Converting Facebook session keys to access tokens - facebook

I have a web app that allows users to connect Facebook account with their account on my site. When the user decides to connect with Facebook, the app requests publish_stream and offline_access permissions, and then stores the Facebook uid and session_key for each user. All this works fine right now.
My problem is migrating to Facebook's new OAuth 2.0 system. I'd like to transform the session keys I have into access tokens. I followed these instructions and everything seemed to work fine; Facebook returned a bunch of access tokens. However, none of them work. When I try to go to a URL such as https://graph.facebook.com/me?access_token=TOKEN-HERE, I get an error that says "Error validating client".
What am I doing wrong?
Also, I'm under the impression that access tokens work just like session keys in that once I have one, I can use it forever (since I request offline_access permissions). Is that correct?
Update:
Below are the exact steps I took to convert a session key into an access token, along with the output I got. Hopefully that will help bring my problem to light.
Step 1: Convert Session Key to Access Token
Code:
$session_key = '87ebbedf29cc2000a28603e8-100000652996522';
$app = sfConfig::get('app_facebook_prod_api'); // I happen to use Symfony. This gets an array with my Facebook app ID and secret.
$post = array(
'type' => 'client_cred',
'client_id' => $app['app_id'],
'client_secret' => $app['secret'],
'sessions' => $session_key
);
$options = array(
CURLOPT_POST => 1,
CURLOPT_HEADER => 0,
CURLOPT_URL => 'https://graph.facebook.com/oauth/exchange_sessions',
CURLOPT_FRESH_CONNECT => 1,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_POSTFIELDS => http_build_query($post)
);
$ch = curl_init();
curl_setopt_array($ch, $options);
$result = curl_exec($ch);
curl_close($ch);
var_export(json_decode($result));
Output:
array (
0 =>
stdClass::__set_state(array(
'access_token' => '251128963105|87ebbedf29cc2000a28603e8-100000652996522|Dy8CcJzEX8lYRrJE9Xk1EoW-BW0.',
)),
)
Step 2: Test Access Token
Code:
$access_token = '251128963105|87ebbedf29cc2000a28603e8-100000652996522|Dy8CcJzEX8lYRrJE9Xk1EoW-BW0.';
$options = array(
CURLOPT_HEADER => 0,
CURLOPT_URL => 'https://graph.facebook.com/me?access_token=' . $access_token,
CURLOPT_FRESH_CONNECT => 1,
CURLOPT_RETURNTRANSFER => 1,
);
$ch = curl_init();
curl_setopt_array($ch, $options);
$result = curl_exec($ch);
curl_close($ch);
var_export(json_decode($result));
Output:
stdClass::__set_state(array(
'error' =>
stdClass::__set_state(array(
'type' => 'OAuthException',
'message' => 'Error validating client.',
)),
))

From reading your post here is my understanding -
You are tranforming session keys into access keys for each user in your system and storing these keys.
You then test the key using your own page. (Graph.facebook.com/me etc...)
If this is the case
A) You cannot use another users key with your own key. Going to graph.facebook.com would only be valid for the user that the key belongs to and if they were logged in. So for example, if you have my access key you could visit http://graph.facebook.com/YOURID....) but for graph.facebook.com/me to work you would have to be logged in as me.
B) These keys expire every 3 hours (Or there abouts) so it may no longer be valid.

The Platform Upgrade Guide has a section about OAuth 2.0 which includes the instructions for exchanging a session_key for an access_token. You should use this if you already have stored session keys.
For new users, you should use one of the new SDKs or the OAuth2 flow directly which will give you an access token to begin with.

Related

How to get email from facebook through Guzzle in laravel?

