
both those things definitely work because i have a fan page and i authorized it on my site and am able to post stuff to it directly from my site.
the problem is that when i send the access token to facebook /accounts?access_token=XXX, nothing is being returned for some users even if they are definitely managing (they sent me a screenshot showing they were the manager of the page)
looking at the access tokens i noticed that mine looks like (this is fake):
200785063253279|561ec27497172e3ddvs32dsc.1-10002342352350235|kB2_OoBtsgscsVW2mKMijfNdvb0
while the users in question have an access token like (again - fake):
AAAC2nOrFTH0BAJjMgS3h22ADhirwsfweRT35235LGcZCGisrefwae5tSF535DGlLKJOIBMnrMnI324sfasdSFOIjo325sIigfWOE1aNbvd8wAZD
I can't help but notice the vast difference between the two. is there a reason? is that why i am not getting any page info when i send the request to facebook?
Any help is appreciated!
The first Access Token is the old access Token format and the second Access token is the new Access token format.
This new format was announced a year ago:
https://developers.facebook.com/blog/post/497/
And rolled out last September:
https://developers.facebook.com/blog/post/2011/09/09/platform-updates--operation-developer-love/
Any new Access tokens you get from the system will be of the new format.