My scenario is somewhat like this: A user logs into my website with his FB credentials. I capture his ID and the FB access token (say, a long-lived access token). He exits my website, and returns back later. However, this time, his browser has FB open with a different ID. Would I be able to load facebook details of this old id (with which he had registered on my site) using the stored access tokens? Is it possible, or would it result in a clash between the old and the existing FB id?
Correct me if I'm wrong, but he/she should stay logged into your website, regaurdless if his authID changes.
First of all, why would you want to do that? Since Facebook does not allow multiple user accounts for one and the same person, the only case where this would normally come into play is when another user is using my computer/browser – and why would I want you to read my info while that other person is using my device …?
Second of all, as long as the first user is still considered logged in to your site, it makes not much difference. But lets say some client-side method is called that updates the cookie information, then that’s where trouble might start. You might still be able to read the old user’s info, since you have his valid access token – but you’d have to use that token in your requests explicitly, and also address the account specifically, since the Graph API’s /me would point to the new user.
But as I said, I can hardly imagine a real, practical use case here …
Related
Am I allowed to create an app that only invited people can join?
Or do all apps have to be open to everyone?
You can have a white list for people who are allowed to use your app in your database and ignore any request for other people.
EDIT:
As per the question in the comment section, I will give you more details. I have not quite done exactly this, but I can guarantee you this is possible. I have a website, linked to Facebook and people can log in to the site using Facebook. In my database I am storing the Facebook ID and the Facebook user access token. When a user clicks on the login with Facebook, his Facebook user access token is checked against the database. If the Facebook user access token (which works like a temporary password) expires, it is renewed. However, people are identified by their Facebook ID. I could easily have a white list for Facebook IDs and allow access only for people whose Facebook ID can be found in the database. My project strategy is to get as many users as possible, but I could easily modify this to restrict access for not verified people. Your problem with consistent login probably lies in the fact that the Facebook user access token expires in a few hours. However, that problem is solvable:
if the user has modified his Facebook password, or has not connected to the app, then he will be asked by Facebook for permissions
if the user is no longer logged in, then he will have to log in
if the user's Facebook user access token has expired, then you should generate a new Facebook user access token
finally, you can generate long-term Facebook user access tokens, which last for months.
Read the documentation for details, but keep in mind that things might have been changed at Facebook since the documentation was written, therefore you should not believe everything written there, but should rather test the validity of the most important statements.
I'm trying to figure out a core concept in FB that even after reading a lot of FB documentation, couldn't understand.
Let's say I'm building an app (that will reside in a tab), in which I want to see the last post of a user. I want to do this approximately one month after the user approved my app, without him using the app again.
I assume I will need to use a long-lived expiration token that will be saved to my DB.
A month after I will run a procedure that will use this token and check the user posts.
Is this correct?
What about a situation in which the user logged out? The token is no longer valid.. does this mean I will never be able to access user posts unless he will access my app?
Isn't this a bit weird (since he already approved my app)?
Not necessarily.
Firstly, you need the read_stream permission from the user when they authenticate your app. Then, because you are intending to use Facebook as the app, rather than as the user, you need to authenticate as an app, which is a simple process:
In order to get an access token for the app, all you need to do is use the following URL:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
Because these tokens are time-limited, it may be easier to request a token each time you use the Graph API, rather than storing it in a database and waiting for it to expire.
Then, all you need to do is use the following request:
https://graph.facebook.com/USER_ID/feed?access_token=YOUR_ACCESS_TOKEN
The upside to this is that it does not matter whether or not the user is logged into Facebook.
