Since the latest change on Facebook, regarding the appsecret_proof: https://developers.facebook.com/docs/reference/api/securing-graph-api/, we are still unable to download performance reports even after enabling/disabling features from Advanced Settings in our app, or apply the code as described in their document.
We are constantly getting this error:
{"error":{"message":"Invalid appsecret_proof provided in the API argument","type":"GraphMethodException","code":100}}
and I've open a confidential bug but no one returns to me with an answer.
I really don't know what more could we try?
The error is (based on my experience) almost certainly correct; it means you're proving an invalid appsecret_proof with your API call
Assuming you're using the standard PHP SDK without modifications, the most likely reasons for this are:
You configured the wrong app ID in the SDK code
You configured the wrong app secret in the SDK code
You're trying to use an access token from the wrong / another app
Another potential cause of the "Invalid appsecret_proof ..." error, is a user access token that is not associated with an app. If you are generating a user access token using the graph explorer, make sure to select an app from the dropdown on the top right corner. Otherwise, you will be generating tokens that only work within the graph API explorer.
I filed a bug with the Python SDK before I caught my mistake. GUIs are the devil.
No bug in the latest version of the facebook PHP SDK.
You need to create appsecret_proof as per the docs:
$appsecret_proof= hash_hmac('sha256', $access_token, $app_secret);
then pass it as a parameter to your api call.
See the docs here: https://developers.facebook.com/docs/graph-api/securing-requests/
Once I did this all was good and I didn't have to hack base_facebook.php
There is a bug in the Facebook SDK. After 20 hours of trying everything to debug my own code (which had no issues!), I commented this out in base_facebook.php:
/* Commented out by SJ
if (isset($params['access_token'])) {
$params['appsecret_proof'] = $this->getAppSecretProof($params['access_token']);
}
*/
And all the problems went away!
This is error is because of in correct token. It may be because you are using different account for configuring web app and mobile app for Facebook configuration. Both accounts should be same.
The app ID must be the same for your mobile app and your web app.
This error is the result of setting incorrect access token. For e.g posting to page album using a user's(admin's) access token. I have solved this error almost all the times by setting the proper access token
If this error is unexpected behavior, you may have checked a setting in your app to require it. Uncheck it and you should stop getting that error. That setting is in settings -> advanced and is called "App Secret Proof for Server API calls". Set that to NO.
As of now, that setting is on this page (make sure to put your appId in the URL): https://developers.facebook.com/apps/YOUR-APP-ID/settings/advanced/
Note this is not a universal solution, only a solution for people who don't want that behavior.
For me it was three fixes that made it work
Activate the Secret app and Access to API in the advanced configuration of your app in Facebook for developers. Although in theory it is not needed for me it always prompted that the appsecret_proof was needed even when those two options were off.
When creating the appsecret_proof, the access_token used to create it should be the same access_token to send in the request, and its the user access_token, my error was that I was using the app access_token. Use the user access_token.
Send the parameter appsecret_proof as appsecret_proof, not as app_secret_proof. A minor detail but happened to me.
Extra:
For python you can create the appsecret_proof like this:
import hmac
import hashlib
facebook_app_secret = '<your_app_secret>'
facebook_access_token = '<your_user_access_token>'
appsecret_proof = hmac.new(facebook_app_secret.encode('utf-8'),
msg=facebook_access_token.encode('utf-8'),
digestmod=hashlib.sha256).hexdigest()
print(appsecret_proof)
Gotten from facebook graph api calls with appsecret_proof in python
make sure your setting correct fbappid + fbappsecret
this error happens when those are not set correct
like you have 2 apps one development and one production
and you mess up the codes, double check those two
Just for people having the same problem;
When you set Client OAuth Login to "yes" on facebook, you should give proper Valid OAuth redirect URIs . Otherwise facebook throws exactly the same error.
In my case I needed to set Default Access Token via method: setDefaultAccessToken()
I used token generated in GraphApi dev tool but I did not switch into proper application. It was solved by changing application into proper one and using regenerated token.
I know that this is an old question but I solved mine by changing the Application to the proper application that I should be generating an access token with. E.g. from Project1 to Project2.
Perhaps something wrong with your access token, you need Business Manager style.
You can get the token from the content of https://business.facebook.com/settings/system-users/{sys_user_id}?business_id={business_id} with regex r'"accessToken":"([\d|\w]+)","context"'
Works for me:
$appsecret_proof = hash_hmac('sha256', $facebook_page_token, $app_secret);
WHERE facebook_page_token is the page token stored in my database created when I associate the page to the app.
Problem comes from wrong platform access token.
You should check your dashboard which you preferred to API and check your access token where it comes from.
Ok so I am wanting to add the ability for users to use their facebook accounts to register to a site. I have gone through the dev files and various tutorials online. The issue is that no matter what method I follow I have yet been able to get it to work.
