How do you remove access to a Facebook app based on the client_id it used?
E.g. assuming someone clicks on a link that looks like this:
https://www.facebook.com/dialog/oauth?client_id=client_id_string&redirect_uri=
https://www.facebook.com/connect/login_success.html&scope=basic_info,email,public_profile,
user_about_me,user_activities,user_birthday,user_education_history,user_friends,
user_interests,user_likes,user_location,user_photos,user_relationship_details&
response_type=token
and all they have is the client_id_string how do they then revoke access via Facebook?
https://developers.facebook.com/docs/graph-api/reference/user/permissions
See "Revoking Permissions" in the docs. You canĀ“t remove the App itself, but you can remove permissions.
You can revoke a specific permission by making a call to a Graph API
endpoint:
DELETE /{user-id}/permissions/{permission-name}
This request must be made with a user access token or an app access
token for the current app. If the request is successful, you will
receive a response of true.
I've found in documentation that it is possible to use appId and appSecret pair as access_token in the format "appId|appSecret".
The problem, when I'm using this technique with graph API, I don't receive the full information, only some of the fields (permissions are set in the app settings). When I'm trying to use it with FQL I get "A user access token is required to request this resource." exception.
Could somebody route me on the right track how to perform API requests?
My application is running on the server-side, that's why I've chosen these method.
E.g.
When I run GET request on https://graph.facebook.com/me/friends?fields=name&access_token="app_id|app_secret" I get correct response. But when I run https://graph.facebook.com/me/friends?fields=name,notes&access_token="app_id|app_secret" the query returns only friends id's and names. It's worth to mention, that I user has granted access to "notes" for that application.
I think this because this kind of access token can replace the app token, but not the user token.
And with the app token, you can:
This can be used to modify the parameters of your app, create and manage test users, or read your application's insights. App access tokens can also be used to publish content to Facebook on behalf of a person who has granted an open graph publishing permission to your application.
It means that with this kind of token, you don't have any special permission, so your request cannot work.
What you could do is send the user access_token to your server and then use this token to perform the API request.
Let's suppose there is a website which wants to post on Facebook in the users' name. First, when the user is linked to Facebook, he will have an access token and read access so he can log in with Facebook to the website, for instance. On a given event, the user will have write access on Facebook with the access token.
After a while, the Facebook access token expires (as it seems, but if there is a way to create Facebook access tokens which will never expire I would be glad to hear about), so on the website whenever a post to Facebook is about to be made, a request has to be sent to Facebook to check the validity of the access token. If the access token is invalid, then a redirect is needed to Facebook where a new access token is generated, then Facebook redirects back to the page.
I think there are no permanent Facebook access tokens. If there are permanent Facebook access tokens, how can one create them?
If a Facebook access token expires, is there any other solution to the problem than redirecting to Facebook for access token generation and redirecting back?
EDIT:
Here: https://developers.facebook.com/docs/opengraph/howtos/publishing-with-app-token/
I have read the section with the title of "Making API Calls to Publish with an App Access Token".
It states that I need the user's FacebookID and the publish_action privilege granted by the user to be able to post in their name on Facebook. However, I am puzzled about the way I can get the user's FacebookID and how the user grants the website publish_action privilege. Also, this section mentions that
"You will be unable to retrieve information about the status update post with the given ID using the app access token. Instead, you should use a user access token for such purposes."
I do not really understand what information is impossible to be retrieved with this possibility. I do not really understand the cause of inferiority of this strategy compared to the strategy with access tokens.
The short answer is yes, you have to redirect to Facebook (or use the Javascript SDK) to get FB to give you a new access token. If the user is already logged in to Facebook and hasn't deleted your application, then the process will be mostly invisible to your user.
You can, however, extend the length of time you're allowed to use your access token from 1-2 hours to a much longer period (I can't find the time reference, but I seem to remember it being a 3-6 month period). You can read about that process in the Access Tokens Documentation.
edit
First, you have to understand the difference between an App access token and a User access token. An app access token is a very simple token that facebook uses to verify that your app is making a request that you intended it to make. Your app access token consists of your app id and your app secret as a string and separated by a | character. This token doesn't grant you access to any user information, and isn't really usable for a whole lot of things (it's basically used for the authentication methods to ensure that when you request the token, the request is coming from you and not some 3rd party masquerading as you). Though, like you found above - you can also use it to make posts to the user's feed, providing they gave you access.
A user access token identifies an actual user, and their session, to your application. The user access token typically lasts a couple of hours and then expires. You can exchange this token for an extended access token which as I stated above, I believe to last for several months.
A user token (either the temporal 1-2 hour version, or the extended version) allows you to access the FB graph API as the user to which the user belongs. So, using these tokens you can access the user's friend list, photos, likes, interests, etc (presuming you requested permission to do so upon application install). You can check which permissions you have by using the user access token and making a request to /me/permissions on the graph api.
The Javascript SDK is unique, as it doesn't require you to redirect your user away from your application. The JS SDK allows you to use a pop-up to allow the user to authenticate with facebook, install your application, or to allow (or deny) permissions that you are requesting.