See here for more details:
https://developers.facebook.com/docs/authentication/applications/
I'm aware that there are many questions about Facebook access-tokens and the grief they cause, but despite much experimentation and reading many frustratingly vague blog articles (FB and otherwise), I'm still struggling to get a clear answer to my needs. Let me succinctly break down my process so far:
I am creating a site that, server-side, needs to pull the posts/statuses from a single Facebook Page
I am an admin of that Facebook Page
I have created a Facebook App
Using the Facebook Graph API Explorer, I've generated a short-lived key, connected to my app and my account, that grants permission to my account to view the access-tokens for my pages
I've converted my short-lived key to a long-lived key (60 days) ala scenario 4 from this
And here's where I am stuck. My 60 day key works fine for my server to pull the info needed from the page, but as far I can tell, there's no way to programmatically extend that 60 day key. I also do not know of a way to generate a new short-lived key without manually going to the Facebook Graph API Explorer and creating one.
Since it is my server making the requests to the Facebook API and not a user-based system (where I could easily request that a user authorize the Facebook app again), this creates a very clunky system. Since Facebook deprecated offline_access, is there really no permanent way to have my server pull info from my own page? Will I really have to create a new key by hand and manually update my server with it every 60 days?
Or is there something I'm missing?
Update:
The step-by-step guide that was previously found here has been migrated down into its own answer.
These are the steps that were previously in the question - they have been migrated to this answer.
Having found that it is possible to generate a Facebook Page Access Token that does not expire (with help from #Igy), here is a clear, step-by-step quide for all those looking to the same:
Make sure you are the admin of the FB page you wish to pull info from
Create a FB App (should be with the same user account that is the page admin)
Head over to the Facebook Graph API Explorer
On the top right, select the FB App you created from the "Application" drop down list
Click "Get Access Token"
Make sure you add the manage_pages permission
Convert this short-lived access token into a long-lived one by making this Graph API call:
https://graph.facebook.com/oauth/access_token?client_id=<your FB App ID >&client_secret=<your FB App secret>&grant_type=fb_exchange_token&fb_exchange_token=<your short-lived access token>
Grab the new long-lived access token returned back
Make a Graph API call to see your accounts using the new long-lived access token: https://graph.facebook.com/me/accounts?access_token=<your long-lived access token>
Grab the access_token for the page you'll be pulling info from
Lint the token to see that it is set to Expires: Never!
That should do it. You should now have a Facebook Page Access Token that doesn't expire, unless:
You change your Facebook account password
You lose admin access for the target page
You delete or de-authorize your Facebook App
Any of these will cause the access token to become invalid.
If you are getting (#100) Tried accessing nonexisting field (accounts) on node type (Page), go to the Access Token Debugger, copy the value of User ID, and use it to replace the "me" part of the URL in step 9.
This is covered in the Offline Access deprecation document
Use the 60-day token for the page admin to retrieve a Page Access Token (via /PAGE_ID?fields=access_token or /me/accounts) - the Page access token will not have an expiry time
An approach that works in 2019
I was recently trying to achieve something similar (to the use case described in this thread), but I wanted to make sure to respect Facebook's current policies, so I did a little research and here I'm sharing what I found.
My use case
So, as I said already, my use case is very similar to the one described here; that is:
I'm doing some work for a school district.
They are using a software tool to manage pretty much everything that relates to school transportation.
That tool allows them to send email notifications (to subscribers) when they publish bus delay alerts and school closure alerts.
A lot of people in the community follow the organization on their Facebook page, and that's the only place they look for those alerts.
So an employee of the organization has to manually publish each notification on the Facebook page (in addition to creating it in the transportation software). Moreover, those notifications eventually expire (or are simply deleted before they expire), so the employee has to go back later on to delete them manually as well.
It's a waist of time, so what we are trying to do here is to develop as simple system that periodically polls the software tool's database for new (and expired) notifications and update them (i.e. add and remove) on the Facebook page.
This is, in my view, a legitimate use case, but I wasn't sure how to implement it in a way that's in line with Facebook's policies.
The accepted answer
I followed the steps of the accepted answer and it worked, except that things appear to have changed: now, even though the generated page token does not expire, access to data does expire after around 60 days. You will see that as well if you follow the procedure and inspect the page token in the FB Token Debugger Tool.
