My situation is this: in my site I have username and password (of my Facebook account) stored in 2 php variables: $user and $password. Now I want to log in my Facebook account with those access data. Then, how can I send user and password to Facebook API without "passing" through the standard Facebook login form?
Thanks :)
Short answer: you cannot do that.
You can't pass username and password to Facebook for authentication. Username and password can only be entered into the Facebook authentication form, either through a redirect or iframe pop-up.
Requesting and storing Facebook user passwords is a violation of Facebook platform policy.
You can get an access token after going through the authentication dialog, and that access token can be used to take actions on behalf of the user or access their Facebook information without further authentication for as long as the access token is valid. Access tokens expire, but you can extend them up to 60 days. They also get rendered invalid through a number of other user actions such as changing the user password or manually evoking application permissions.
Facebook OAuth 2.0 documentation is here: https://developers.facebook.com/docs/authentication/
Related
I want to know how Pinterest and other sites maintain there session and access facebook APIs even after the user changes his/her facebook password, since as far as i know facebook invalidates the access token issued once the user changes his/her password.
Please help :)
Not sure on the exact implementation Pinterest uses, but if a user changes there password, the oauth token will be invalidated and you MUST have the user re-login. This is a security feature so for example, in the event of a hacked account, the user can change his/her password and all tokens will be invalidated (imagine what would happen if this wasn't the case... Your account gets hacked, they authorise there own scam app to have full access to your account, you reset your password... oh they still have full access to your account as they have a oauth token).
On this page you can see what error is produced in the event of a password change and your app must detect this and handle it
I like to request more (extended) permissions using FB API after user is already authenticated. Is it possible to send a valid access token or any other way to NOT login again using the OAuth Authentication?
Url looks like that: https://www.facebook.com/dialog/oauth?client_id={clientid}&redirect_uri={callback_url}&scope=read_stream,publish_actions&display=popup&response_type=token
No, you have to send the user through the login dialog again.
Although, if the user is already logged into your app, he'll get a different (simpler) dialog only requesting additional permissions. This is handle by Facebook automatically.
I want to create an application that will login me with facebook eachtime with out asking username and password. How I can store the facebook password or access token to login
Read: https://developers.facebook.com/docs/authentication/ to discover how to authenticate, get a token then you can use it in your app to access the Graph API.
Note that tokens can only last up to 60 days.
I wonder is it possible to access user's wall info without passing his/her access token?
for example, I will just pass my app secret token and app id. and FB user already allows to access his/her info from my app. Facebook does the checking and matching of my app and my app's user by just using my app secret token and app id.
Because I found some topics similar to that.
http://forum.developers.facebook.net/viewtopic.php?pid=9172
When I check Rest FB doc,it says like that.
http://restfb.com/javadoc/index.html
public DefaultFacebookClient()
Creates a Facebook Graph API client with no access token.
Without an access token, you can view and search public graph data but can't do much else.
I doubt that it will work or not without access token.
can everyone share me ideas or any possible similar approaches ?
Thanks.
You will need to ask the users to authorize your app for offline access. You will be able to access the user's wall even if the user is offline, but you still need the access token. It is part of Facebook's security measures.
There are two types of access tokens:
Session based: expires in a short term, are used when the user will be logged to FB every time you need to perform an operation.
Offline access: do not expire and allow the app to perform operations for the user in any moment. This requires the offline_access permission when the app is authorized.
Check here: http://developers.facebook.com/docs/authentication/ for the oauth mechanism and here: http://developers.facebook.com/docs/authentication/permissions/ for the permissions list.
The REST API is deprecated and it is strongly suggested that you don't use it anymore. Furthermore, from this October you will be allowed to use only the Oauth2 authentication (see When is Facebook turning off their session based auth?)
Without token you can only access public information.
Public data
From RestFB homepage :
// It's also possible to create a client that can only access
// publicly-visible data - no access token required.
FacebookClient publicOnlyFacebookClient = new DefaultFacebookClient();
If the user does not protect his posts, then you can access everything without token. But most of user do protect their data and then you need a valid user access token to read the data.
Private data
When you say "FB user already allows to access his/her info from my app" it means that the user has clicked on "Allow app" in the web browser and at that moment here Facebook will give you a token. You can after use that token with RestFB :
FacebookClient facebookClient = new DefaultFacebookClient(USER_ACCESS_TOKEN);
User user = facebookClient.fetchObject("me", User.class);
out.println("User name: " + user.getName());
By default, the token will expire a few hours later. If you ask for the offline_access permission, the token will be valid for ever (as long as the user does not remove the permission for your app in his settings). You should store that token in your database to be able to use it when you need.
Get the user token
You cannot get the user token with RestFB. On the RestFB homepage, you can read :
Non-goals: [...] Providing a mechanism for obtaining session keys or OAuth access tokens
Because you need a browser to do so : the user has to authenticate and authorize your app on Facebook website (the popup that shows).
What you can do is to have a PHP page on which your users have to go to authorize your app. You can read this stackoverflow answer that explains how to use the Facebook PHP SDK to do so.
Hope that helps !
I am creating an application in which I am trying to add facebook account in app. What I wish to do is when user enter his/her username and password my application should call some facebook api or any other thing by which it will confirm that the user credentials are correct for facebook.
Then the API will return some message by which I can add account or give an alert that credentials are not right.
it is not possible to login using the username/password directly to the api.
use facebook connect instead.