User Data from Facebook WITHOUT SDK - facebook

I have the access token from the user, and I want to retrive the data from their profile. I am working on Unity3D c# therefore I can not use any SDK.
Is there a way of getting it trough a graph request?
I've already tried with
https://graph.facebook.com/me?access_token=00000000000000|AAAAAAAAAAAAAAA
but throws me an error like this..
"message": "An active access token must be used to query information about the current user.",
When I ask for permissions I ask the user to allow me the publish_stream and to access profile data.
How do I get an active access token? I just want the UserID.
Thanks for your answers, and sorry for my terrible english.

So I wanted ti get the User UserAgent Token the only thing that you must do is add that parameter to the Access URL in my case
https://graph.facebook.com/oauth/authorize?type=user_agent&client_id=000000000000000&redirect_uri=http://yourRedirectdomain.com&scope=user_photos,email,user_birthday,offline_access,plublish_stream
Facebook will redirect you to the redirect_uri URL, and the access token will be given in form of a hash. Extra Tip: Yo have to access the Hashed token vía Javascript,
var hash = document.location.hash;
var n=hash.split("=");
This is one method, Im sure there is a better one.
Thank everybody for the answers!

you're Graph Call / HTTP request looks about right.
I'm guessing, based on the error, that the access token has expired.
Normally, they last for about 1-2 hours since the last time they were used. (If i recall correctly). So, a user will start using a website, and the website can make graph calls with the access token while the user is actually using the website for that session, but the token will expire soon after that.
However, you can also ask Facebook for a longer lasting access_token, which will last for approximately 60 days.
Check here for some info :: http://developers.facebook.com/roadmap/offline-access-removal/
As it stands, trying to find this info through browsing the developer docs in Facebook is rather difficult, if not impossible. :-/

You can’t query the API for /me with an app access token, since the API has no way of knowing who “me” is supposed to be.
Only user access tokens contain the info which user id they apply to, and hence only those can be used to query /me successfully.

Related

How to get and use Graph User Access Token for use in personal scripts?

I have written a Python script that makes some statistics for me and a couple of friends based on our posts and comments in them. I've been using it by getting a temporary token in Graph Explorer and copying it to the script before running it. So far I've been able to access friends' posts with API 1.0 (and for some time with 2.0, I assume that was a bug) but now the 1.0 API is getting closed and I'm running into an issue - while some of the /post requests are still accessible to me, many return an "Unsupported get request" error. I can only assume that I can't access these anymore unless I'm using their User Access Token.
I'm not sure what I can do now:
ask them to use Graph Explorer to provide me a temporary token. It works, is pretty secure with default permissions but I would have to do it every time I wanted to update the data.
make some sort of dummy app that they will log into once. I don't know if that violates any rules and if it will be removed immidetaly, I hope not. But I have no idea how to extract the user access token out of the app so I can use it in the script.
What's the "correct" way of doing this?
If the App is only for a specific group of people, it should be no problem. Just add your friends as Tester in the App so they can authorize it with the read_stream permission. Else you would need to go through a review process, and Facebook usually does not approve read_stream.
You don´t really need to handle the Access Token, just use the JavaScript SDK and read the stream of your friends whenever they visit your App.
Btw, you can get the Access Token in the callback response of FB.login. But it will only be valid for 2 hours, you can extend it to 60 days though. More information about extending Access Tokens: https://developers.facebook.com/docs/facebook-login/access-tokens
Easy solution: Create an entry page where your friends (who are Testers in the App) can authorize with read_stream. Right after authorization or refreshing the Token with FB.getLoginStatus, read their posts and store them.
Here´s some code to get you started on that entry page: http://www.devils-heaven.com/facebook-javascript-sdk-login/
...of course you can also just let your friends generated the Access Token manually. Information about that can be found in the Facebook docs (see Link above) or (for example) here: http://www.devils-heaven.com/facebook-access-tokens/ - they can then give you the Token, it will be valid for 60 days if it´s an extended one, or only 2 hours if it´s a default User Token.