Besides, the fact that the generated page tokens are tied to the user account is also unfortunate, because if the user updates his/her password, then the page token also gets invalidated.
How to do it in 2019
After several hours of research, I stumbled upon the following Facebook documentation article: Business Login for Direct Businesses.
It turns out that it is now possible, following the steps described in the above article, to generate a page token that is not associated to any particular Facebook user account and which will not expire (unless the FB App gets deleted or the underlying application token gets deleted, you know...)
So here are the steps and the most important parts:
You need a Business Manager account.
Verification will be required and a digital contract will have to be signed.
You need to add the target Facebook page to that account.
You need to create a Facebook App, and transfer that app to the same Business Manager account as well.
The app will have to go through Facebook's review process, because the following permissions will be needed: manage_pages and publish_pages.
Important note For the posts made using the generate page token to be visible to users other than the application administrators, that app will need to have been published and approved.
You may still experiment with the concept without submitting for review, but the posts won't be publicly visible.
In the Business Manager account (only after your app and page have been added to the account), you need to create what's called a System User, and give that user admin role (or permissions) to the target Facebook page.
A system user is owned by the Business Manager account, and isn't tied to a specific user. My current understanding is that one major use case for a system user is programmatic access to Facebook's Graph API (just what we need).
Then, for that system user, you need to generate a access token (which will be never-expiring). You will be prompted to select for which app. You will then select your target app.
You will then need to use the generated app token to generate a page token, which will also be never-expiring. The procedure is described in this article as:
GET /<PAGE_ID>?fields=access_token&access_token=<SYSTEM_USER_ACCESS_TOKEN>
That's it.
That token will never expire, and it won't be tied to a particular Facebook user, so it's exactly what we need!
The last part is to make sure that your Facebook app gets approved by Facebook. It's in fact the most important part, because the whole procedure is worthless if people don't see our posts.
I wanted to know for sure that I could rely on the above procedure to build something for my client without Facebook rejecting it in the end, so, beforehand (i.e. before starting to work on my client's project), I went through the whole process of creating a page, an app, a Business Manager account, etc. I verified my business. I submitted my app for review. In my request, I was very specific about my use case and emphasized that the app was for "self-use" (i.e. that the organization is developing an app for itself, not for other Facebook users). I got approved without less than 24 hours.
A few other notes about the app review process:
I had to select a platform for the app, so I selected website.
I had to indicate why the app needed the two permissions and how it was going to use them.
I had to indicate why the reviewer would not be able to sign into my app and try it (i.e. because the app will be used by a worker process).
For the mandatory screencasts, I simply presented manual operations in the terminal using the curl utility (to generate the page token and make posts to the Facebook page). I also showed how I was using Business Manager to link the system user to the page and generate a token, and so on.
Again, I was very specific about my use case, and I think that that helped.
I hope this information will be useful to people with similar use cases.
Many thanks to #redhotvengeance for step-by-step guide.
After some time, now there is clearly described in Facebook documentation:
https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension
Extending Page Access Tokens
Apps can retrieve a page access token from Page admin users when they
authenticate with the manage_pages permission. If the user access
token used to retrieve this page access token is short-lived, the page
access token will also be short-lived.
To get a longer-lived page access token, exchange the User access
token for a long-lived one, as above, and then request the Page access
token. The resulting page access token will not have any expiry time.
You can also copy and past from the app dashboard on facebook.
The steps:
Go to https://developers.facebook.com
Select your app in the top right corner of the page
(pic of what it looks like)
Click on Messenger from the options on the left (it will go to setting automatically) (pic of what it looks like)
Go to the "Token Generation" section in the page. Select what page you want to generate the token for. (pic of what that section looks like)
The copy and past your page token where ever you need it.
Keep in mind that while in theory your token won't expire, that it is directly tied to what ever facebook account your logged into. So say you change your password or you remove the permissions from between your account and your app then your token won't be valid any more.
