Since the latest change on Facebook, regarding the appsecret_proof: https://developers.facebook.com/docs/reference/api/securing-graph-api/, we are still unable to download performance reports even after enabling/disabling features from Advanced Settings in our app, or apply the code as described in their document.
We are constantly getting this error:
{"error":{"message":"Invalid appsecret_proof provided in the API argument","type":"GraphMethodException","code":100}}
and I've open a confidential bug but no one returns to me with an answer.
I really don't know what more could we try?
The error is (based on my experience) almost certainly correct; it means you're proving an invalid appsecret_proof with your API call
Assuming you're using the standard PHP SDK without modifications, the most likely reasons for this are:
You configured the wrong app ID in the SDK code
You configured the wrong app secret in the SDK code
You're trying to use an access token from the wrong / another app
Another potential cause of the "Invalid appsecret_proof ..." error, is a user access token that is not associated with an app. If you are generating a user access token using the graph explorer, make sure to select an app from the dropdown on the top right corner. Otherwise, you will be generating tokens that only work within the graph API explorer.
I filed a bug with the Python SDK before I caught my mistake. GUIs are the devil.
No bug in the latest version of the facebook PHP SDK.
You need to create appsecret_proof as per the docs:
$appsecret_proof= hash_hmac('sha256', $access_token, $app_secret);
then pass it as a parameter to your api call.
See the docs here: https://developers.facebook.com/docs/graph-api/securing-requests/
Once I did this all was good and I didn't have to hack base_facebook.php
There is a bug in the Facebook SDK. After 20 hours of trying everything to debug my own code (which had no issues!), I commented this out in base_facebook.php:
/* Commented out by SJ
if (isset($params['access_token'])) {
$params['appsecret_proof'] = $this->getAppSecretProof($params['access_token']);
}
*/
And all the problems went away!
This is error is because of in correct token. It may be because you are using different account for configuring web app and mobile app for Facebook configuration. Both accounts should be same.
The app ID must be the same for your mobile app and your web app.
This error is the result of setting incorrect access token. For e.g posting to page album using a user's(admin's) access token. I have solved this error almost all the times by setting the proper access token
If this error is unexpected behavior, you may have checked a setting in your app to require it. Uncheck it and you should stop getting that error. That setting is in settings -> advanced and is called "App Secret Proof for Server API calls". Set that to NO.
As of now, that setting is on this page (make sure to put your appId in the URL): https://developers.facebook.com/apps/YOUR-APP-ID/settings/advanced/
Note this is not a universal solution, only a solution for people who don't want that behavior.
For me it was three fixes that made it work
Activate the Secret app and Access to API in the advanced configuration of your app in Facebook for developers. Although in theory it is not needed for me it always prompted that the appsecret_proof was needed even when those two options were off.
When creating the appsecret_proof, the access_token used to create it should be the same access_token to send in the request, and its the user access_token, my error was that I was using the app access_token. Use the user access_token.
Send the parameter appsecret_proof as appsecret_proof, not as app_secret_proof. A minor detail but happened to me.
Extra:
For python you can create the appsecret_proof like this:
import hmac
import hashlib
facebook_app_secret = '<your_app_secret>'
facebook_access_token = '<your_user_access_token>'
appsecret_proof = hmac.new(facebook_app_secret.encode('utf-8'),
msg=facebook_access_token.encode('utf-8'),
digestmod=hashlib.sha256).hexdigest()
print(appsecret_proof)
Gotten from facebook graph api calls with appsecret_proof in python
make sure your setting correct fbappid + fbappsecret
this error happens when those are not set correct
like you have 2 apps one development and one production
and you mess up the codes, double check those two
Just for people having the same problem;
When you set Client OAuth Login to "yes" on facebook, you should give proper Valid OAuth redirect URIs . Otherwise facebook throws exactly the same error.
In my case I needed to set Default Access Token via method: setDefaultAccessToken()
I used token generated in GraphApi dev tool but I did not switch into proper application. It was solved by changing application into proper one and using regenerated token.
