Is Facebook graph API enough secure to store and retrieve data? Apparently, it's quite easy to access information of some unknown person with appropriate query. I would like to know is there any security threat of making personal information public? If anyone has any idea please share.
All depends on the permission.Here is the link for facebook app permission.
Permissions
It works.
Thanks
user has to give you permissions first before you're allowed to access his private informations.
To store data -> what do you mean? It's not storage engine
To retreive data -> PHP sdk uses https protocol so yes, it's secured
The only information you can get from the graph is public info, or content which you have a valid access token for.
If you have stored a user's Facebook ID, you can still only access their information when you have a valid access token. That could either be obtained by having the user authenticate with Facebook, or by requesting the offline_access permission from the user. With offline_access, the life of the access token is dramatically extended, meaning that you can make API calls on the users behalf while they are offline, but you can still only perform actions that the user has granted permission for.
Whether you should make your personal information public on social networks and what security ramifications sharing your personal information has is a whole other discussion, and not really suited to this site.
As long as you have the permission from the user to access his profile, you can view all the information which USER WANTS you to see.
Related
We are building a mobile app on behalf of a corporation and the API needs to be able to return the corporation's Instagram feed. We have found that implementing what should be a simple requirement incredibly difficult.
We need to retrieve the following Instagram post data from the corporation's feed:
image url
caption
url to post
timestamp
With this in mind we identified that we need to use the Instagram Graph API which means there are strict requirements around permissions.
Note: We are open to using any method that returns us the required data.
Using the Instagram Graph API we need to use the following endpoints:
Media (to get a list of the latest IG Media objects for a user)
IG Media to get detail about each media object
This works fine but the problem lies with getting a long-lived User Access Token. To get this kind of token we need the instagram_graph_user_media permission. The Long-Lived Access Tokens documentation says:
Long-lived tokens are valid for 60 days and can be refreshed as long as they are at least 24 hours old but have not expired, and the app user has granted your app the instagram_graph_user_profile permission.
How can the app user (the corporation) grant the app the permission? As I mentioned this is for an app on behalf of a corporation.
Any help here would be really appreciated!
Thanks
Did you go through the App review process in Facebook? Whenever there are user permissions involved, you need to go through the App review process for your app. Even though you don't use user permissions, some user permissions are pre-requisites for some business permissions.
Read the article here for more information: https://developers.facebook.com/docs/app-review
Unsure if this will be of any help, but battling exactly the same thing today came across this and it made for some intresting reading https://solrevdev.com/2020/05/28/instagram-basic-display-api.html
I am trying to build a miner to pull some statistics from public Facebook pages using Graph. This is easy enough going through the developer documentation and generating a short-term user access token. With the short-term user access token I am able to pull everything that I need.
Easy Problem:
I would like to get a long-term access token for obvious reasons, and I was able to do this following several other answers through this site. So I created an app and used the app to create a 60 day user access token. This ended up being pretty straightforward.
Harder Problem:
With this long-term user access token I am not able to pull the same public information that I could pull with my basic user access token. For example, "category" is not available when pulling information about a public page. Also, I cannot see the number of likes for a given public post. I have a feeling that there is something with the App permissions but I'm not sure what I should do.
App Specifications/Information:
I added a logo, privacy policy and I have the basic permission set for e-mail, public_profile and user_friends. I have not added a platform or any additional permissions.
I would really appreciate it if someone could let me know how to either keep my user account logged in while I make the get requests or give my app user token the permissions to mine posts on public accounts.
When working with my app, or with the Graph API Explorer, I have learned that I can access some information about anybody. Take for example,
https://graph.facebook.com/btaylor.
This includes the topics 'feed' and 'posts', which need 'read_stream' permission. I can get the information, even though he has not extended such permission to my app that I know of. My question is, do 'read_stream' topics have an undocumented peculiar status that does not require permissions?
I'll answer your two questions separately.
