I have built a facebook app a couple of months ago and recently it started using the permission business_management.
I would like to know where this permission is used because the app never uses the endpoints /business, /business-user and /business-role-request as described here: business_management
My app uses the following endpoints:
/accounts with the fields id, access_token and name
/oauth/access_token?grant_type=fb_exchange_token to receive long lived access token
/{pageid}/posts with the fields message, updated_time, created_time, permalink_url, full_picture and message_tags
And thats it. There is no use of business_management. Is there a possibility to check where the endpoint is called?
I'm using graph api v6.0
Related
I would like to link users interacting with ShoppingPage to existing account on ShoppingMobile app if any. In other words, the use case "Given a user ID for a bot in Messenger, retrieve the IDs for apps owned by the same business" described in https://developers.facebook.com/docs/messenger-platform/identity/id-matching/#given-a-user-id-for-a-bot-in-messenger--retrieve-the-ids-for-apps-owned-by-the-same-business
I have 2 apps and 2 pages owned by the same business account:
Apps
ShoppingMobile - app with iOS and Android platforms and Facebook login enabled
1.1. ShoppingMobileTest - Test app created from ShoppingMobile
ShoppingBot - app with only Messenger and Webhook configured. Not applied for manage_pages and pages_messaging permissions yet.
2.1. ShoppingBotTest - Test app created from ShoppingBot
Pages
ShoppingPage - managed by ShoppingBot
ShoppingPageBeta - managed by ShoppingBotTest
During development, I tried to get ASIDs from PSID generated by ShoppingBotTest app using GET /{psid}/ids_to_apps endpoint. When using my own PSID (the same account that generates page access token), I can get associated ASIDs as expected.
https://developers.facebook.com/tools/explorer/2864546363594516/?method=GET&path=2090502677643890%2Fids_for_apps&version=v6.0
However, when I tried another PSID of my colleague who has Tester role in ShoppingBotTest app, empty result is returned. I already made sure both I and my colleague logged in ShoppingMobileTest app using the same account as the one interacting with ShoppingBotTest.
https://developers.facebook.com/tools/explorer/2864546363594516/?method=GET&path=3755682274504767%2Fids_for_apps&version=v6.0
The odd thing is, when I made my colleague generate page access token and retry with this token, I can get my colleage’s ASIDs as expected and my PSID returns empty result. It seems GET /{psid}/ids_to_apps only returns result when using with page access token PSID owner generated.
What could I do to ensure PSID-to-ASID matching would work with every user before submit ShoppingBot for App Review for manage_pages and pages_messaging permissions?
I am hitting a wall while developing seamless integration of a Facebook page with my bot.
Essentially I want to achieve same integration than Chatfuel or Manychat have, where being logged in with your Facebook account lets you to just choose what page you are connecting to them and you are good to go.
The problem I am facing is generating the proper token in order to bind the selected page to my app (bot). As per Facebook documentation:
When you create a subscribed_apps edge, the page-id you use in endpoint must match the page ID of the page access token used in the API call. The app that the access token is for is installed for the page.
Given the call has no other parameter than the access token, this access token has to be enough for Facebook to:
Authorize the action on the page.
Identify what app is being subscribed to the page.
This is confirmed while using the Facebook Graph API Explorer, where one selects the page and the app to bind and a proper access token is generated:
This token properly works using cURL in the terminal:
$ curl -X POST 'https://graph.facebook.com/v3.0/<MY_APP_ID_HERE>/subscribed_apps?access_token=<TOKEN_PASTED_FROM_GRAPH_API_EXPLORER>'
{"success":true}
With the Facebook Access token debugger (info icon on the left of the access token, then open in Access token tool), it is confirmed that the token knows about both the page and the app that have to be connected.
The question is, how are these page-app related token programmatically produced? I can't seem to find the proper API call in Facebook documentation and it is by all means possible, as Chatfuel and Manychat are doing this.
Thanks in advance for your support Lars Schwarz and community!
Adding some detail to Alex's answer, for it to be more complete.
When subscribing an app to a page, Facebook needs to:
Know what app you are talking about.
Know what page you are talking about.
Know that you have permissions on that page to subscribe an app.
How does Facebook know it all?