I am using below code to login via facebook in laravel.
Referring https://scotch.io/tutorials/token-based-authentication-for-angularjs-and-laravel-apps for token based authentication and using https://github.com/sahat/satellizer for social media integration.
$params = [
'code' => $request->input('code'),
'client_id' => $request->input('clientId'),
'redirect_uri' => $request->input('redirectUri'),
'client_secret' => 'XXXXXXXXXXXXXXXXXXX'
/*'client_secret' => Config::get('app.facebook_secret')*/
];
// Step 1. Exchange authorization code for access token.
$accessTokenResponse = $client->request('GET', 'https://graph.facebook.com/v2.5/oauth/access_token', [
'query' => $params
]);
$accessToken = json_decode($accessTokenResponse->getBody(), true);
// Step 2. Retrieve profile information about the current user.
$profileResponse = $client->request('GET', 'https://graph.facebook.com/v2.5/me', [
'query' => $accessToken
]);
$profile = json_decode($profileResponse->getBody(), true);
$profile returning only fb id and user name.
What changes should I do to get email from facebook.
Use below code in your step 2.
$fields = 'id,email,first_name,last_name,link,name';
$profileResponse = $client->request('GET', 'https://graph.facebook.com/v2.5/me', [
'query' => [
'access_token' => $accessToken['access_token'],
'fields' => $fields
]
]);
Replace this:
'https://graph.facebook.com/v2.5/me'
with this:
'https://graph.facebook.com/v2.5/me?fields=name,email'
It´s called "Declarative Fields", see changelog.
Also, you need to authorize with the email permission, of course. And the email has to be confirmed. You can´t be 100% sure to get an email, some users use their phone number to login.
You should also check this out: https://github.com/sahat/satellizer/issues/615

Get user's country at Facebook: getSignedRequest() results without 'user' field

Code:
$facebook = new Facebook(array(
'appId' => some_fb_app_id),
'secret' => some_fb_app_secret),
'cookie' => true,
));
$result = $facebook->getSignedRequest();
echo var_export($result,1);
Result:
array (
'algorithm' => 'HMAC-SHA256',
'code' => 'A.....l',
'issued_at' => 1354720771,
'user_id' => 'some_user_id',
)
I expect $result["user"]["country"] to be set. How can I fix this problem?
ps. by Facebook Graph API - how to get user country?
According to the facebook PHP SDK getSignedRequest() only gives you the signed request, just like the name suggests. User info is usually gotten through the Graph API, using calls like
$facebook->api('/me','GET');
which gives you the profile for the user associated with the access_token you are using.
Note that you will only ever get information that you have the permissions for, so if you haven't added a particular bit of info beyond the basics to your apps scope, you will not get it.

Facebook API post to friends wall

I'm building application to post statuses from authenticated users like that one.
The problem is the application posting from my profile on friends wall who authenticated the application from my profile.
I'm using Facebook API with CodeIgniter.
the code
$userId = $this->facebook->getUser();
$IDs = $this->facebook_data->get_IDs();
if(isset($_POST['link'])){
$args = array(
'from' => array('name'=>'Resala','id'=>'294357147348261'),
'application'=>array('name'=>'XXXX','id'=>'XXXXX'),
'name' =>'XXXX',
'message' => $_POST['status2'],
'link' => $_POST['link']
);
}else{
$args = array(
'from' => array('name'=>'Resala','id'=>'294357147348261'),
'application'=>array('name'=>'Resala','id'=>'XXXXX'),
'name' =>'XXXX',
'message' => $_POST['status1']
);
}
foreach($IDs->result() as $row){
$ID=$row->user_id;
$this->facebook->api("/$ID/feed", "post", $args);
}
The right docs for creating a post are:
http://developers.facebook.com/docs/reference/api/user/#posts
There you can see the params "from" and "application" don't exist and "name (can only be used if link is specified)".
It's not possible to post in the name of an app. You can only post in the name of an page (that may be assosiated with the app).
Therefor you have to use the page access token instead of the user access token.
See: http://developers.facebook.com/docs/reference/api/page/#page_access_tokens