The FB.login method takes 2 parameters. Parameter 1 is the callback which is executed after the user responds to your authentication prompt (either by accepting or rejecting your application install request). Parameter 2 is for options which are passed as a javascript object, the only one of which you care about here is the scope parameter. The scope parameter is the way you ask for extended permissions (such as publish_action) so in order to acquire the publish stream permission from a user you use code that looks like this
<script type="text/javascript">
FB.login(function(response)
{
//check to see if they accepted or rejected, and do something
}, { scope: "publish_action });
</script>
Once the user accepts, any subsequent calls to the FB JS SDK will automatically include your user's access token, you don't have to manage it yourself. You can make calls to the graph API on behalf of the user without having to explicitly specify the user's user id - you can just reference them as me. So, for example, you could publish to your user's feed via the JS SDK like so:
<script type="text/javascript">
FB.api('/me/feed', 'post', { message: 'test!' }, function(response)
{
//do things
});
</script>
However, if you'd rather make calls to the Graph API from your server on behalf of the user to publish to their feed (or your needs require you to do so), you'll have to store the user's FB User ID along with your user data so you can access it later. That User ID is available in the argument that is passed to the FB.login callback (response.authResponse.userID). Once you store that, you'll be able to make Graph API calls on behalf of your user from your server simply by POSTing to /<user_id>/feed with the appropriate data:
$ curl -d "message=test&access_token=<app_access_token>" /<user_id>/feed
Finally, re-authenticating your user. THE FB JS SDK exposes 3 methods for authentication.
FB.getAuthResponse
FB.getLoginStatus
FB.login
The primary difference between FB.getAuthResponse and FB.getLoginStatus is that getAuthResponse waits for a response from Facebook before any further javascript is called (it's blocking, or synchronous). FB.getLoginStatus will allow other javascript to run and will call your supplied callback when it gets a response, allowing you to do other things while you wait for a response. Either of these methods can be used to determine if your user is currently logged in to Facebook and if the user has your application installed. You can then use FB.login (if they're not logged in to FB, or not users of your app) to prompt them to login, or install, so you can access their information. Both of these methods pass you back the user's access token if they're installed and have authorized your app (response.authResponse.accessToken).
FB.login does a check for the login status of the user, but it always will pop up a login/install dialog, regardless of the status (and if they're logged in/installed, it will hide the pop-up immediately). The FB.login method is also used if you need to request additional permissions from the user (Say you just get a "vanilla" install at first, and then later the user says they want you to post to their feed. When they initiate that option, you can then request the extended permission from them). In order to utilize that functionality, you use FB.login just as you would if they were a new user, except you add the extended permissions that you want/need in the scope property of the options variable you pass as the 2nd argument.
tl;dr
Use FB.getAuthResponse or FB.getLoginStatus to determine if your user is logged in and has your application installed. These methods can also be used to fetch new access tokens as your user is using your application.
Use FB.login to get new/unauthenticated users to install your application.
Once your user logs in, fetch their user id and store it your database somewhere. This can be used to post on their behalf with your app access token once you acquire the publish_action permission from the user
If you want to store a long-lived user access token to access the user's profile and other information, later, use the link above for exchanging your user access token for an extended access token. This is a server-side process, and you can store the resulting access token in your database with the user's other credentials.
Sorry this so long and wordy - I just wanted to provide you with some solid information about access tokens, how they're used, and how to use the JS SDK to maintain them. Hope this helps.
I've developed a Facebookapp that has the "user_photos" permission. Now i've submitted the App, which is now live. I've installed it on several Facebook-Accounts of my friends... (Yes! they have granted the requested permissions)
When i now try to make an request i get the following error message
{
"error": {
"message": "A user access token is required to request this resource.",
"type": "OAuthException",
"code": 102
}
}
Here's my Request-Query:
https://graph.facebook.com/LogInIDOfMyFriendThatHasInstalledTheAPP/?fields=albums.fields(photos,name,description),email&access_token=mySecretAppToken
Ok it works if I replace the App-Token with a User-Token that is generated by an OAuth-Process or via GraphAPIExplorer but in the Documentation (https://developers.facebook.com/docs/facebook-login/access-tokens/) it is said (in Paragraph) "App Tokens" that
"App access tokens are used to make requests to Facebook APIs on behalf of an app rather than a user. [...]" and that i have to generate an other "App Accesstoken" but this also does't work.
I'm confused...
So is there something i've forgotten / missunderstood or do I have to use the oAuth-Way which means that my friends have to reauthenticate to my App every two month???
Thanks a lot!
Best regards
Mike
A few lines after in the documentation it states
App access tokens can also be used to publish content to Facebook on behalf of a person who has granted a publishing permission to your application.
This is what they mean by requests on behalf of the user.
For the albums endpoint you need a user access token.
Yes your friends need to re-authenticate your app every two months if you extend a short lived user access token. The point is not to have apps sitting around with access when the user may have forgotten them. Prompting the user to re-authenticate ensures they are still aware of these apps and can have the choice to keep or delete them
I have an app and a user who has added that app and authorized it with permissions: read_stream and user_status. I've got a node js app running that's trying to make an API call (using only the app credentials) to pull the user's posts but I get the following error:
"A user access token is required to request this resource."
How can this be done without having to have the user login every time I want to pull their feed?
It can't; you need a user access token to access that user's data - the error message is fairly clear about this I think.
Check the Authentication documentation - you should be storing the users' access tokens and using those to make API calls on behalf of those users