So I have stored the "access_token" and marked it as "offline_access". All that is fine. Now, what I am trying to do is: I want a PHP page to "refresh"/be executed every minute, and then use that token that I stored (which I want to change at anytime manually, say from a field in the database) and then change the status of the user. Say I have the tokens for 3 of my facebook accounts.
I know how to post and all that, but when I try it without a session, it is telling me I need to create a session to do it. However, this is server-side. I don't know how to do the session without seeing the "login" button of Facebook on the server side.
How to do this? Any thoughts on how to make my PHP page, when executed, create a new Facebook object from the Facebook PHP class, and then plug in the whatever Access Token and UID maybe, and then post to the wall of the user?
Thanks!
Answered here:
Facebook offline access step-by-step
Related
I've spent the better part of a day researching this and thought I could figure this out on my own, but no luck.
Here's the situation, I have FB authentication in a mobile app. This is working fine. A user can log in and I can access the public profile data, etc.
The issue is that I would like to have NEW users or first time logins to create new records in my private database, because I am looking to store more than email, and FB id. For example, favorite items. I can also accomplish this easily enough with a post to (www.mywebsite.com/api/users/).
So, the REAL issue is that I don't want to have a route that simply allows people to add users to my database, willy-nilly.
Is there a way to pass the access token to an API route to ensure that a user can only add a new user-record to the db IF they have a valid FB login?
I've set up the famous "auth/facebook" route that is popular on the web which also works great, until I access it from my app. It then throws X-origin errors (I believe in part due to the callback route).
this post was similar, but still doesn't quite cover it.
Authenticating against a REST API with iOS client using Facebook SSO as the only login mechanism
Please help!
Thanks,
Wayne
After another two days of digging, I found a rather simple solution.
The facebook graph API will allow you to submit the access token to recieve basic user data.
So my solution is now this:
1. Use cordova-facebook4 plugin to authenticate within the app. (You can find details here: https://github.com/jeduan/cordova-plugin-facebook4
2. Send the FB id AND authentication token to my server route, like this: `myapiserver.com:1234/auth/facebook/<token>/<id>`
3. On the server side, send an ajax request to https://graph.facebook.com/me?access_token=<token received from the
cordova plugin>. This will return the name and FB ID as JSON.
4. On the server, compare the ID returned from facebook to the ID sent with the request. If they match, add the new user, if not, do
not add the user and return an error. Of course, the server will
not allow a new account to be added to the system if that FB id is
already in use.
At this point, it seems that the worst harm that could be done is for someone to hack another person's FB account, get their token and ID and THEN use that to create a user on my system for that person. Which seems pointless enough that I'm not going to worry about those attacks.
Please comment if you know of a better solution or I missed a security vulnerability.
Ref: How to get the Facebook user id using the access token
when I do a get request to
https://graph.facebook.com/[userid]
with the access_token i get all the basic info
but when I do
https://graph.facebook.com/me
with the same token i get an error message: An active access token must be used to query information about the current user
I have tried to under stand what can cause that.
I even tried to token that comes with the signed request
I'm on classic asp, with JSON library, I want the auto to be server side if possible. the FB.api("/me" is working but it is not what i really want to achive
I am pretty sure you donĀ“t have a user access token. Did you login the user? Of course you get the public data of every user with your first link, even without any access token. You can even put it directly in the browser and will get results. But for "/me" you have to authorize the user to your app.
See here: https://developers.facebook.com/docs/howtos/login/server-side-login/
It is the same problem as in the other thread for sure, just a different Programming language.
Remember: If the user did not accept at least the basic permissions in a dialog or redirect, he is not logged in and you will never know anything about him in the app (except for some specifics in tab apps, like language, like-status and stuff).
I'm fairly new to facebook development and I still get confused about the oAuth thing.
A client of mine asked me to show the latest posts, links and statuses of his facebook page to his website.
On the a php page on his website I'm creating a url
"https://graph.facebook.com/".$clientFacebookPage."/posts?limit=1&access_token= xxx
In order to json decode it and display the info I want, but I don't know how to get an access token. I generated an access token with the graph explorer that is tied to my name as a facebook developer but that expires in 2 hours.
There are many thing that confuse me already and I hope you can point me towards a solution
I've read the documentation but everything revolves around users getting logged on your app and you app posting. So my questions are:
Do I need to create an app to do a curl (requiring special permissions) using the http://graph.facebook/xxxx url?
If so, does the adming of the facebook page need to authorize with the app?
