I'm trying to figure out a core concept in FB that even after reading a lot of FB documentation, couldn't understand.
Let's say I'm building an app (that will reside in a tab), in which I want to see the last post of a user. I want to do this approximately one month after the user approved my app, without him using the app again.
I assume I will need to use a long-lived expiration token that will be saved to my DB.
A month after I will run a procedure that will use this token and check the user posts.
Is this correct?
What about a situation in which the user logged out? The token is no longer valid.. does this mean I will never be able to access user posts unless he will access my app?
Isn't this a bit weird (since he already approved my app)?
Not necessarily.
Firstly, you need the read_stream permission from the user when they authenticate your app. Then, because you are intending to use Facebook as the app, rather than as the user, you need to authenticate as an app, which is a simple process:
In order to get an access token for the app, all you need to do is use the following URL:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
Because these tokens are time-limited, it may be easier to request a token each time you use the Graph API, rather than storing it in a database and waiting for it to expire.
Then, all you need to do is use the following request:
https://graph.facebook.com/USER_ID/feed?access_token=YOUR_ACCESS_TOKEN
The upside to this is that it does not matter whether or not the user is logged into Facebook.
See here for more details:
https://developers.facebook.com/docs/authentication/applications/
Related
So there's an app, let's say it's an app that is capable of delivering relevant news based on the user's choice done the first time he runs the app. Is there a way to post the news to the user's wall without having the user to be online and ideally as the app?
So on his/hers timeline it would look like this (edited image, not a real post from some app, it's just so you get what I mean):
When I use $facebook->api('/me', 'post'), it just creates a post as the user, which is not what I want and does not allow me to post when the user is not logged in.
You can use the server side authentication to get a long lived access token (60 days) which you can then use until the token times out. Then you'll need to have the user reengage with your app to get a new token.
You can get the same thing by using the client side authentication and then extending the token on the server side.
Another options which should work for you is to get an app access token (which does not expire) and ask the user for the publish_stream permission, then:
App access tokens can also be used to publish content to Facebook on
behalf of a user who has granted a publishing permission to your
application.
As mentioned in this other question, if a user grants the publish_stream permission, I can publish to that user's wall using an app access_token. I tested that and it works. But I couldn't publish to the user's pages using the app access_token! Am I missing something?
Right now I use the /me/accounts/ connection to get the access_token of the pages, and use that to publish. But this is a huge headache for me and for users because these tokens expire often (when users change their password, ...et), and every time that happens the publish fails and I need to email the user to come login again so I can retrieve a new access_token for the page. It's a bad user experience and I'm trying to find a way around it. The app token works for publishing to users, which is great, but I couldn't find a way to make it work for pages. Any tips?
Edit:
To clarify further, I currently request the manage_pages and offline_access permissions, and then fetch the access_token of each page and use that to publish to it. That works. The main problem is that tokens expire, even with the offline_access permission. The most common reason a token would expire is if the user changes her password. Here is a common error that I get a lot when publishing to Facebook pages.
Facebook error. type: OAuthException, message: 'Error validating
access token: Session does not match current stored session. This may
be because the user changed the password since the time the session
was created or Facebook has changed the session for security reasons.'
To handle this, I email the user and ask them to visit our app again, and when they do I grab a fresh set of access_token to work with. But that's problematic because users are confused about why the error happened and blame us for it, and some users don't open their emails so the problem doesn't get solved and then they're angry later when they discover that our app had stopped weeks ago without them asking it to stop.
That's why I was hoping that I can publish with the app access_token to avoid these problems. Since it works for user profiles, I hoped it would work for pages as well. But so far no luck, unless I'm missing something obvious.
What you're describing used to work - all last year we were able to successfully post to fan page walls using the app access token. In fact, for some of our users, I see it still working. However, I think the other two answers are correct, this is no longer the way to post to pages (see "Page Login" here)
That said, you should be able to store the access token of the page to spare yourself the step of re-querying the users' linked accounts.
Unfortunately, the page's access token will suffer the same fragility as a user's, per the answer here: Facebook Page Access Tokens - Do these expire? . The page access token will expire when the user who gave you that access token changes their password.
To publish to pages, there is an extra step where you use their token to get a list of their pages. Each page has its own token, use that token to post to the page. Keep in mind that when setting up the original token, you need to specify that you need access to pages.
my app does exactly what you're after.
I request both manage_pages and offline_access permissions from a user.
I store the user's access_token.
I ask the user which page (determined by me/accounts) they want a stream item posted to and when.
Later, when it is time to publish to a page's feed, I grab the user's access_token from the database, the pageid, and the message.
Using that user's access token, I query the me/accounts and grab the latest access token for that account (aka page)
Using that page's access token, I me/feed (or is it me/posts...away from my codebase at the moment) post the stream item.
I'm working on a site that is trying to handle realtime feed updates from its users' Facebook accounts. I have the basic stuff in place: the app is subscribed to "feed", and the user's login asks for read_stream and offline_access (just in case) permissions. My test users have logged into FB and granted those permissions, and, when one of those users adds (or removes) a status update, the callback specified in my site's subscription is pinged. So far, all's well.
Now -- as I understand it -- my callback has to call up to Facebook to get the user's feed, so that the callback can do whatever it's going to do with it. That's where I'm having problems -- finding the right access token to retrieve the feed:
I've tried doing this with the app's access token. This token is able to retrieve friend information (also included in the app's subscription and user permissions), but it won't get me the feed.