I know that this is an old question but I solved mine by changing the Application to the proper application that I should be generating an access token with. E.g. from Project1 to Project2.
Perhaps something wrong with your access token, you need Business Manager style.
You can get the token from the content of https://business.facebook.com/settings/system-users/{sys_user_id}?business_id={business_id} with regex r'"accessToken":"([\d|\w]+)","context"'
Works for me:
$appsecret_proof = hash_hmac('sha256', $facebook_page_token, $app_secret);
WHERE facebook_page_token is the page token stored in my database created when I associate the page to the app.
Problem comes from wrong platform access token.
You should check your dashboard which you preferred to API and check your access token where it comes from.
I want to use http://api.twitter.com/1/blocks/create.json?screen_name=xxxxxxx (Twitter API) to block particular friends or followers from my account with the use of Twitter & Account Framework in iOS 5,
So what should i do to solve this issue, because i just want to use Twitter account , don't want to use OAuth.
It generate an error like : HTTP/1.1 401 API is secure. Needs security Credentials
The Twitter API requires OAuth authentication. However, if you're happy with targeting iOS 5 and up you can use the in-built Twitter framework to perform the OAuth calculations on your behalf, which will save you a lot of time. Take a look at the documentation for TWRequest:
http://developer.apple.com/library/ios/#documentation/Twitter/Reference/TwitterFrameworkReference/_index.html
Actually you need to put parameters of post requests in the body. This is described in the OAuth tool description under Request query:
This tool is available on the right of every rest API documentation page like this if you are logged in
You can use apigee console for twitter to test it but you will get the same error unless you include the screen_name parameter in the body
I am trying to integrate Twitter into my application. My basic requirement is to have custom login screen and as twitter requires only OAuth. As per Twitter documentation I found these
MGTwitterEngine(Downloaded but its missing entire OAuth library, hence could not compile)
bengottlieb(cannot customize login as it is web based)
XAuthTwitterEngine
XAuthTwitterEngine looks promising but XAuth is disabled by default and need permission from Twitter
So my questions are
1) what type of information I have to provide to Twitter in order to get approval for enabling XAuth
2) if XAuth is not recommended then how do I achieve my basic requirement mentioned about.
i hope my question is valid. Thanks so much.
You can also check out my Twitter client. It was specifically written for 'Share on Twitter' functionality. It uses XAuth.
http://github.com/st3fan/iphone-twitter
For future visitor's, here's the link on twitter request form for enabling XAuth, and some more support options:
https://support.twitter.com/forms/platform
I'm using the gdata OAuth controllers to get an OAuth token and then signing my requests as instructed.
[auth authorizeRequest:myNSURLMutableRequest]
It works great for GET requests but POSTs are failing with 401 errors. I knew I wouldn't be able to remain blissfully ignorant of the OAuth magic.
The Google Reader API requires parameters in the POST body. OAuth requires those parameters to be encoded in the signature like they were on the query string. It doesn't appear the gdata library does this. I tried hacking it in the same way it handles the query string but no luck.
This is so difficult to debug as all I get is a 401 from the Google black box and I'm left to guess. I really want to use OAuth so I don't have to collect login credentials from my users but I'm about to scrap it and go with the simpler cookie based authentication that is more mature. It's possible I'm completely wrong about the reason it's failing. This is my best guess.
Any suggestions for getting gdata to work or maybe an alternative iphone friendly OAuth library?
I was on the right path. The GData OAuth classes needed to support signing the POST params but what I didn't know is the keys needed to be sorted differently.
http://groups.google.com/group/gdata-objectivec-client/browse_thread/thread/adc4e2ba154fbc5f?hl=en
I have an application on Facebook with the API key, application secret etc....
I'm trying the use the Facebook API from a java application and it's telling me that it requires an OAuth2.0 access token. I tried googling about but I'm a bit lost. From where could I get this?
Thank a lot :)
Krt_Malta
See:
Facebook Graph API — getting access tokens