I have tried using source from here as well:
http://www.masteringapi.com/tutorials/how-to-use-facebook-registration-plugin-as-your-registration-system/15/
Is there some dependency that I need for the site, some other system for facebook to load right?
Here is the test version of the site: http://ohmsgaming.com/Misc/nstdt/v2/
Your page show an error like "'redirect_uri' should be an absolute url."
Use absolute Uri in redirect Url field of request query to fix the issue.
You can use Open Authentication technique to set up authentication system in your site. And once the user is authenticated you will get the publicly shared information of the user. This information can be registered in website at first login.
I successfully implemented the same in http://www.nowrunning.com using brickred's social auth code.
http://code.google.com/p/socialauth/wiki/GettingStarted
TL;DR version:
Can you authenticate with Facebook without having a callback URL for a web application since the web application isn't actually running on a server.
Full explanation:
I'm working on building a connectedTV platform application where the "app" itself is a bunch of HTML/JS/CSS running locally (like File -> Open on your desktop browser) and I'd like to integrate Facebook into this.
The problem is that all of Facebook's OAuth calls for the web require you to have a callback URL to redirect the user to in order to complete authentication. Here's the gotcha -- there is no URL for this application -- it's a locally running webpage on the device.
I know this is what out-of-band authentication was designed for, but I can't seem to find any documentation on how to use this (or how to do a non-callback OAuth flow) with the Facebook OAuth system.
You're describing desktop authentication or any situation where you are authenticating to FB without a server. The redirect URL you pass to the OAuth dialog is https://www.facebook.com/connect/login_success.html When the browser redirects you can get the access token. You can read all about it in the FB documentation, way at the bottom in the Desktop Apps section (https://developers.facebook.com/docs/authentication/)
Just reread your question and since the application runs inside a browser you will need to open another window to authenticate and get the access token from that.
If you're doing HTML/Javascript, use their Javascript SDK. You can log the guy in simply by using FB.login and getting the access token from the callback from that.
I really don't think this is directly possible. Unless there is something totally undocumented, Facebook has no mechanism to send authentication data except by loading a url. I'm sure it's meant at least partly as a security measure, functioning as sort of a "whitelist" of where auth data will be sent.
The only way I can think of for you to work around it might be to set up a url on a server somewhere that could answer the redirect and store the auth data, and have your client-side code poll that server to get it. Kind of a proxy authentication service, in effect. You would probably have to open a second browser window with the Facebook auth screen in it, but in theory it could work.
I'm getting into the grimy guts of a problem that has turned out to be rather cumbersome so I turn to you, the experts, for help.
what I've done so far: I am building an iphone app with phonegap. I am using the provided fbconnect (in phonegap github) code which gives some rather convenient javascript based example code to build things like a comment and check in request. I have comments and checkins fully working how I want, and I have an auth_token that I am successfully toting around.
enter the like button: I understand that you cannot make like requests via xmlhttprequest in the same way that you can with comments for example, so I am stuck using an iframe (unless there is a better alternative).
what I need help with: right now, since the iframe is triggering its own login, I have the situation where the user might log in to like, and then have to log in again to comment which is not a viable. Is there a way to pass a valid auth token to the iframe so the user wont be prompted to log in again or some other sneaky way to authorize through the childbrowser solution that I have currently implemented and then share the auth token to the rest of the app?
notes: I havent passed an app ID to my auth implementation but I noticed that the iframe does pass an app ID. would including an app ID in my auth request somehow link the logins so facebook could recognize that the user is already logged in through the app?
I can't think of any specific code to include since this is more of a general question but if there is anything you'd like to have a look at please let me know.
The short answer is no, mainly for security and spam prevention. The only way to have the user like your page is rendering the iframe code in a webview. This requires a traditional email/password login with Facebook. Using the graph api is the only way to use things like commenting and checkins, and this requires a user to login via a separate mechanism and then subsequently approve your app. There is no back door logging in mechanism.
In version 1 of my website, i implemented Facebook Connect with the JavaScript API. This included authentication, permissions, and publishing.
In version 2 of my website (what i'm implementing now), i have implemented Facebook Connect with the Graph API (OAuth).
I haven't touched the Facebook settings in my application. But when i attempted to authenticate using OAuth, it asked for the same permissions again (email, basic information) - even though i had already granted those before (using version 1)
The only difference i can see if that previously i asked for permissions via FB.showPermissionsDialog, now i use the scope parameter in the login page URL (OAuth).
What this means is when i go live, all my users will have to re-authorize my app, when they in fact shouldn't.
Any ideas? Is it because i'm now using AppId/Secret (OAuth) instead of ApiKey/Secret (JS API)?
FYI i'm using the Facebook Connect C# Toolkit.
I don't think that makes sense. Are you using the same application id? The permissions are between the application and the user, as far as I know.
Problem goes on unsolved, but site is live so not much i can do about it now.
Not a huge deal anyway.
I think you need to validate your oauth using javascript-sdk:
Check this response hope this gives you some idea.