I've tried all sorts of ways to get the user's access token from inside the callback, but nothing is working. I'm guessing this is because it's not "logged into Facebook" the way that a user in a browser can be, but whatever. Bottom line is I haven't found a way to get this token.
(BTW, if I cheat -- get an access token for the user from Graph API Explorer and hard-code it into the callback, the callback works properly. This is no real solution, of course, but it at least establishes that the rest of my code is working.)
So how does this work? Can the app access token be made to work somehow? Is there in fact a way for the callback to get an access token for an arbitrary authorized user? There's gotta be a way to do this, or there would be no point for realtime feed notifications. Any clues out there? This is SERIOUSLY kicking my butt... Thanks!
You might want to look into this. Instead of taking permission for offline access, facebook now gives short-lived access tokens (2 hours) when the user logs in. These can be exchanged with long-lived access tokens (2 months). Check out this article on how to go about it.
https://developers.facebook.com/roadmap/offline-access-removal/
I've found a solution, perhaps: When the user logs in, I snag their offline_access-enabled access token and save it in the app with the rest of the user's data. Then when I get notified of an update to that user's feed, I can pull the token from the database and pass it over to FB as the token part of the /feed... call. And, it works. There is no doubt some error handling to be done, but I am currently bouncing back and forth between thinking that (a) this is exactly the right way to handle this and (b) it's a terrible hack that is just asking for trouble. I guess I'll see which of these is the case...
Ask for offline_access (as you do) and store the access token. This is exactly why offline_access and access tokens are there, to make requests to facebook in the name of that user. (a) is the right way to go. (a) is the way I do it.
Good luck
When the user is authenticated via OAuth Facebook returns an access-token, but it is valid for few hours. The validity of this token comes with it as token-expiry.
However, this token can be exchanged with a new extended token which is valid for around 60 days. User the following code to get new-token:
URL url=new URL("https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id="+appId+"&client_secret="+clientSecretId+"&fb_exchange_token="+fb_exchange_token;
InputStream Istream=url.openConnection().getInputStream();
BufferedReader br = new BufferedReader(new InputStreamReader(Istream));
String new_token= br.readLine();
Hope it helps!!
I have been asked to look into whether or not I can retrieve a Facebook access token from Facebook if the user had granted permission in an earlier session. The problem is that our business logic tier is maintained by a different group and is on a different release schedule from the web development group. If I were to gain an offline access token, I might not be able to store it for up to two months. For any users acquired in the meantime, is there a way that I can retrieve the token from facebook without further intervention from the user?
I would think that this might be a security hole, but one of our senior developers thinks that it is likely that facebook offers such a feature.
Thanks,
Rob
In short No.
But with the offline access request being complete.
You can request a new token without any user clicking.
You just get a new offline access token and use that. The same way as if you didn't request offline access, and the access token had expired, it doesn't explicitly say but it does work:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission.
http://developers.facebook.com/docs/authentication/
That way you don't have to store them at all.
Unless you actually want to perform actions when the user is not using your Application.
You'll get the access_token every time the user logs back in, offline_access or not !
You can get it in JS with FB.getAccessToken();
There is no way to retrieve (offline) access token, when the user is not actually logged in.
If you want to store the access token for a long period of time, you will be required to ask for the offline_access permission, otherwise the access token will only last a short period of time. Either way, it is best to store it in a cookie or locally as it will certainly improve your app's latency. But make sure to check its validity as often as possible.
I think the access_token means, you have the permission to do things on behalf of the user. If you must do something without user FB login, you need the offline access_token. But be careful, the offline access_token will be ignored, when the user change his/her FB password, or delete the application.
So I hope there isn't any way to get another access_token without the user permission. I think the easiest way to check the access_token to make a /me?access_token= GET request, and check the answer. If the answer is an error, the access_token not working, you have to renew it.
To get access_token from somebody in the middle of the flow is a little pain. But you can also put variables to the redirect link.
Example:
https://graph.facebook.com/oauth/authorize?client_id=API_KEY&scope=email$redirect_uri=YOUR_REGISTERED_APP_URL%3F$param
$param could be a flow info like: flow=12342323
So when your user come back the $_GET['flow'] will be 12342323.
I am the owner of a facebook like page. I want to grab the news feed using php and output it on my website. I know that I can do this using a valid access token:
https://graph.facebook.com/my_app_id_here/feed?access_token=My_access_token_here
Problem access tokens expire so I know I need to authenticate periodically to get a new access token.
This is where the problem and confusion arises for me. When I read the authentication guide in the facebook dev docs all it talks about is first authenticating the user to get a authorization code from the user and then authenticating the app using the app secret, app id and auth code fromthe user. But this doesn't apply to my situation - I never have a authorization code form the user - all I'm trying to do is access the feed from a php script running on my server....a user is never involved.
Any ideas anyone?
User has to approve your application only once, and later use they can just access your app and use it without approving
Since you are the owner of the like page, I guess you are also the administrator. What you can do in this case is create an offline access token for this (and only for that) user.
You can then use this access token for your script. No user needs to authenticate anything if you only want to grab the feed of your page with the access token of your administrator.
This token never expires except for changing the user's password or taking away permissions again. Look at this answer to see how to create such an offline access token!
It seems offline_access is no longer available. Now you only get a short-lived access_token and you can ask for a long lived one, which is also renewable. You can't get a permanent one though.