What do I need to do next? I can create a web page using the app id and secret. Does that mean that I can retrieve the info of the facebook page? How?
I know that the page needs an auth token to curl the http://graph.facebook/xxxx page and retrieve the data needed. Where can I generate it? Does the webpage need to generate it, or do I have (as the app developer) acquire the token and write it to my php code?
If I log out of the facebook, will the program/webpage stop functioning?
I hope I didn't confuse you.
Thank you.
The basic process for obtaining an access token for a Page is as follows:
1. Get a user access token for a User who is an admin of the Page
2. Using this User token, request graph.facebook.com/me/accounts and look for the correct Page ID in the list returned.
3. Grab the associated Page token from that ID
4. Use it to do Page stuff.
There is a newly launched Facebook docs guide which shows you how to obtain one of these access tokens in a step-by-step fashion:
https://developers.facebook.com/docs/howtos/login/login-as-page/
Hopefully that guide should help you.
I will also answer your questions in order:
Yes, you will need an app in order to generate access tokens to make API queries
Yes
This is in the guide linked above (start at the Getting Started if you need to create a way to get a User Access Token also)
Again, see the guide above
Yes, but you should follow the steps in this guide to generate a long-lived access token. Once you do that, any Page token you retrieve will last forever.
We're using the Facebook JS SDK to authenticate users to our application, then sending that information to the server back end to log our user into the application (we support multiple forms of authentication but we can only support FB using a client side flow).
FB is able to log in correctly, I'm able to authenticate the user and everything else, but there's one wrinkle that I'm not sure how to handle, and I'm having difficulty finding anything in the documentation about it. Facebook sends back an accessToken in addition to an id. My question is, how do I verify on the server side that the accessToken is correct for the given id? I want to make sure that the data the user sends us matches what Facebook sent them, and I can't imagine this is that out of the ordinary, yet I can't seem to find any documentation on it.
In the response from Facebook should be a signed_request string that can authenticate that the data is genuine with and decoded to yield the user id and an oauth token for the user.
Passing this along with the other response to your server-side code should allow you to validate everything pretty easily.
May I suggest this answer from another question! It uses try-catch. It is probably the only way to verify that the authentication and the permissions are valid! That's how they do in their examples
Facebook OAuthException: (#1)
I dont think facebook provides any other way of checking
Situation: I am developing a facebook canvas app. Facebook is sending my sever a POST request with the signed_request each time that a page is render. Inside my app I have all my links with target="_top" because if I don't, facebook send my server a common GET without the signed request. So I cann't check the user info.
Problem: It is too slow! even if I am testing it in local, each click that I press takes 1 sec to render and my canvas becomes completely white and then the info is shown, It will be a bad user experience.
My tests: If I remove the target=_top and I point all my links' href to my server without the app.facebook.com/whatever, it loads very quickly.
My doubts: Is there any security issue with this? If I point all the links to my server (no apps.facebook.com) I can not check the signed request, I will only check it in the main page..
Any advice? any tutorial? Do I have any misundestanding of this? (It is my first facebook app)
Have you read the Server-Side Authentication tutorial?
You're doing it wrong.
Once the users lands in your app you should keep all links in the same frame, loading the entire window along with facebook is completely redundant.
What you should do:
When you get the POST with the signed request, decode it and check if the user is authenticated, if he is persist the data (token and such) somewhere (session, db, cache).
If he is not authenticated send him to the auth dialog as noted in the tutorial, when he gets back exchange the code you get (in GET) for the token (also shown in the tutorial), then redirect him to http(s)://apps.facebook.com/YOUR_APP and you'll be posted with the authenticated signed request, save it, etc..
Since you persist the data, in every request that is not POST or don't include the signed_request check your persistency choice for the data, and use it.
There should be only two times where facebook sends you the request, once it is POST when your canvas is loaded, the 2nd is when the user returns from the authentication dialog, in which you either get the code parameter or error in case the user declined the authentication.
Other requests should be from your app (inside the iframe) into the app servers.
JDL,
I believe you are querying the graph API at each request (and that's why you always need the signed_request). Is this right?
The graph API is pretty slow (~ 1 second/query) and you should use only when necessary. For example, when you first receive the access_token you should save it in your session and query the graph API to retrieve the respective facebook user info. But then you should put the info you need about this user in your session and only refresh it (using the graph API) when the signed_request access token is different from the one you have saved in your session.
The behavior of adding _top to the target of your links is ok and a good practice within facebook canvas.