As mentioned in this other question, if a user grants the publish_stream permission, I can publish to that user's wall using an app access_token. I tested that and it works. But I couldn't publish to the user's pages using the app access_token! Am I missing something?
Right now I use the /me/accounts/ connection to get the access_token of the pages, and use that to publish. But this is a huge headache for me and for users because these tokens expire often (when users change their password, ...et), and every time that happens the publish fails and I need to email the user to come login again so I can retrieve a new access_token for the page. It's a bad user experience and I'm trying to find a way around it. The app token works for publishing to users, which is great, but I couldn't find a way to make it work for pages. Any tips?
Edit:
To clarify further, I currently request the manage_pages and offline_access permissions, and then fetch the access_token of each page and use that to publish to it. That works. The main problem is that tokens expire, even with the offline_access permission. The most common reason a token would expire is if the user changes her password. Here is a common error that I get a lot when publishing to Facebook pages.
Facebook error. type: OAuthException, message: 'Error validating
access token: Session does not match current stored session. This may
be because the user changed the password since the time the session
was created or Facebook has changed the session for security reasons.'
To handle this, I email the user and ask them to visit our app again, and when they do I grab a fresh set of access_token to work with. But that's problematic because users are confused about why the error happened and blame us for it, and some users don't open their emails so the problem doesn't get solved and then they're angry later when they discover that our app had stopped weeks ago without them asking it to stop.
That's why I was hoping that I can publish with the app access_token to avoid these problems. Since it works for user profiles, I hoped it would work for pages as well. But so far no luck, unless I'm missing something obvious.
What you're describing used to work - all last year we were able to successfully post to fan page walls using the app access token. In fact, for some of our users, I see it still working. However, I think the other two answers are correct, this is no longer the way to post to pages (see "Page Login" here)
That said, you should be able to store the access token of the page to spare yourself the step of re-querying the users' linked accounts.
Unfortunately, the page's access token will suffer the same fragility as a user's, per the answer here: Facebook Page Access Tokens - Do these expire? . The page access token will expire when the user who gave you that access token changes their password.
To publish to pages, there is an extra step where you use their token to get a list of their pages. Each page has its own token, use that token to post to the page. Keep in mind that when setting up the original token, you need to specify that you need access to pages.
my app does exactly what you're after.
I request both manage_pages and offline_access permissions from a user.
I store the user's access_token.
I ask the user which page (determined by me/accounts) they want a stream item posted to and when.
Later, when it is time to publish to a page's feed, I grab the user's access_token from the database, the pageid, and the message.
Using that user's access token, I query the me/accounts and grab the latest access token for that account (aka page)
Using that page's access token, I me/feed (or is it me/posts...away from my codebase at the moment) post the stream item.
Related
Am I allowed to create an app that only invited people can join?
Or do all apps have to be open to everyone?
You can have a white list for people who are allowed to use your app in your database and ignore any request for other people.
EDIT:
As per the question in the comment section, I will give you more details. I have not quite done exactly this, but I can guarantee you this is possible. I have a website, linked to Facebook and people can log in to the site using Facebook. In my database I am storing the Facebook ID and the Facebook user access token. When a user clicks on the login with Facebook, his Facebook user access token is checked against the database. If the Facebook user access token (which works like a temporary password) expires, it is renewed. However, people are identified by their Facebook ID. I could easily have a white list for Facebook IDs and allow access only for people whose Facebook ID can be found in the database. My project strategy is to get as many users as possible, but I could easily modify this to restrict access for not verified people. Your problem with consistent login probably lies in the fact that the Facebook user access token expires in a few hours. However, that problem is solvable:
if the user has modified his Facebook password, or has not connected to the app, then he will be asked by Facebook for permissions
if the user is no longer logged in, then he will have to log in
if the user's Facebook user access token has expired, then you should generate a new Facebook user access token
finally, you can generate long-term Facebook user access tokens, which last for months.
Read the documentation for details, but keep in mind that things might have been changed at Facebook since the documentation was written, therefore you should not believe everything written there, but should rather test the validity of the most important statements.
