I am using Spring Social to try to get a list of Facebook friends and their locations. From what I can see, Spring Social puts the access token into the HTTP request header as:
Authorization: OAuth AAAFDa6Gl4usBAJH4...
instead of appending it to the URL as an access_token parameter. As a result the request only returns the basic info, which does not include the location data. I can tell that the access token in the header is valid, because if I include it in a GET request manually the full dataset, including location, gets returned.
Has someone see this issue before and could let me know what the problem is?
You are correct that Spring Social puts the access token in the Authorization header like that (per draft 10 of the OAuth 2 specification). Now, this should probably be using the "Bearer" token format from more recent drafts, but I've been using Spring Social Facebook quite some bit over the past few days to do exactly as you are trying to do--fetch the user's friends--and it's been working fine.
Facebook's documentation seems to promote the access_token query parameter more heavily than the Authorization header, but their API supports either (always has). So, assuming that the token given is granted permission to view a user's friends, it should work.
In fact, I just double-confirmed this: First, I used the Spring Social Showcase (https://github.com/SpringSource/spring-social-samples/tree/master/spring-social-showcase), connected to Facebook, then clicked on the "Friends" list in the left-hand menu. It worked. I also obtained a valid access token, pointed my browser at https://graph.facebook.com/me/friends and used the Modify Headers plugin for my browser to set the Authorization header to "OAuth {my token}" and it also worked.
Have you, by any chance, tried this with the Spring Social Showcase (which is using Spring Social Facebook under the covers)? Wondering if you face the same problem there or not.
But thanks for asking about this, because it reminded me that I need to go ahead and update the header to use "Bearer" instead of "OAuth" (which I also confirmed as working).
Related
I have a CMS application which needs a little component that allows an editor to select a facebook page post to display.
I've been going around facebook API and I don't fully understand what is the proper way of doing it.
This would be a server call, I would prefer not to have an access token because I am not making the request on behalf of any user.
I've tried using access_token=app_id|app_secret, but apparently that request requires an user session. So I went to the graph explorer and copied my access token. That worked fine initially but then I learned that they expire. I could get a long live token, but apparently those also expire eventually.
So, what is the best way of doing this? I think that using someones facebook access token for this is risky. The token could be revoked at any point breaking the feature in production. Can I achieve this without an user access_token? if I cant, how is this token normally managed?
Update:
Well actually the app_id|app_secret works, just not in every case. I created several pages for testing purposes and it doesnt work in any of them. Then I tried accessing a post from some brand pages (unrelated to my project) and they work ok. So my problem is configuring the page.
When I tried to access the post using app_id|app_secret I get:
(#100) Requires user session
Posts are public in all cases
I already tried to assign a vanity url to the page, no change
I think it's not possible to use just an App Access Token to get the Page Posts. Unfortunately the docs are not very clear on this IMHO:
https://developers.facebook.com/docs/graph-api/reference/v2.2/page/feed/#readperms
An access token is required to view publicly shared posts.
A user access token is required to retrieve posts visible to that person.
A page access token is required to retrieve any other posts.
when I do a get request to
https://graph.facebook.com/[userid]
with the access_token i get all the basic info
but when I do
https://graph.facebook.com/me
with the same token i get an error message: An active access token must be used to query information about the current user
I have tried to under stand what can cause that.
I even tried to token that comes with the signed request
I'm on classic asp, with JSON library, I want the auto to be server side if possible. the FB.api("/me" is working but it is not what i really want to achive
I am pretty sure you donĀ“t have a user access token. Did you login the user? Of course you get the public data of every user with your first link, even without any access token. You can even put it directly in the browser and will get results. But for "/me" you have to authorize the user to your app.
See here: https://developers.facebook.com/docs/howtos/login/server-side-login/
It is the same problem as in the other thread for sure, just a different Programming language.
Remember: If the user did not accept at least the basic permissions in a dialog or redirect, he is not logged in and you will never know anything about him in the app (except for some specifics in tab apps, like language, like-status and stuff).
We're using the Facebook JS SDK to authenticate users to our application, then sending that information to the server back end to log our user into the application (we support multiple forms of authentication but we can only support FB using a client side flow).
FB is able to log in correctly, I'm able to authenticate the user and everything else, but there's one wrinkle that I'm not sure how to handle, and I'm having difficulty finding anything in the documentation about it. Facebook sends back an accessToken in addition to an id. My question is, how do I verify on the server side that the accessToken is correct for the given id? I want to make sure that the data the user sends us matches what Facebook sent them, and I can't imagine this is that out of the ordinary, yet I can't seem to find any documentation on it.