First, read_stream permissions is not inconsistent. You will need an access token to read someone's stream, no exceptions. The inconsistency you're observing probably lies in the presence of the access token within the URL. For instance
https://graph.facebook.com/btaylor should not provide you with anything more than basic details because the URL does not contain an access token.
https://graph.facebook.com/btaylor?access_token=AAAAAAITEghMBAMFnukHXAQgLGCfnptZAkF41gIDFt7ycPYkRpGic5MoHkpB6CZCaT21PPyQDOjYo7Tn4mGFH7CyNW06kgrZAWbeTVt9YwZDZD will show you additional details because it does contain the access token. However, realize that the access token will expire at some point, so the above link might not work. This link with the proper access token can be found here: http://developers.facebook.com/docs/reference/api/#auth
When looking at btaylor's posts, https://graph.facebook.com/btaylor/posts will tell you you need an access token but https://graph.facebook.com/btaylor/posts?access_token=AAAAAAITEghMBAMFnukHXAQgLGCfnptZAkF41gIDFt7ycPYkRpGic5MoHkpB6CZCaT21PPyQDOjYo7Tn4mGFH7CyNW06kgrZAWbeTVt9YwZDZD will show you all the posts.
It's possible that the Graph API Explorer is caching the access token and sending it with your request without your knowledge, but this doesn't seem to be the case for me. Are you sure the access token is not present within the "Access Token" field?
Second, the reason that you can see data publicly on someone's Facebook profile is because of their Facebook privacy settings. Facebook privacy settings do not correlate at all to the permissions requested and given via the Graph API. You could have everything public on your Facebook profile but none of it (besides the basic information) will be available via the API. A user has to explicitly allow your application access to their information when using the API. As to "why" this is the case, it's probably due to privacy and spam. If everyone in the world had API access to all information a person provided publicly, there would probably be a whole lot more spam only allowing that information to be viewed on facebook.com.
I am creating a web application that is trying to use "public" Facebook content.
It is not your traditional "Facebook Application" because I'm not actually signing up Facebook users to use it, but the users will be all server-side.
I've come to a point in which I am having to use an "access_token" for certain "public" pieces of content and I have been able to generate a app access_token but this does not work for the public data I'm interested in accessing.
access_token's created via
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=client_credentials
do not work for
https://graph.facebook.com/chickfila/notes?access_token=CODE_FROM_ABOVE
which is publicly accessable w/o login here...
http://www.facebook.com/ChickfilA?sk=notes
Any way to give an app itself a user-level access_token?
I had a very similar problem with publicly available event data. What I had to do was to create an offline access token for the admin of the application.
So, log in with your admin and open the following URL (replace APP ID with your ID and eventually you need more permissions, but read_stream and offline_access should do the trick):
https://graph.facebook.com/oauth/authorize?client_id=APPID&scope=offline_access,read_stream&redirect_uri=http://www.facebook.com/connect/login_success.html
This will give you a code, that you will paste in the following URL (with your APP ID and SECRET):
https://graph.facebook.com/oauth/access_token?client_id=APPID&redirect_uri=http://www.facebook.com/connect/login_success.html&client_secret=SECRET&code=CODE
This will give you an access token that should work forever (or until you change your password).
Recently I used the access token freely available from the Facebook Graph Explorer which will let you browse different graph resources and will let you specify what permissions you need. For this you can tell it you want offline_access and that token can be used to pull this information whenever it is needed without worrying about your token expiring.
Create an user just for your app and let the user authorize your app and get the access token and use it for this kind of data fetching. Some manual work but as long as you have some user authorized access token you should be able get the public contents.
On the documentation page for Facebook Graph API there are a lot of example links such as https://graph.facebook.com/me/likes?access_token=SOME_AT
Could anyone explain how the access_token for these links are generated?
All I've read in the documentation were about getting access_token only for applications, but on that page everyone could get an access_token without one.
You can use the graph API to get public information. People set privacy settings on facebook, so to prevent social freaks from stalking you, they(fb) created Autorisation.What I believe is that on the documentation, they are generating the access token using the Developers App. You can generate this Access token by making an application and asking a user to Authorise your application to access his data using OAUTH dialogs. Usually people reading at developer.facebook.com have enabled the Developers app so it easily opens your information.
The Graph API as such allows you to
easily access all public information
about an object. For example,
https://graph.facebook.com/btaylor
(Bret Taylor) returns all the public
information about Bret. For example a
user's first name, last name and
profile picture are publicly
available.
To get additional information about a
user, you must first get their
permission. At a high level, you need
to get an access token for the
Facebook user. After you obtain the
access token for the user, you can
perform authorized requests on behalf
of that user by including the access
token in your Graph API requests:
The access_token in these links are generated using your Facebook identity and an application ID (presumable associated to "developers.facebook.com"). If you go to the same page with another Facebook account, you will see different access tokens.