trying to determine if user is a page admin using FB GraphAPI

I have a page tab app. When the user clicks on the "Go to App" and is sent to my page tab edit url i am trying to determine if they are a page admin or not.
I have tried two different methods. I have tried from the only admin/owner of the page
method 1 used from https://developers.facebook.com/blog/post/2011/09/05/platform-updates--labor-day-edition/
$page_info = $facebook->api("/".$pageID."?fields=access_token");
$pageAccessToken = $page_info['access_token']
$is_admin_url = "https://graph.facebook.com/" . $pageID
. "/admins/" . $FBuser . "?access_token="
. $pageAccessToken;
$response = file_get_contents($is_admin_url);
response is {"data":[]}
I have also tried::
path = '/'.$pageID.'/admins/'.$FBuser;
$params = array(
'app_id' => FB_APP_ID,
'access_token' => $pageAccessToken
);
$is_admin = $facebook->api($path, 'POST', $params);
Although PAGE_ID/admins is a valid request, you need an admin's access_token to see the list. I.e. only admins can see who else is an admin.
What you can do is approach this from the other end by yielding a list of pages that the user is an admin of (using the https://graph.facebook.com/USER_ID/accounts/ data and the manage_pages permission) and search through that list for your application.
However, I would understand if some users would be reluctant to give the manage_pages permission, as it also provides an access token to authenticate as that page, which would be something of a security hole on their part. Unfortunately, there does not seem to be another way to access a list of pages for which that user is an admin.
Simplest way will be signed Request.
A signed_request parameter is POSTed to an application when the app is loaded inside a Page Tab.
You can get a lot of information from signed_request
require '../fb_sdk/facebook.php';
$config = array();
$config['appId'] = '45916xxxxxx';
$config['secret'] = '59caxxxxxx';
$facebook = new Facebook($config);
$facebook->setFileUploadSupport(true);
$signed_request = $facebook->getSignedRequest();
print_($signed_request); will have output like
Array
(
[algorithm] => HMAC-SHA256
[expires] => 1347210000
[issued_at] => 1347203265
[oauth_token] => AAAGhmv67ki8BAAfBwtxxxx
[page] => Array
(
[id] => 192430xxxxxx
[liked] => 1
[admin] => 1
)
[user] => Array
(
[country] => in
[locale] => en_US
[age] => Array
(
[min] => 21
)
)
[user_id] => 10000020xxxxx
)
You can use $signed_request[page][admin] value to determine whether a user is admin of current page, in which your app in loaded in Page Tab. If it's set to 1 then user is admin of the page else not an admin i.e. set to 0.
More About Signed Request
i had some luck using admin_only = true
https://developers.facebook.com/docs/graph-api/reference/user/groups/

Facebook Graph API - Same access token for all users

I have been madly trying to get access token for my users since long. I read at many sites to get it somehow by using getSession() and getting access_token from it... it gives me undefined function error.. I googled that too and all solutions said to use the updated SDK but mine is updated and it still won't work... so I finally got another solution to getting access token but this seems to be giving same access token for all users... any idea where the problem lies? All users certainly can't have same token right?
$app_id = $facebook->getAppId();
$app_secret = $facebook->getApiSecret();
function callFb($url, $params)
{
$ch = curl_init();
curl_setopt_array($ch, array(
CURLOPT_URL => $url,
CURLOPT_POSTFIELDS => http_build_query($params),
CURLOPT_RETURNTRANSFER => true,
CURLOPT_VERBOSE => true
));
$result = curl_exec($ch);
curl_close($ch);
return $result;
}
$params=array('client_id'=>$app_id, 'type'=>'client_cred', 'client_secret'=>$app_secret);
$url = "https://graph.facebook.com/oauth/access_token";
$access_token = callFb($url, $params);
$access_token = substr($access_token, strpos($access_token, "=")+1, strlen($access_token));
The issue is that you are asking for type=client_cred, which tells Facebook that you don't want access token for a user, but an access token for the app. This is used for doing things like accessing insights, the realtime updates API, and public data. If you want to get user data, you should not be passing that flag.
If you really do want to roll your own access to the Graph API, you can certainly do that, following the instructions at https://developers.facebook.com/docs/authentication/ .
You say you're using the PHP SDK but I don't see any mention of it anywhere in your code.
The proper way is this:
<?php
require('facebook.php');
$fb = new Facebook(array('appId' => APP_ID, 'secret' => SECRET));
$user = $fb->getUser();
// if we have a valid user, we're logged in
if ($user)
{
// do stuff with the API using the $fb object
}
else
{
// redirect the user to the authentication page
header("Location: ".$fb->getLoginUrl());
}
Example largely paraphrased from Facebook's SDK Github.