I have written a Python script that makes some statistics for me and a couple of friends based on our posts and comments in them. I've been using it by getting a temporary token in Graph Explorer and copying it to the script before running it. So far I've been able to access friends' posts with API 1.0 (and for some time with 2.0, I assume that was a bug) but now the 1.0 API is getting closed and I'm running into an issue - while some of the /post requests are still accessible to me, many return an "Unsupported get request" error. I can only assume that I can't access these anymore unless I'm using their User Access Token.
I'm not sure what I can do now:
ask them to use Graph Explorer to provide me a temporary token. It works, is pretty secure with default permissions but I would have to do it every time I wanted to update the data.
make some sort of dummy app that they will log into once. I don't know if that violates any rules and if it will be removed immidetaly, I hope not. But I have no idea how to extract the user access token out of the app so I can use it in the script.
What's the "correct" way of doing this?
If the App is only for a specific group of people, it should be no problem. Just add your friends as Tester in the App so they can authorize it with the read_stream permission. Else you would need to go through a review process, and Facebook usually does not approve read_stream.
You don´t really need to handle the Access Token, just use the JavaScript SDK and read the stream of your friends whenever they visit your App.
Btw, you can get the Access Token in the callback response of FB.login. But it will only be valid for 2 hours, you can extend it to 60 days though. More information about extending Access Tokens: https://developers.facebook.com/docs/facebook-login/access-tokens
Easy solution: Create an entry page where your friends (who are Testers in the App) can authorize with read_stream. Right after authorization or refreshing the Token with FB.getLoginStatus, read their posts and store them.
Here´s some code to get you started on that entry page: http://www.devils-heaven.com/facebook-javascript-sdk-login/
...of course you can also just let your friends generated the Access Token manually. Information about that can be found in the Facebook docs (see Link above) or (for example) here: http://www.devils-heaven.com/facebook-access-tokens/ - they can then give you the Token, it will be valid for 60 days if it´s an extended one, or only 2 hours if it´s a default User Token.
In my web app, I need to post on users facebook feed while they are offline. I already store long lived access tokens for the users. But these tokens also expire after 60 days.
The FB docs mention that it is necessary to redirect users to the login flow to get a renewed access token.
I was thinking of checking the facebook session validity of user, whenever they login to my app and to give them the option of re-authenticating facebook in case their access token has expired.
However this will involve user interaction if the user is not currently logged in to his facebook account.
Are there any alternative solutions to look at. Also, how do sites like Quora manage posting to user's wall, without needing to re-authenticate facebook after every 60 days.
PS - I am using the latest facebook php sdk.
Simple Answer: It is not possible to extend the Access Token on the server. It would make the whole concept void.
Earlier there was a permission called "offline access", but they changed it to an extended token with maximum 60 days to avoid those things. You should NEVER post anything on the wall of the user without his authorization, for every single post. You are not allowed to autofill/prefill the message parameter anyway (see Facebook terms), it always must be 100% user generated.
About Quora: i don´t know what exactly they are doing, but i assume they refresh the Access Token whenever the user goes to their website.
I have set up a facebook app so people can post stuff from my site directly to facebook using the graph api.
I request offline access and manage_pages so that they don't have to be logged in to facebook, but just to my site.
I also have set up the ability to post to a fan page they are managing directly from the site.
both those things definitely work because i have a fan page and i authorized it on my site and am able to post stuff to it directly from my site.
the problem is that when i send the access token to facebook /accounts?access_token=XXX, nothing is being returned for some users even if they are definitely managing (they sent me a screenshot showing they were the manager of the page)
looking at the access tokens i noticed that mine looks like (this is fake):
200785063253279|561ec27497172e3ddvs32dsc.1-10002342352350235|kB2_OoBtsgscsVW2mKMijfNdvb0
while the users in question have an access token like (again - fake):
AAAC2nOrFTH0BAJjMgS3h22ADhirwsfweRT35235LGcZCGisrefwae5tSF535DGlLKJOIBMnrMnI324sfasdSFOIjo325sIigfWOE1aNbvd8wAZD
I can't help but notice the vast difference between the two. is there a reason? is that why i am not getting any page info when i send the request to facebook?
