I want to fetch feed/post/statuses data for a particular user.
But found that it is necessary to have an access token.
My concern is , do we need to have a separate access token for every user to fetch their information or merely with a single access token it is possible?
The access token is used to verify that the user making the call is verified and has the correct permissions to perform that action. Every user has his/her own access token for each application. As the comments say above, access tokens expire after a while, so you have to re-request them when the user logs back into your application.
There is also "long-term" access tokens that can be retrieved by requesting the offline_access permission. In this case the access token is valid for (i think) 30 days or until the user changes his/her facebook password.
All the information you need about access tokens can be found at https://developers.facebook.com/docs/authentication/
An Facebook Graph API access token allows you to do what a Facebook application running as a particular user, with a particular set of permissions (https://developers.facebook.com/docs/reference/api/permissions/), is permitted to do. Some data on other Facebook objects (such as users) may be available with the access token of another user, especially if they are a "friend" of the user in the access token.
For example, suppose the access token specifies User A and permission "friends_birthday". You should be able to query the birthday of user B if (1) user B is a friend of user A, and (2) user B permits his/her friends to see his/her birthday.
I don't know your full scenario, but if you are really just fetching data, you may find it easier to use https://facebookpsmodule.codeplex.com rather than writing your own Facebook application.
Related
Each user who allow permission to my app will have an access token
or
One access token can handle actions, for example, upload photos to an user album?
I know that an access token can expire up to 60 days,
so do I need save this access token for each user on my database and when request comes from that user, load the access token for him?
Each user who allow the app will have an access token, which will include all the permissions user has granted to your app.Read more about user access tokens here
Each user who allow permission to fb app, will have different Access Token which will be unique.
The Access Token is generated on the basis of browser session from client, AppID and App Secret. In a web server based application, it is not absolute requirement to save application token for user. But application like HootSuite saves user credentials and access token for later use to get facebook feeds and other services.
So it depends on application requirement.
Thanks
Each user sends you another access token in context to use User session of course.
An access token is a random string that provides temporary, secure
access to Facebook APIs.
A token identifies a User, App or Page session and provides
information about granted permissions.
And in User Access context:
You can use this token to perform API calls on behalf of a user,
including reading, publishing and deleting, depending on the
permissions your app has. For example, you can retrieve a user's
friend list or publish a new photo to their timeline with a user
access token.
http://developers.facebook.com/docs/concepts/login/access-tokens-and-types/
Yes, you have to remember this access token if you dont want to reconstruct it. But in many API's this is done "automagically", for e.x. in PHP SDK the access token is stored in user cookie. If you implement more complicated user-flow, you have to remember access token OR regenerate it each time (http://developers.facebook.com/docs/concepts/login/login-architecture/). Remember, that access token will expire and you will have to regenerate it (on the faith of already granted permissions).
FYI: If you want to preserver offline access (executing application activities without user session), you will consider offline_access, but it is deprecated:
http://developers.facebook.com/roadmap/offline-access-removal/
Hope it revealed the problem.
I have started on developing a server side application that requires integration with facebook. My needs is an access token that will not expire, but unfortunately facebook has removed the offline_access feature and replaced with a long-live user access token that will last only 60 days.
I realise that there is an Application Access Token that will not expire. When I use it instead of the User Access Token to fetch the feed, I get must less information.
I have read from other sources that as long as relevant permissions are delegated, such as read_stream is given, using the application access token should allow the server-side application to access the users information that accepted the facebook application.
Am I mistaken ? Can anyone help to clarify ? Thanks
Thanks
Excerpt from: https://developers.facebook.com/docs/opengraph/using-app-tokens/
While an App Access Token is largely for the purposes of publishing information back to Facebook on behalf of the user, there is a limited set of information that can be retrieved from Facebook using an App Access Token.
Basic Profile Info of a User (ID, Name, Username, Gender)
A User’s Friends and their IDs
Permissions granted by the User to your App
So there is a limited set of info you can get using an app access token. So you probably don't want to use it to get the user's feed.
I have a poll app running on facebook (each user gets a vote each day). Until now I didn't store on my database the user access token. This is now updated and I'm keeping the access token by this time. Each time a user votes I save his access token.
My problem is how to get the user's access token from previous votes, is this possible considering that they have authorized my app? Is there a method for this? I have the users id.
(the only reason for needing this is to get the "is_verified" property from FB graph API)
Thanks for your help,
Hugo
You cannot get user access_token without authenticate him.
You can however send your users app to user request engaging user to visit your application so you'll be able to store user's access_token.
Beware that access_token may expire and offline_access permission is deprecated (and will be removed soon), you can extend tokens up to 60 days (extending will only works for users who re-authenticated, not already authenticated)...