I'm working on a site that is trying to handle realtime feed updates from its users' Facebook accounts. I have the basic stuff in place: the app is subscribed to "feed", and the user's login asks for read_stream and offline_access (just in case) permissions. My test users have logged into FB and granted those permissions, and, when one of those users adds (or removes) a status update, the callback specified in my site's subscription is pinged. So far, all's well.
Now -- as I understand it -- my callback has to call up to Facebook to get the user's feed, so that the callback can do whatever it's going to do with it. That's where I'm having problems -- finding the right access token to retrieve the feed:
I've tried doing this with the app's access token. This token is able to retrieve friend information (also included in the app's subscription and user permissions), but it won't get me the feed.
I've tried all sorts of ways to get the user's access token from inside the callback, but nothing is working. I'm guessing this is because it's not "logged into Facebook" the way that a user in a browser can be, but whatever. Bottom line is I haven't found a way to get this token.
(BTW, if I cheat -- get an access token for the user from Graph API Explorer and hard-code it into the callback, the callback works properly. This is no real solution, of course, but it at least establishes that the rest of my code is working.)
So how does this work? Can the app access token be made to work somehow? Is there in fact a way for the callback to get an access token for an arbitrary authorized user? There's gotta be a way to do this, or there would be no point for realtime feed notifications. Any clues out there? This is SERIOUSLY kicking my butt... Thanks!
You might want to look into this. Instead of taking permission for offline access, facebook now gives short-lived access tokens (2 hours) when the user logs in. These can be exchanged with long-lived access tokens (2 months). Check out this article on how to go about it.
https://developers.facebook.com/roadmap/offline-access-removal/
I've found a solution, perhaps: When the user logs in, I snag their offline_access-enabled access token and save it in the app with the rest of the user's data. Then when I get notified of an update to that user's feed, I can pull the token from the database and pass it over to FB as the token part of the /feed... call. And, it works. There is no doubt some error handling to be done, but I am currently bouncing back and forth between thinking that (a) this is exactly the right way to handle this and (b) it's a terrible hack that is just asking for trouble. I guess I'll see which of these is the case...
Ask for offline_access (as you do) and store the access token. This is exactly why offline_access and access tokens are there, to make requests to facebook in the name of that user. (a) is the right way to go. (a) is the way I do it.
Good luck
When the user is authenticated via OAuth Facebook returns an access-token, but it is valid for few hours. The validity of this token comes with it as token-expiry.
However, this token can be exchanged with a new extended token which is valid for around 60 days. User the following code to get new-token:
URL url=new URL("https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id="+appId+"&client_secret="+clientSecretId+"&fb_exchange_token="+fb_exchange_token;
InputStream Istream=url.openConnection().getInputStream();
BufferedReader br = new BufferedReader(new InputStreamReader(Istream));
String new_token= br.readLine();
Hope it helps!!
I've been trying to figure out a way to have my iframe Facebook app (built in PHP) work without requiring separate authentication methods. I am already logged into Facebook, but for some reason I still see all these Oauth notices from the example in the PHP SDK.
The only data I need is publicly available even without them "adding" my app. I am looking to collect their Facebook ID (since this is a contest, we need a unique ID for tracking), their name and (optionally) their email address as well.
The problem is, I cannot use the API to fetch the public information unless I already know their Facebook username. Any ideas on how I might be able to get their logged-in username or public handle so I can then fetch the rest of the information?
For whatever reason, Oauth is driving me completely insane with Facebook today.
Sidenote:
I did manage to technically get the Javascript SDK operational, which fed some information to PHP for use. The only issue there is that once I login, I don't see the data. If I refresh...then it shows up. Unsure why the refresh is required, as I wouldn't expect a user to actually have to hit refresh in order to proceed with the app.
I guess you are a bit confused here, Facebook will NOT share the username, id, full name or email without the user explicitly authorizing/allowing your application (and in the case of the email, requesting the email permission!).
Read the official Canvas Tutorial for more information:
In order to gain access to all the user information available to your
app by default (like the user's Facebook ID), the user must authorize
your app.