facebook graph and access token

when I do a get request to
https://graph.facebook.com/[userid]
with the access_token i get all the basic info
but when I do
https://graph.facebook.com/me
with the same token i get an error message: An active access token must be used to query information about the current user
I have tried to under stand what can cause that.
I even tried to token that comes with the signed request
I'm on classic asp, with JSON library, I want the auto to be server side if possible. the FB.api("/me" is working but it is not what i really want to achive
I am pretty sure you don´t have a user access token. Did you login the user? Of course you get the public data of every user with your first link, even without any access token. You can even put it directly in the browser and will get results. But for "/me" you have to authorize the user to your app.
See here: https://developers.facebook.com/docs/howtos/login/server-side-login/
It is the same problem as in the other thread for sure, just a different Programming language.
Remember: If the user did not accept at least the basic permissions in a dialog or redirect, he is not logged in and you will never know anything about him in the app (except for some specifics in tab apps, like language, like-status and stuff).

how do you handle realtime feed updates?

I'm working on a site that is trying to handle realtime feed updates from its users' Facebook accounts. I have the basic stuff in place: the app is subscribed to "feed", and the user's login asks for read_stream and offline_access (just in case) permissions. My test users have logged into FB and granted those permissions, and, when one of those users adds (or removes) a status update, the callback specified in my site's subscription is pinged. So far, all's well.
Now -- as I understand it -- my callback has to call up to Facebook to get the user's feed, so that the callback can do whatever it's going to do with it. That's where I'm having problems -- finding the right access token to retrieve the feed:
I've tried doing this with the app's access token. This token is able to retrieve friend information (also included in the app's subscription and user permissions), but it won't get me the feed.
I've tried all sorts of ways to get the user's access token from inside the callback, but nothing is working. I'm guessing this is because it's not "logged into Facebook" the way that a user in a browser can be, but whatever. Bottom line is I haven't found a way to get this token.
(BTW, if I cheat -- get an access token for the user from Graph API Explorer and hard-code it into the callback, the callback works properly. This is no real solution, of course, but it at least establishes that the rest of my code is working.)
So how does this work? Can the app access token be made to work somehow? Is there in fact a way for the callback to get an access token for an arbitrary authorized user? There's gotta be a way to do this, or there would be no point for realtime feed notifications. Any clues out there? This is SERIOUSLY kicking my butt... Thanks!
You might want to look into this. Instead of taking permission for offline access, facebook now gives short-lived access tokens (2 hours) when the user logs in. These can be exchanged with long-lived access tokens (2 months). Check out this article on how to go about it.
https://developers.facebook.com/roadmap/offline-access-removal/
I've found a solution, perhaps: When the user logs in, I snag their offline_access-enabled access token and save it in the app with the rest of the user's data. Then when I get notified of an update to that user's feed, I can pull the token from the database and pass it over to FB as the token part of the /feed... call. And, it works. There is no doubt some error handling to be done, but I am currently bouncing back and forth between thinking that (a) this is exactly the right way to handle this and (b) it's a terrible hack that is just asking for trouble. I guess I'll see which of these is the case...
Ask for offline_access (as you do) and store the access token. This is exactly why offline_access and access tokens are there, to make requests to facebook in the name of that user. (a) is the right way to go. (a) is the way I do it.
Good luck
When the user is authenticated via OAuth Facebook returns an access-token, but it is valid for few hours. The validity of this token comes with it as token-expiry.
However, this token can be exchanged with a new extended token which is valid for around 60 days. User the following code to get new-token:
URL url=new URL("https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id="+appId+"&client_secret="+clientSecretId+"&fb_exchange_token="+fb_exchange_token;
InputStream Istream=url.openConnection().getInputStream();
BufferedReader br = new BufferedReader(new InputStreamReader(Istream));
String new_token= br.readLine();
Hope it helps!!

Getting and storing access tokens using base_facebook.php and facebook.php?

