When working with my app, or with the Graph API Explorer, I have learned that I can access some information about anybody. Take for example,
https://graph.facebook.com/btaylor.
This includes the topics 'feed' and 'posts', which need 'read_stream' permission. I can get the information, even though he has not extended such permission to my app that I know of. My question is, do 'read_stream' topics have an undocumented peculiar status that does not require permissions?
I'll answer your two questions separately.
First, read_stream permissions is not inconsistent. You will need an access token to read someone's stream, no exceptions. The inconsistency you're observing probably lies in the presence of the access token within the URL. For instance
https://graph.facebook.com/btaylor should not provide you with anything more than basic details because the URL does not contain an access token.
https://graph.facebook.com/btaylor?access_token=AAAAAAITEghMBAMFnukHXAQgLGCfnptZAkF41gIDFt7ycPYkRpGic5MoHkpB6CZCaT21PPyQDOjYo7Tn4mGFH7CyNW06kgrZAWbeTVt9YwZDZD will show you additional details because it does contain the access token. However, realize that the access token will expire at some point, so the above link might not work. This link with the proper access token can be found here: http://developers.facebook.com/docs/reference/api/#auth
When looking at btaylor's posts, https://graph.facebook.com/btaylor/posts will tell you you need an access token but https://graph.facebook.com/btaylor/posts?access_token=AAAAAAITEghMBAMFnukHXAQgLGCfnptZAkF41gIDFt7ycPYkRpGic5MoHkpB6CZCaT21PPyQDOjYo7Tn4mGFH7CyNW06kgrZAWbeTVt9YwZDZD will show you all the posts.
It's possible that the Graph API Explorer is caching the access token and sending it with your request without your knowledge, but this doesn't seem to be the case for me. Are you sure the access token is not present within the "Access Token" field?
Second, the reason that you can see data publicly on someone's Facebook profile is because of their Facebook privacy settings. Facebook privacy settings do not correlate at all to the permissions requested and given via the Graph API. You could have everything public on your Facebook profile but none of it (besides the basic information) will be available via the API. A user has to explicitly allow your application access to their information when using the API. As to "why" this is the case, it's probably due to privacy and spam. If everyone in the world had API access to all information a person provided publicly, there would probably be a whole lot more spam only allowing that information to be viewed on facebook.com.
Related
Which access token type should I use to make a light and secure Open Graph call, say to get the number of likes on certain URL?
The first solution that came to me was to generate a user access token with just a "public profile" permission via Open Graph Explorer and use that one. But it didn't work, and it will expire, so I would have to re-generate the token every time.
The other one solution is to use an application access token which doesn't expire:
app_id|app_secret
It seems redundant to me, quote the docs:
This can be used to modify the parameters of your app, create and
manage test users, or read your application's insights.
Why do I need to get so many privleges, if I just want to read some public data? And I don't want to expose my application to some possible malware intrusion in the case of a app_id and/or app_secret leak
The question is not only about how I can get the likes of certain URL, I guess it's more about how to use and manage access tokens wisely.
All Facebook Graph API endpoints are documented. From this documentation, you will be able to learn which action on which endpoint requires which type of access token, and which permission scopes.
To get "the number of likes on certain URL" you cannot use graph API. Neither the /?id=URL endpoint, nor the /OG-Object-ID endpoint that you can derive from the former give you back a like count.
For websites that you manage, Facebook Domain Insights might give you what you are looking for.
I have written a Python script that makes some statistics for me and a couple of friends based on our posts and comments in them. I've been using it by getting a temporary token in Graph Explorer and copying it to the script before running it. So far I've been able to access friends' posts with API 1.0 (and for some time with 2.0, I assume that was a bug) but now the 1.0 API is getting closed and I'm running into an issue - while some of the /post requests are still accessible to me, many return an "Unsupported get request" error. I can only assume that I can't access these anymore unless I'm using their User Access Token.
I'm not sure what I can do now:
ask them to use Graph Explorer to provide me a temporary token. It works, is pretty secure with default permissions but I would have to do it every time I wanted to update the data.
make some sort of dummy app that they will log into once. I don't know if that violates any rules and if it will be removed immidetaly, I hope not. But I have no idea how to extract the user access token out of the app so I can use it in the script.
What's the "correct" way of doing this?
If the App is only for a specific group of people, it should be no problem. Just add your friends as Tester in the App so they can authorize it with the read_stream permission. Else you would need to go through a review process, and Facebook usually does not approve read_stream.
You don´t really need to handle the Access Token, just use the JavaScript SDK and read the stream of your friends whenever they visit your App.