In the response from Facebook should be a signed_request string that can authenticate that the data is genuine with and decoded to yield the user id and an oauth token for the user.
Passing this along with the other response to your server-side code should allow you to validate everything pretty easily.
May I suggest this answer from another question! It uses try-catch. It is probably the only way to verify that the authentication and the permissions are valid! That's how they do in their examples
Facebook OAuthException: (#1)
I dont think facebook provides any other way of checking
We recently launched a new app, and one of the features was to provide a discount if a user had liked a particular page. I had successfully tested the functionality on numerous accounts, and we went ahead with the launch. We used the graph API to retrieve a list of all pages they'd liked, and checked if the desired page was in there:
https://graph.facebook.com/me/likes?access_token=ACCESS_TOKEN
We've had some users contacting us and alerting us that they weren't seeing the discount even after they'd liked the page. We were able to request the details for one of those accounts, and observed the following.
When the app is authorised, Facebook sends them to our website with the access token in the HTTP request (which we pull for graph API calls).
https://example.com/?ref=ts
POST /?ref=ts HTTP/1.1
...
Set-Cookie: fbs_uid=%22uid3D%26access_token%3[ACCESS_TOKEN_REMOVED]%26expires%3D1318381200%26sig%3Dd0b6fdf09befedf022cdea8b58887348%22; expires=Wed, 12-Oct-2011 01:00:00 GMT; path=/
So you can see the access token in there. What's strange is that when we try to make the API call with the access token provided by Facebook, it returns an empty result (even though they've liked pages) again - this is only for certain accounts. What's even more confusing is that when we go to the Facebook Developers page while logged in as the same session (https://developers.facebook.com/docs/reference/api/) and click the /me/likes link, we get a complete list of the user's likes, but with a different access token.
So it appears that the access taken provided for Facebook is insufficient in pulling the data. This only affects certain accounts and not others, so I'm wondering if there's some form of configuration issue, but from where I stand I don't see any way of resolving it, since the data provided by facebook appears incorrect.
With the access token provided by Facebook, we don't get any errors (i.e. we don't get an "Error validating access token"), so the access token does validate.
Lint your access token that is not working and see what Facebook has to say about it. It might give you clues as to what is incorrect.
https://developers.facebook.com/tools/lint
I feel like every second question i ask here is relating to Facebook Connect - that says a lot about their API. Anyway, that's politics, i digress..
I'm trying to pull back user details from the Graph API for use in my application (which is an FBML external website - JavaScript SDK for authentication).
I have requested the following permissions from the user: (using the regular dialog)
publish_stream
email
This works, and allows me to post to the user's wall, and grab their email from the Graph API.
But when i do a HTTP GET Request to the following URL:
https://graph.facebook.com/uid?access_token=oat (where uid = the user id of the user i'm attempting to grab details for, and oat = the OAuth token i have).
All that comes back in the JSON is the User ID (which i already have, since im putting it in the URL), and the email.
Why can i not get things like first name, last name, locale, etc?
Am i using the wrong URL? Is my OAuth token wrong?
I'm getting the OAuth token from here:
https://graph.facebook.com/oauth/access_token?type=client_cred&client_id=myappid&client_secret=myappsecret
UPDATE:
It looks like the issue is my OAuth token.
Because when i go to the docs: http://developers.facebook.com/docs/api
And use the sample OAuth Token for the user im trying to retrieve, it gets all the details.
Anyone know what is wrong with my OAuth token call?
So, i was using the wrong URL for the OAuth Exchange. It needed to be this:
https://graph.facebook.com/oauth/exchange_sessions?type=client_cred&client_id=myappid&client_secrete=myappsecret&sessions=userseshid
The URL that i WAS using was as per the doco, the above one that works is nowhere to be found.
I'm at the point with FBC that i no longer care about the how, if it works, be thankful that it does even that and move on.
EDIT:
Also, i was wondering why the Graph API calls would "stop" working for no reason.
The answer is i needed to compare the Session Key used to obtain the OAuth token, with the Session Key currently in the cookies. If they are different, i needed to get a new OAuth token.
The session key used for any OAuth token is part of the actual OAuth token:
aaa|bbbb|cccc
Where bbbb is the session key. So i just compare that before doing any Graph API calls.