Using the above libraries, I can get the details of a user, his authorisation, his friends, but only once: I need to store the access_token and key in database, so the user can access his friends walls or other public details.
Can anyone help?
(I have used OAuth for Twitter and Tumblr, but I can't get it for FB).
https://developers.facebook.com/docs/authentication/
Be careful with saving the token. When not requesting all-time permission, it expires in a certain time (what might be your problem)
When using a canvas app (the ones integrated in apps.facebook.com) requesting another token is quite simple. Facebook posts a signed_request parameter to your app whenever a user accesses it (https://developers.facebook.com/docs/authentication/signed_request/).
Decode it, pass it to the Graph API, profit.
if you need a generic access_token without a login... you can use $appID ."|". $secKey
this is called a APP access token, so it would be logged in as the "Application" not a user
!!! make sure you use this on https://graph.facebook.com/ !!!
hints the "https://" for secure SSL connection
but the API already determines this.

Decrypt OAuth 2.0 access token

Is it possible to decrypt Facebook's new OAuth 2.0 access_token ?
I need to somehow get user_id and app_id from the access_token.
PS:
I need to get the user_id and app_id ONLY from the access_token as Facebook Linter used to do.
As others have already pointed out, the access_token is a unique random string, so it cannot be decrypted as such. Also, we all know that the user_id and app_id are prerequesites to generate the token in the first place.
However, let's assume you stored your token(s) in a database and lost the associated user_id and app_id. In that case, it is a valid question on how to retrieve them having only the token at hand. If your token is still valid, this is possible. If it is expired, you're out of luck.
To retrieve the user_id, make a call to:
https://graph.facebook.com/me?fields=id&access_token=xxx
To retrieve the app_id, make a call to:
https://graph.facebook.com/app?fields=id&access_token=xxx
In both cases, the associated id's will be part of the JSON response, regardless of the access_token being an encrypted or unencrypted one.
Let's illustrate this with an example. Let's assume Mark Zuckerberg uses the Graph API Explorer to generate an access_token. Calling the /me endpoint gives you:
{
"id": "68310606562"
}
and calling the /app endpoint gives you:
{
"id": "145634995501895"
}
The ids you were looking for are part of the response.
Please note that this does not work with the access_token shown on https://developers.facebook.com/apps (not sure if this is a Facebook mistake or intentional). Please use the access_token that your app receives via OAuth.
If the access token is in the encrypted format, there's no programmatic way to determine the User ID and App ID.
I struggle to think of a legitimate way you could have come across an access token without already having those two pieces of information since presumably you know your own App ID and the User ID you stored the access token against.
Nevertheless, assuming there's a legitimate use-case for this:
a call to /me?fields=id will return the user ID and/or you can use the debug tool at https://developers.facebook.com/tools/debug to debug the other properties of the access token
Generally you use the access_token to access other data from your application. So for example, your application would authenticate the user then use the access token to access other functions in FB's API, such as the graph:
https://graph.facebook.com/me?access_token=<access_token>
There is no public way of decrypting an access token to get the user id and app id. This is also very likely a massive breach of Facebook policy.
To get an access token in the first place you have to have access to the user and the app id anyway so you shouldn't need to do this. If you don't actually have access to the user or the app id then my guess would be you probably shouldn't even have their access token and have probably obtained it 'illegally'...
This is actually a very simple task, if you look closely at the access token itself. It consists of 3 segments, separated by a pipe character, |:
APP_ID|SOME_STUFF.NUMBER-USERID|SOME_MORE_STUFF
I'm not sure what SOME_STUFF, NUMBER, and SOME_MORE_STUFF are; presumably timestamps, signatures, or other encoded data that facebook uses to keep track of the access_token's validity and so on.
Unless you've obtained the acces_token in question by fowl means, I don't see a problem with being able to access the APP_ID and USER_ID from them (and neither does Facebook, apparently). So all I'll say on that is be responsible :)
The other thing to keep in mind is that this isn't a standard or anything, and is subject to change. So, watch out for that, too.
you don't have to decrypt accesstoken
As far as AppID is concerned,you should get it from facebook whn you make an app there,its your id to connect to facebook.
facebook sends the userId along with accesstoken..
just check your cookies in browser or in oauth case check entire string returned when request for acess token.
Are you sure you're talking about the Access Token here and not the signed request?
When you're Facebook Application is loaded you have a signed request object, which has the information I believe you are looking for (however if the user has not authorized your application their user ID will not be in the signed request, Facebook security)
The only way currently available is to use to Facebook Access Token Lint Tool.
You can consider to automate the process.