Btw, you can get the Access Token in the callback response of FB.login. But it will only be valid for 2 hours, you can extend it to 60 days though. More information about extending Access Tokens: https://developers.facebook.com/docs/facebook-login/access-tokens
Easy solution: Create an entry page where your friends (who are Testers in the App) can authorize with read_stream. Right after authorization or refreshing the Token with FB.getLoginStatus, read their posts and store them.
Here´s some code to get you started on that entry page: http://www.devils-heaven.com/facebook-javascript-sdk-login/
...of course you can also just let your friends generated the Access Token manually. Information about that can be found in the Facebook docs (see Link above) or (for example) here: http://www.devils-heaven.com/facebook-access-tokens/ - they can then give you the Token, it will be valid for 60 days if it´s an extended one, or only 2 hours if it´s a default User Token.
I have a CMS application which needs a little component that allows an editor to select a facebook page post to display.
I've been going around facebook API and I don't fully understand what is the proper way of doing it.
This would be a server call, I would prefer not to have an access token because I am not making the request on behalf of any user.
I've tried using access_token=app_id|app_secret, but apparently that request requires an user session. So I went to the graph explorer and copied my access token. That worked fine initially but then I learned that they expire. I could get a long live token, but apparently those also expire eventually.
So, what is the best way of doing this? I think that using someones facebook access token for this is risky. The token could be revoked at any point breaking the feature in production. Can I achieve this without an user access_token? if I cant, how is this token normally managed?
Update:
Well actually the app_id|app_secret works, just not in every case. I created several pages for testing purposes and it doesnt work in any of them. Then I tried accessing a post from some brand pages (unrelated to my project) and they work ok. So my problem is configuring the page.
When I tried to access the post using app_id|app_secret I get:
(#100) Requires user session
Posts are public in all cases
I already tried to assign a vanity url to the page, no change
I think it's not possible to use just an App Access Token to get the Page Posts. Unfortunately the docs are not very clear on this IMHO:
https://developers.facebook.com/docs/graph-api/reference/v2.2/page/feed/#readperms
An access token is required to view publicly shared posts.
A user access token is required to retrieve posts visible to that person.
A page access token is required to retrieve any other posts.
Interesting problem I'm having right now.
Signing in an App gives a access token looking something like this:
AAACwFsGcSr4BAOGUTwfuZAWuUcwZC0rJ7noZCKMqhBI7ivDCsIGqduGIZCus5PRaS6KuREqxLmhfvZAZAkz5WCpFfANtUpYHgZD
This access token can't access users PUBLIC information, while one issued by Facebook on developers.facebook.com - CAN.
You can easily test this by logging to your facebook and going to this link: http://developers.facebook.com/docs/reference/api/
You'll see that Facebook automatically generates access token on DEMO urls like this one:
https://graph.facebook.com/me/music
?access_token=2227470867|2.AQCvlA_ZaJ2MfRR0.3600.1318266000.0-100001572415177|2FeweU6ZvOQS9OCF5ZBV58_PtPg
If you would change /ME/ to any user which has his MUSIC posted as public, you WILL be able to access that data with Graph API.
Now try to get an access token to your APP and call the same Graph API method with generated access token, the returned data is empty JSON object.
Whats’ the difference between these access tokens? How to obtain access token, that I could get public information using Graph API?
I was thinking that logging in your APP is the highest possible access token and the only higher token is token with specified permissions...
Any guidelines would be great :)
http://developers.facebook.com/docs/reference/api/permissions/
I believe the difference is that you can specify additional permissions in a scope parameter,
so if you wanted to read a user's feed you would have to specify read_stream. I was trying to accomplish this with an access token from a server-side authentication flow in ruby, but the access token only allowed to me to navigate accross a certain portion of graph.facebook.com/user_id/feed? requests. If you get any insights or comes across a solution shoot it my way too, if you can.
Is Facebook graph API enough secure to store and retrieve data? Apparently, it's quite easy to access information of some unknown person with appropriate query. I would like to know is there any security threat of making personal information public? If anyone has any idea please share.
All depends on the permission.Here is the link for facebook app permission.
Permissions
It works.
Thanks
user has to give you permissions first before you're allowed to access his private informations.
To store data -> what do you mean? It's not storage engine
To retreive data -> PHP sdk uses https protocol so yes, it's secured
The only information you can get from the graph is public info, or content which you have a valid access token for.
If you have stored a user's Facebook ID, you can still only access their information when you have a valid access token. That could either be obtained by having the user authenticate with Facebook, or by requesting the offline_access permission from the user. With offline_access, the life of the access token is dramatically extended, meaning that you can make API calls on the users behalf while they are offline, but you can still only perform actions that the user has granted permission for.
Whether you should make your personal information public on social networks and what security ramifications sharing your personal information has is a whole other discussion, and not really suited to this site.
As long as you have the permission from the user to access his profile, you can view all the information which USER WANTS you to see.