1 comes from the fact that Facebook login happens in the context of a page, actually, the Javascript code for Facebook contains your appId:
js.src = 'https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v3.0&appId=<YOUR_APP_ID_IS_HERE>&autoLogAppEvents=1';
2 Comes from the page_id in the URL used to subscribe apps to pages:
https://graph.facebook.com/v3.0/YOUR_APP_ID_HERE/subscribed_apps?access_token=YOUR_ACCESS_TOKEN_HERE
3 Comes from the access token, obtained in the context of an APP through Facebook login, that is passed as parameter in the URL used to subscribe apps to pages:
https://graph.facebook.com/v3.0/YOUR_APP_ID_HERE/subscribed_apps?access_token=YOUR_ACCESS_TOKEN_HERE
To do this, you need to put FB Login on your site/customer portal and request pages_messaging and manage_pages permissions. The person that logs in must be a Page Admin.
Once your app has been granted that permission for the page, you can generate a page access token as described here:
https://developers.facebook.com/docs/pages/access-tokens
All mutual friends request made from my app server (node) (also tried the Facebook API explorer) suddenly started returning an empty array for the data field. I confirmed and validated my access token and appsecret_proof on the API explorer. Do you know what has changed or what the request below is missing?
Note: both users use the app and have granted user_friends permission.
I am using v2.12
request
{
url: 'https://graph.facebook.com/v2.12/{user-facebookid}?fields=context.fields(all_mutual_friends.limit(5000))',
qs: {access_token: 'XXXXX'
,
appsecret_proof: crypto.createHmac('sha256', clientSecret).update(accessToken).digest('hex')
}
Yep. Facebook has taken down the Graph API for page access tokens. The only way to retrieve data (or was a week or so ago), was a temporary user token that lasts about 2 hours. It's totally broken my band's schedule page. I've been through every avenue and even spoke with a facebook ad team employee on the phone that was aware of it. She seemed to empathize but had no solution for me. I would count on it being down for a while.
I have finally figured out a work around for this. On your fb application, you have to disable the secret key requirement. This can be found under the advance settings of your fb application console. It's called "
Require App Secret".
Once you generate a fb PAGE access token, you get a fb page token, and then extend it.
here is the token debugger:
https://developers.facebook.com/tools/explorer/
You can extend the access token programmatically as explained here:
https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension
AND
https://developers.facebook.com/docs/facebook-login/access-tokens/#pagetokens
There is also an extend tool in the access token debugger.
We are having a facebook App we have detected some abusive users so we want to stop them from logging into our app, Any thoughts? There are examples given but Fb docs say those api's are deprecated now
You could just detect them on your own and set a flag in your database. They will still be able to use Facebook Login, but they will not be able to do anything in your App if they are flagged.
Either way, i did some Google research and found out that it may be possible with a simple POST (or DELETE) request to the /app-id/banned endpoint:
BAN
https://graph.facebook.com/{app-id}/banned
POST parameters:
access_token (A simple App Access Token)
uid (comma separated list of user IDs)
UNBAN
https://graph.facebook.com/{app-id}/banned/{user-id}
DELETE request, only access_token as parameter
It is not really documented though, but easy to test.
I am trying to use the Google Contacts API and the Python / GDATA client handlers to access Contacts via OAuth 2.0 for users in the domain. I'm ultimately wanting to create a web service to add contacts for users, but the first step is getting this test working.
I can access my own Contacts just fine if I use the default URI. However, when I pass in the email address to construct the URI for another user, I can't seem to access the other user's Contacts. Here is the code that I'm using:
client.GetContacts(uri=client.GetFeedUri(contact_list=userEmail))
A 403 error is returned when I execute this.
gdata.client.RequestError: Server responded with: 403
Your client does not have permission to get URL /m8/feeds/contacts/<userEmail>/full from this server.
Mostly just trying to understand if what I'm attempting here is even possible. In the Email Settings API, for example, you can get authenticated to the domain and pass in a user's email to list their labels, add filters, etc. So, I would anticipate that the Contacts API would work the same, though handled slightly differently, i.e. modifying the URI, instead of just passing in an argument to the client handler. Please let me know if I am wrong in that presumption.
For authorization, I'm getting the details using flow_from_clientsecrets, then getting the token to authorize the ContactsClient for the domain. Again, I can access my own contacts fine, so authorization seems OK, but I can't access other users' contacts.
client = token.authorize(ContactsClient(domain=domain))
Seems like I'm missing something with respect to accessing other users. Is anybody able to assist me over this hump? Here are some things that I've checked / confirmed:
Contacts API is enabled for the project
Scopes have been authorized for the Client ID in the control panel > Manage 3rd party access
I am a Super Admin in the domain.
Thanks for your time!
I figured out the answer here from another post with exceptional detail:
Domain-Wide Access to Google GDATA APIs
You need to use "Service Account" authentication. For some reason, I was thinking that would only work with the newer discovery-based APIs. But, service account access also works for GDATA APIs. I can access all the Contacts for users in the domain now.