Please give me some idea that how to access user's information through facebook application even though i have created one app which was registered in facebook which allow the users to add with that application so that we can access the user's information through the registered application.
Please reply me soon as possible
check http://php-drops.blogspot.com/2011/04/facebook-login-fconnect-graph-api-php.html
That's going to depend on how much information you're looking to get about the user. You can use the signed_request object to get the user that's signed in:
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$data = json_decode(base64_url_decode($payload), true);
And from the data get the user
$user = $data->user;
Once you have a verified and logged in user, you can use the graph API to get back what you want about the user as long as you've set up your permissions correctly:
$user_profile = $facebook->api('/me','GET'); // with $facebook being your authenticated FB object
The $user_profile will have all of the information about the user that's listed on this link:
FB User Object
Let me know if that's what you were asking about. The above information is based on a PHP program, you can do most of that with the FBJS code as well.
Related
I've already gone through this question, but my question is different. I am unsure of how can javascript login be sure and how can some-else not login into others account.
According to the getting started FB.authResponse is called when the login is successful, but in the client's side of course.
Then we can get the userId & accessToken out of the response, we can also make call to /me to get more information. In order to put that user into session, all this info about successfull javascript login has to be sent to the server and this is where I get confused.
After all it's HTTP, every other request is different and can be replicated.
May be it's just that I'm confused, about how someone can't hack and immitate any other users' facebook id to login into his account.
For e.g. after the authentication is success, I make an ajax call to my server providing
the fb-user-id and then I match it with the database and put the appropriate user in the session, but not since this is fb-user-id is not verified again in the back-end (or is it verified?, I didn't found anything though about it) that this particular user is the one who actually signed up in my application, then a same login request with someone else's fb-user-id can be made to login into his account.
I'm sure, I'm not the first one to have this confusion. Please help to clear this confusion, as I've read the docs many times now, but still unable to figure out why can't someone else login into someone else's account.
EDIT
I found this similar question but the guy here doesn't answer how he verified backend login or may be I was unable to understand.
According to :
How to securely authorize a user via Facebook's Javascript SDK
Send the signed_request field to your server, which is being received in the authResponse using the javascript sdk
Then in the server-side, the following procedure as stated in the documentation has to be followed for verfication :
Once you have captured the signed request, you need to perform three steps:
Split the signed request into two parts delineated by a '.' character (eg. 238fsdfsd.oijdoifjsidf899)
Decode the first part - the encoded signature - from base64url
Decode the second part - the 'payload' - from base64url and then decode the resultant JSON object
Here is an example in PHP:
function parse_signed_request($signed_request) {
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$secret = "appsecret"; // Use your app secret here
// decode the data
$sig = base64_url_decode($encoded_sig);
$data = json_decode(base64_url_decode($payload), true);
// confirm the signature
$expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
if ($sig !== $expected_sig) {
error_log('Bad Signed JSON signature!');
return null;
}
return $data;
}
function base64_url_decode($input) {
return base64_decode(strtr($input, '-_', '+/'));
}
This will produce a JSON object that looks something like this:
{
"oauth_token": "{user-access-token}",
"algorithm": "HMAC-SHA256",
"expires": 1291840400,
"issued_at": 1291836800,
"user_id": "218471"
}
After getting the user_id, that particular user can be put in session, although there needs to be other checks for proper authorization.
As a second check, the issued_at can be checked to see if it's not more than 10 mins old.
Taken from here.
However, there may be scenarios where your app_secret may be
compromised. To take care of this case, you should follow step #3, as
the exchange of code for access_token can happen only once and within
10 mins of it's issue. If the user doesn't have an account with your
site, then you anyway need step #3 to use the access_token for
retrieving other necessary user data, like name, email, etc from FB.
In order to refresh token the following call can be made from your server
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
Reference
When making a graph API call you need an access_token that is unique to an user and an app.
When query a call concerning a user-id and just manipulate it, the access-token you are using belongs to the original user and Facebook API just returns the information the manipulated id may get. This may be different if the manipulated user is a friend of the original or not.
Simplified:
Your user logs in at your website and accepts your scope params.
Now Facebook returns a user-id and an user access_token that is valid just to this user and your one app.
Most graph calls now needs a user-id and an access_token. If you do an update request for example on the users friend lists and the access_token does belong to the user, graph api will return an error.
It you store the access_token on your server and send it to your server via HTTP-Request / AJAX and not via https, a man in the middle could catch the access-token and abuse it.
I'm trying to find the ID of the user visiting my page tab (without having to make him authentify before using the page)
I've tried several methods:
$requete_fb = $facebook->api('/me');
$me = $facebook->api('me', array('fields' => 'username'));
$request = $facebook->getSignedRequest();
$uid = $facebook->getUser();
But all of them did not work (getUser returns me 0, the others PhP errors.)
So how can I do that? I'm not trying to break the TOS, I'm trying to fetch basic information (the locale).
Any other way to do it?
It is not possible to get a user_id without the user's permission:
The user_id and oauth_token will only be passed if the
user has authorized your app.
However the locale is available in the user object. Please see Signed Request for more information.
I'm creating a facebook app with facebook php adk 3.0.
I was able to do facebook connect login successfully as per the sample code from github.
the page to which i'm redirecting after facebook login is returning my correct user id using the function
$user = $facebook->getUser();
But if i go to any other page in the app, and if i call $facebook->getUser();, it's returning zero.
Seems like i should save logged in user session some where, anybody know solution for this?