I have been asked to look into whether or not I can retrieve a Facebook access token from Facebook if the user had granted permission in an earlier session. The problem is that our business logic tier is maintained by a different group and is on a different release schedule from the web development group. If I were to gain an offline access token, I might not be able to store it for up to two months. For any users acquired in the meantime, is there a way that I can retrieve the token from facebook without further intervention from the user?
I would think that this might be a security hole, but one of our senior developers thinks that it is likely that facebook offers such a feature.
Thanks,
Rob
In short No.
But with the offline access request being complete.
You can request a new token without any user clicking.
You just get a new offline access token and use that. The same way as if you didn't request offline access, and the access token had expired, it doesn't explicitly say but it does work:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission.
http://developers.facebook.com/docs/authentication/
That way you don't have to store them at all.
Unless you actually want to perform actions when the user is not using your Application.
You'll get the access_token every time the user logs back in, offline_access or not !
You can get it in JS with FB.getAccessToken();
There is no way to retrieve (offline) access token, when the user is not actually logged in.
If you want to store the access token for a long period of time, you will be required to ask for the offline_access permission, otherwise the access token will only last a short period of time. Either way, it is best to store it in a cookie or locally as it will certainly improve your app's latency. But make sure to check its validity as often as possible.
I think the access_token means, you have the permission to do things on behalf of the user. If you must do something without user FB login, you need the offline access_token. But be careful, the offline access_token will be ignored, when the user change his/her FB password, or delete the application.
So I hope there isn't any way to get another access_token without the user permission. I think the easiest way to check the access_token to make a /me?access_token= GET request, and check the answer. If the answer is an error, the access_token not working, you have to renew it.
To get access_token from somebody in the middle of the flow is a little pain. But you can also put variables to the redirect link.
Example:
https://graph.facebook.com/oauth/authorize?client_id=API_KEY&scope=email$redirect_uri=YOUR_REGISTERED_APP_URL%3F$param
$param could be a flow info like: flow=12342323
So when your user come back the $_GET['flow'] will be 12342323.
I wonder is it possible to access user's wall info without passing his/her access token?
for example, I will just pass my app secret token and app id. and FB user already allows to access his/her info from my app. Facebook does the checking and matching of my app and my app's user by just using my app secret token and app id.
Because I found some topics similar to that.
http://forum.developers.facebook.net/viewtopic.php?pid=9172
When I check Rest FB doc,it says like that.
http://restfb.com/javadoc/index.html
public DefaultFacebookClient()
Creates a Facebook Graph API client with no access token.
Without an access token, you can view and search public graph data but can't do much else.
I doubt that it will work or not without access token.
can everyone share me ideas or any possible similar approaches ?
Thanks.
You will need to ask the users to authorize your app for offline access. You will be able to access the user's wall even if the user is offline, but you still need the access token. It is part of Facebook's security measures.
There are two types of access tokens:
Session based: expires in a short term, are used when the user will be logged to FB every time you need to perform an operation.
Offline access: do not expire and allow the app to perform operations for the user in any moment. This requires the offline_access permission when the app is authorized.
Check here: http://developers.facebook.com/docs/authentication/ for the oauth mechanism and here: http://developers.facebook.com/docs/authentication/permissions/ for the permissions list.
The REST API is deprecated and it is strongly suggested that you don't use it anymore. Furthermore, from this October you will be allowed to use only the Oauth2 authentication (see When is Facebook turning off their session based auth?)
Without token you can only access public information.
Public data
From RestFB homepage :
// It's also possible to create a client that can only access
// publicly-visible data - no access token required.
FacebookClient publicOnlyFacebookClient = new DefaultFacebookClient();
If the user does not protect his posts, then you can access everything without token. But most of user do protect their data and then you need a valid user access token to read the data.
Private data
When you say "FB user already allows to access his/her info from my app" it means that the user has clicked on "Allow app" in the web browser and at that moment here Facebook will give you a token. You can after use that token with RestFB :
FacebookClient facebookClient = new DefaultFacebookClient(USER_ACCESS_TOKEN);
User user = facebookClient.fetchObject("me", User.class);
out.println("User name: " + user.getName());
By default, the token will expire a few hours later. If you ask for the offline_access permission, the token will be valid for ever (as long as the user does not remove the permission for your app in his settings). You should store that token in your database to be able to use it when you need.
Get the user token
You cannot get the user token with RestFB. On the RestFB homepage, you can read :
Non-goals: [...] Providing a mechanism for obtaining session keys or OAuth access tokens
Because you need a browser to do so : the user has to authenticate and authorize your app on Facebook website (the popup that shows).
What you can do is to have a PHP page on which your users have to go to authorize your app. You can read this stackoverflow answer that explains how to use the Facebook PHP SDK to do so.
Hope that helps !