Any help is appreciated!
The first Access Token is the old access Token format and the second Access token is the new Access token format.
This new format was announced a year ago:
https://developers.facebook.com/blog/post/497/
And rolled out last September:
https://developers.facebook.com/blog/post/2011/09/09/platform-updates--operation-developer-love/
Any new Access tokens you get from the system will be of the new format.
EDIT from #avs099: I'm starting the bounty on this post as I have exactly the same issue. I summarize the problem here, and leave the post itself without any changes at the bottom for the reference.
What we have: Facebook page access token, obtained as described here: Authenticating as a Page and which live was extended to 60 days with new fb_exchange_token request.
What is the problem: this token works for some time - sometimes I can post hundreds of photos to my fan page in the period of several days; sometimes it's literally few photos - and then I start getting either
(OAuthException) Error invalidating access token: The session has been
invalidated because the user has changed the password.
or
(OAuthException) Error invalidating access token: Session does not
match current stored session. This may be because the user changed the
password since the time the session was created or Facebook has
changed the session for security reasons.
exceptions from the Facebook - but of course I did not do change password or deauthorized the app.
Additional information: Not sure if that matters but:
Sometimes I start using token few days after I request it from the Facebook
Token is requested (by the C# backend) from the server
which is located in a different geographical region from the desktop
app which posts photos to the fan page.
It happens sometime that several different desktop apps post photos from different PCs (i.e. different IPs I guess)
Anybody has a clue what's going on and how to resolve this?
Thank you.
I have a facebook app that serves two purposes:
1) Allows users to facebook connect with my site
2) Allows my site to post to my sites facebook fan page wall
What I'm concerned about is the 2nd usage. I used to be able to set the permissions for an app on a fan page to just allow posting (via the php sdk) without any concern about an access token. Now I've created some new fan pages and that functionality seems to have been removed. Alright, so I go through the whole process of getting an access token (successfully) for the user (always me or another admin of my facebook fan pages) and use that token to get the access tokens for the fan pages I manage (I have the manage_pages permission and so do the other admins for the pages I want to post to). However by the engine gets around to posting content to my fan pages the tokens have expired with one of two error messages:
Error invalidating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.
or
OAuthException: Error invalidating access token: The session has been invalidated because the user has changed the password.
But this isn't an access token dependent on outside users, only internal people (me and one other guy right now). We aren't changing our passwords or doing anything. I've even tested it by logging out of facebook after acquiring tokens and it works fine. It's just after a little while they expire for no reason that I can determine. When I get the tokens I can check them on the debugging tool and they are supposed to last 60 days (according to the doc) although the tool says they never expire.
I've set up the system so when it fails to post to the page I get an email with the link to my site to update the tokens.
Anyone have a clue what's going on?
As Mikhail pointed out, if you get an error reporting that the token is invalid cause user has changed the password. Odds are you are requesting a new token somewhere hidden in the code, when you already have a valid one.
Possibly related to this bug? https://developers.facebook.com/bugs/241373692605971?browse=search_4fb4832bcaf7b1549293950
I have the same problem in my app - sometimes tokens expiring.
One of the find reason: sometimes my app ask for new token while old token is valid and FB return an error or i couldn't save new token for some reason.
After that old token expire - only one token for pair user-app may be valid.
You can fetch the unauthorized token so a new token is requested (or whatever you like).
I can provide a nice explanation but you can read it all here:
https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
A temporary solution is to ask the user to delete the application from it's profile, and allow it again.
I had same problem and resolved it "reinstalling the app to users facebook applications". it may help you if nothing answers to problem.
To do that:
facebook user who is facing the problem goes to its facebook page
he/she removes your app from his/her application list.
Retry to login via facebook sdk on android.