After long search i found solution for this.
From the page to which u'll be redirected after facebook login, store access token in session.
$access_token = $facebook->getAccessToken();
$_SESSION['token'] = $access_token;
Then if you want to call a fb api from any other page, set access token as below before calling the api.
$access_token = $_SESSION['token'];
$facebook->setAccessToken($access_token);
Hope it will help.
I am trying to work out how to post to a Facebook page wall, when using my app as a different Facebook User (who is not the Page Administrator).
I get a range of error messages while testing:
Exception: 200: The user hasn't authorized the application to perform this action
The page administrator has visited the app and accepted the following permissions: publish_stream, manage_pages, offline_access
Here is the code I plan to use:
// Insert Page Administrators ID here
// This user is not the same user that is currently logged in and using the app
// This user is the page administrator who has authorised:
// - manage_pages
// - offline_access
// - publish_stream
$user_id = '123456789';
// Insert Page ID here
$page_id = '123456789';
$accounts = $facebook->api('/'.$user_id.'/accounts');
foreach($accounts['data'] as $account)
{
if($account['id'] == $page_id)
{
$page_access_token = $account['access_token'];
echo "<p>Page Access Token: $page_access_token</p>";
}
}
// publish to the wall on your page
try
{
$result = $facebook->api(array( "uid" => $page_id,
"method" => "stream.publish",
"access_token" => $page_access_token,
"message" => $message, ));
}
catch (FacebookApiException $e)
{
error_log('FB Error: Could not post on Page Wall. Page ID: ' . $page_id);
error_log('FB Error Message: ' . $e);
}
Note: There may be PHP errors in the code above, as I just spliced it on the fly, but its not so much the PHP errors I need correcting, but more my logically understanding of how I am meant to go about this process.
PROBLEM:
I can't access the $user_id/accounts information without an active user access token for the Page Administrator.
The end result that I'm trying to achieve is:
1.) A normal FB user goes to the app and submits a form
2.) The app posts a message on a FB Page wall, which is not owned by the FB user, but has previously been authorized by the Page Administrator with the following permissions manage_pages, publish_stream and offline_access
Q1. Since the Page Administrator has accepted the appropriate permissions, why can't I just generate an active user access token, without the actual Page Administrator user logging into the website?
Q2. Is there a way I can get the equivalent of /$user_id/accounts for the Page Administrator user_id, when logged into Facebook as a different user (which is why I do not use /me/accounts)?
Q3. Please confirm that my understanding of needing the page access token to post to the page wall is correct (or do I need the user access_token for the Page Administrator - see Q1)?
Q4. Anyone have a handy resource on what each type of access_token can actually access?
If you need any more information, please let me know.
I've spent the last few days working on this and I'm stuck.
Thanks!
You can ask the page admin for manage_pages along with offline_access. I do this in my production app to be able to post scheduled postings onto the pages' walls.
Nope. Not possible. That's what asking permissions is all about. And why not everyone gets to administer everyone else's pages. Could you image if you could administer anyone's page without them granting you access?!?
To post to the page as the page, you need a page access token. To post to page's wall as a user, you need a user access token.
Yes, please see: https://developers.facebook.com/docs/reference/api/permissions and https://developers.facebook.com/docs/authentication/
If you have further questions about any one of these, please start a new question. It's not really fair to users of stackoverflow to be hit with 4 questions in one and then to be asked followup questions to each of those.
I have done in Django:
Step to get Page_access_token:
facebook_page_id=360729583957969
graph = GraphAPI(request.facebook.user.oauth_token.token)
page_access_token=graph.get(facebook_page_id+'?fields=access_token')
This way you can get Page access token.
You can check this thing on Fb GraphAPIexplorer:
http://developers.facebook.com/tools/explorer
GET URL: fb_page_id?fields=access_token
for example: 360729583957969?fields=access_token
that will give you page_access_token
I've got some trouble with Facebook authentication. Even when I'm logged, the function getUser() returns 0
Here's my code :
$fb_params = array(
'appId' => APP_ID,
'secret' => SECRET_ID
);
$fb = new Facebook($fb_params);
echo $fb->getUser(); // UID
Someone's got an idea?
PS : 'I can no long access to $fb->api('/me'), it says it requires an access_token, I think it's linked to the authentication issue...'
Thanks
You are currently not authenticating as a user, only as an application. As a result, the Facebook API can't show you the /me page or respond to a getUser() call since it doesn't know what user you are trying to access the API on behalf of (ie. "Who is /me?"). You will also only be able to access publically-accessible information.
You need to get a user to authenticate your application through Oauth2, store the access_token you are returned, and then include it in any future calls (eg. WIRQjCey1.3600.1309525200.0-509450630|eD6SAR">https://graph.facebook.com/me?access_token=2227470867|2.AQB-_WIRQjCey1.3600.1309525200.0-509450630|eD6SAR...).
To do this using the PHP SDK you can do
$loginUrl = $fb->getLoginUrl();
echo "<a href='$loginUrl'>Login with Facebook</a>";
Clicking that link and having the user authenticate will store the access_token to the $_SESSION, and when you hit refresh the "new Facebook( $fb_params );" constructor will pick out the access token from the $_SESSION and use it for all future calls, so then calls like $fb->getUser(); will return correctly.
There's a functioning example in the examples folder of the SDK, here:
https://github.com/facebook/php-sdk.
You can use it to try calls while authenticated as an application (public data access only), and then as a user.