Im building an app that tries to display the last 5 news of certain public page. To access this information I need to get an access token with this:
GET https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&client_secret=YOUR_APP_SECRET
&grant_type=client_credentials
My question is: isn't the app secret to be... well, secret?
If I make a GET query mit jQuery anyone can look into the script file and find out about it. Is this safe?
The token never changes (unless password change / block / ...).
You should retrieve the token once using your browser. From then on you can use the token without using your app secret.
Related
I am trying to make a simple Instagram post bot where I can provide a url of an image and a caption and it will post. I currently have a working python script that, will generate long life token from a fixed exchange token (generated manually at the graph api tool webpage) and will will post an image given a url.
The problem is after a while (Less than a day) the token expires and I have to manually generate another.
I can successfully generate an app access token but I don't believe you can use an app access token for posting content. Is there a way to automatically generate a user token? pref without using something like chromedriver to mimic a browser for the token generation
Any help is appreciated.
First of all, I strongly recommend you to spend a few minutes reading the References on Access Tokens.
From there you can better understand the different types of Access Tokens.
Moving on.. Make sure you are using the correct endpoint to get that Long Lived Access Token (If your token is taking only a day to expire, means you aren't).
Use the Long Lived Access Token path with the token you generated via Graph API Explorer:
curl -i -X GET "https://graph.facebook.com/{graph-api-version}/oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={your-access-token}"
App's Access Token does not give you access to Content Publishing.
For that you need to use your User Token generated on the previous step.
Make sure the User have all the Permissions needed:
ads_management, business_management, instagram_basic, instagram_content_publish, pages_read_engagement.
The Graph API offers something called an appsecret_proof but how is it any less compromisable than the access token? It's the HMAC of the access token and the secret, so it's going to be the same for each API call anyway. Since both the appsecret_proof and the access code are needed for each API call, they could be sniffed together. So how does it make things more secure? What is the rationale?
Let´s say someone hacks your App and gets an Access Token of another User. Without appsecret_proof, he would be able to use the Access Token for something malicious. With appsecret_proof, the Access Token alone is useless for anyone who gets it. You can only use the Access Token with the generated appsecret_proof, so you would need the App Secret too - and the App Secret should only be used on the server anyway. It´s called "Secret" for a reason :)
More information: https://developers.facebook.com/docs/graph-api/securing-requests
Example: Extended Page Tokens are valid forever, so they usually get stored in a database. If some user gets access to one of those, he may be able to publish stuff to the Page wall (if the Token includes publish_actions). appsecret_proof makes sure you can only use the Page Token on your server with the App Secret. So the hacker would have to get the Page Token AND he would need to somehow get your App Secret too.
It is suggested that whether your app uses code or token as your response_type you should perform an automated check on the access_token to confirm that the token belongs to the person the app expects it to belong to and that it was your app that generated the token.
You are supposed to do this on
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
where app-token is app_id|app_secret and token-to-inspect is the user's access_token. Also, I think from reading the documentation you can retrieve an app-token by doing a client-credentials call with the app_id and app_secret.
This is fine with an authorization flow implemented server-side, but what if you're using the implicit method and chose response_type as token (and for whatever reason aren't using FB's javascript SDK)? How do you safely get that app-token without leaking your app_secret? How does FB's SDK do it?
You can generate an app_token in your Facebook developer panel here
and then simply save it into a config file server side. From the developer's page:
App tokens do not expire and should be kept secret as they are related to your app secret.
On my page, I use the following flow:
The user authenticates with the Facebook JS SDK, and then sends his
token + uid to the server.
The server validates that the given token
is related to the given person via a call to the "debug_token"
method, that you spoke of.
If the token + uid combination is valid,
it authenticates the user server side.
I hope this helps.
I need to get access to my user's information when they are offline and I understand that I need to use an extended access token which lasts 60 days. I have been looking at this SO post How to extend access token validity since offline_access deprecation and this says that I need to include the stated method in my base_facebook.php file and make a call to the method.
However, looking through my code there is no explicit request or use of access tokens anywhere so I'm unsure how to request an extended access token. This post Do I need to use access token in Facebook API? explains that using the PHP SDK the access token is automatically appended to the api requests, which would explain why I have never encountered access tokens so far.
So my question is how do I get the user to give an extended access token when they sign in using the PHP SDK method getExtendedAccessToken()?
EDIT: A key point here is that you can't seem to get an extended access token for your own app! I tried this with one of my test users and it worked fine! Another point to note is that the access token tool will only show by default the access tokens for the person who actually developed the app. To see the specifics of the access token for other users you need to go to the debugger part and input the access token there. Hope this helps.
If you haven't seen any references to access tokens, they are most likely being stored in session variables. You could try adding echo "<pre>";print_r($_SESSION);exit(0); to your code to see what is stored in the session. You would add it somewhere after you have already been logged in.
If you are calling getExtendedAccessToken() from the PHP SDK, then the access token returned will automatically be long lived. To retrieve it after they are directed back to your site, you can use the getAccessToken() method. You would then store the returned value, and use it when you want to make calls later with setAccessToken($stored_token) .
Hope that helps.
links.getStats was working fine as simple REST call just few weeks ago, and right now it's failing... The reason is simple, it needs an ACCESS_TOKEN.
Of course, my application, which I use to stream some content to my wall, has an non expiring (offline usage) access token. But if I try to use this token with links.getStats I get this error: "Impersonated access tokens can only be used with the Graph API".
So my question would be: How could I get a valid ACCESS_TOKEN, that I could successfully call links.getStats?
Thanks!
We're tracking this issue internally. Here's the bug id: http://bugs.developers.facebook.net/show_bug.cgi?id=19470
The workaround solution is to use any user access token with the call. You're trying to use an app or page access token, which won't work. Go to https://developers.facebook.com/tools/explorer/ , get an access token for yourself, and tack that onto the call with &access_token=YOUR_ACCESS_TOKEN and it will work.