I need to get access to my user's information when they are offline and I understand that I need to use an extended access token which lasts 60 days. I have been looking at this SO post How to extend access token validity since offline_access deprecation and this says that I need to include the stated method in my base_facebook.php file and make a call to the method.
However, looking through my code there is no explicit request or use of access tokens anywhere so I'm unsure how to request an extended access token. This post Do I need to use access token in Facebook API? explains that using the PHP SDK the access token is automatically appended to the api requests, which would explain why I have never encountered access tokens so far.
So my question is how do I get the user to give an extended access token when they sign in using the PHP SDK method getExtendedAccessToken()?
EDIT: A key point here is that you can't seem to get an extended access token for your own app! I tried this with one of my test users and it worked fine! Another point to note is that the access token tool will only show by default the access tokens for the person who actually developed the app. To see the specifics of the access token for other users you need to go to the debugger part and input the access token there. Hope this helps.
If you haven't seen any references to access tokens, they are most likely being stored in session variables. You could try adding echo "<pre>";print_r($_SESSION);exit(0); to your code to see what is stored in the session. You would add it somewhere after you have already been logged in.
If you are calling getExtendedAccessToken() from the PHP SDK, then the access token returned will automatically be long lived. To retrieve it after they are directed back to your site, you can use the getAccessToken() method. You would then store the returned value, and use it when you want to make calls later with setAccessToken($stored_token) .
Hope that helps.
Related
I am trying to make a simple Instagram post bot where I can provide a url of an image and a caption and it will post. I currently have a working python script that, will generate long life token from a fixed exchange token (generated manually at the graph api tool webpage) and will will post an image given a url.
The problem is after a while (Less than a day) the token expires and I have to manually generate another.
I can successfully generate an app access token but I don't believe you can use an app access token for posting content. Is there a way to automatically generate a user token? pref without using something like chromedriver to mimic a browser for the token generation
Any help is appreciated.
First of all, I strongly recommend you to spend a few minutes reading the References on Access Tokens.
From there you can better understand the different types of Access Tokens.
Moving on.. Make sure you are using the correct endpoint to get that Long Lived Access Token (If your token is taking only a day to expire, means you aren't).
Use the Long Lived Access Token path with the token you generated via Graph API Explorer:
curl -i -X GET "https://graph.facebook.com/{graph-api-version}/oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={your-access-token}"
App's Access Token does not give you access to Content Publishing.
For that you need to use your User Token generated on the previous step.
Make sure the User have all the Permissions needed:
ads_management, business_management, instagram_basic, instagram_content_publish, pages_read_engagement.
The Graph API offers something called an appsecret_proof but how is it any less compromisable than the access token? It's the HMAC of the access token and the secret, so it's going to be the same for each API call anyway. Since both the appsecret_proof and the access code are needed for each API call, they could be sniffed together. So how does it make things more secure? What is the rationale?
Let´s say someone hacks your App and gets an Access Token of another User. Without appsecret_proof, he would be able to use the Access Token for something malicious. With appsecret_proof, the Access Token alone is useless for anyone who gets it. You can only use the Access Token with the generated appsecret_proof, so you would need the App Secret too - and the App Secret should only be used on the server anyway. It´s called "Secret" for a reason :)
More information: https://developers.facebook.com/docs/graph-api/securing-requests
Example: Extended Page Tokens are valid forever, so they usually get stored in a database. If some user gets access to one of those, he may be able to publish stuff to the Page wall (if the Token includes publish_actions). appsecret_proof makes sure you can only use the Page Token on your server with the App Secret. So the hacker would have to get the Page Token AND he would need to somehow get your App Secret too.
Interesting problem I'm having right now.
Signing in an App gives a access token looking something like this:
AAACwFsGcSr4BAOGUTwfuZAWuUcwZC0rJ7noZCKMqhBI7ivDCsIGqduGIZCus5PRaS6KuREqxLmhfvZAZAkz5WCpFfANtUpYHgZD
This access token can't access users PUBLIC information, while one issued by Facebook on developers.facebook.com - CAN.
You can easily test this by logging to your facebook and going to this link: http://developers.facebook.com/docs/reference/api/
You'll see that Facebook automatically generates access token on DEMO urls like this one:
https://graph.facebook.com/me/music
?access_token=2227470867|2.AQCvlA_ZaJ2MfRR0.3600.1318266000.0-100001572415177|2FeweU6ZvOQS9OCF5ZBV58_PtPg
If you would change /ME/ to any user which has his MUSIC posted as public, you WILL be able to access that data with Graph API.
Now try to get an access token to your APP and call the same Graph API method with generated access token, the returned data is empty JSON object.
Whats’ the difference between these access tokens? How to obtain access token, that I could get public information using Graph API?
I was thinking that logging in your APP is the highest possible access token and the only higher token is token with specified permissions...
Any guidelines would be great :)
http://developers.facebook.com/docs/reference/api/permissions/
I believe the difference is that you can specify additional permissions in a scope parameter,
so if you wanted to read a user's feed you would have to specify read_stream. I was trying to accomplish this with an access token from a server-side authentication flow in ruby, but the access token only allowed to me to navigate accross a certain portion of graph.facebook.com/user_id/feed? requests. If you get any insights or comes across a solution shoot it my way too, if you can.
links.getStats was working fine as simple REST call just few weeks ago, and right now it's failing... The reason is simple, it needs an ACCESS_TOKEN.
Of course, my application, which I use to stream some content to my wall, has an non expiring (offline usage) access token. But if I try to use this token with links.getStats I get this error: "Impersonated access tokens can only be used with the Graph API".
So my question would be: How could I get a valid ACCESS_TOKEN, that I could successfully call links.getStats?
Thanks!
We're tracking this issue internally. Here's the bug id: http://bugs.developers.facebook.net/show_bug.cgi?id=19470
The workaround solution is to use any user access token with the call. You're trying to use an app or page access token, which won't work. Go to https://developers.facebook.com/tools/explorer/ , get an access token for yourself, and tack that onto the call with &access_token=YOUR_ACCESS_TOKEN and it will work.
I am the owner of a facebook like page. I want to grab the news feed using php and output it on my website. I know that I can do this using a valid access token:
https://graph.facebook.com/my_app_id_here/feed?access_token=My_access_token_here
Problem access tokens expire so I know I need to authenticate periodically to get a new access token.
This is where the problem and confusion arises for me. When I read the authentication guide in the facebook dev docs all it talks about is first authenticating the user to get a authorization code from the user and then authenticating the app using the app secret, app id and auth code fromthe user. But this doesn't apply to my situation - I never have a authorization code form the user - all I'm trying to do is access the feed from a php script running on my server....a user is never involved.
Any ideas anyone?
User has to approve your application only once, and later use they can just access your app and use it without approving
Since you are the owner of the like page, I guess you are also the administrator. What you can do in this case is create an offline access token for this (and only for that) user.
You can then use this access token for your script. No user needs to authenticate anything if you only want to grab the feed of your page with the access token of your administrator.
This token never expires except for changing the user's password or taking away permissions again. Look at this answer to see how to create such an offline access token!
It seems offline_access is no longer available. Now you only get a short-lived access_token and you can ask for a long lived one, which is also renewable. You can't get a permanent one though.