I am trying to build a REST API that will login to Facebook using socialite with lumen, a micro-service of Laravel. I have set up my Facebook app and configured the client_id, secret and access url accordingly.
The work flow is:
Here is the work flow
1.get user details from socialite
2.check the user existence with email ,if its exists execute auth::login, otherwise create a new record in users table and redirect to profile.
The program now redirects me to Facebook, however once the user presses the login button, it returns the following error:
Client error: `POST https://graph.facebook.com/v3.3/oauth/access_token` resulted in a `400 Bad Request` response:
{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100,"error_subcode":*****,"f (truncated...)
I am confused as it has not been long since I generated the token and no user login/ permissions have changed, so the token should not be expired. Do I need to store the access token in a database in order to grant the user permission or is there some way to store it in a user's browser session?(I already have a database configured on forge for user name and email)
Related
I'm using django-oauth-toolkit with djangorestframework where our partner user will register their application and get application credentials (client id and client secret) which then used to get access token that can be used further to get our server resources. Upto now I'm able to convert those form based application registration process and other apis through rest. But while I hit for access_token only access token with expire are coming as response. Refresh token also supposed to come along the access token but it's not. What I'm missing here...
Below is the sample api response for access_token
And the oauth2 settings
FYI: I'm using Client type as "Confidential" and Authorization grant type as "Client Credentials"
Findings: This may be helpful for others
There is no need for refresh token for grant type client credentials.
Further descriptions RFC doc ; grant type client credentials
I trying to revoke all permission on withdrawl user
facebook document said will be conducted by calling Url with 'user access token or app access token
https://graph.facebook.com/me/{user_id}/permissions
but i cant attaching user access token in this request, but i can attach app access token in query params.
so i requested this url with app access token, but response message is
"An active access token must be used to query information about the current user."
Can I really request it with an app access token?
/me/{user_id}/ makes no sense as request path here.
You either use /me, in combination with a user or page token - then that alias will resolve to the actual ID of the entity the token belongs to.
Or you use an app-scoped user ID directly.
If you want to perform any actions on a user account using the app access token, then you must use the second version.
https://graph.facebook.com/{user_id}/permissions?access_token={app_access_token}
We have REST Web API written in .NET CORE, which are used on REACT SPA, we are using OKTA with PKCE.
For our API(s) we have end to end test cases written using postman/newman, the API(s) depend on JWT access token for finding user details.
How can I get access token from OKTA for PKCE flow without user interaction?
I followed this for getting access token but even this one throws a browser window for username/password.
https://developer.okta.com/docs/guides/implement-oauth-for-okta/request-access-token/
Is there a way I can pass username and password in the payload and get access token back?
In essence I am after a flow which lets me fetch access token using resource owner username and password on PKCE flow.
It seems with SPA configuration it isn't possible as per OAuth specifications.
Had to create a native app with PKCE and used "Get Access Token with Resource Owner Password Credentials" API in the postman collection available on OKTA
How can I get a Facebook access token that will grant permission to request information on events that the user has RSVP'd to (interested or attending)? My current method works for my user, but not other users.
My current method:
I'm using the Facebook Javascript SDK to log in as a user, get an access token, and then query the graph API to get data about events that the user has logged into.
The route I'm hitting to get event data is (pseudo):
https://developers.facebook.com/docs/graph-api/reference/v2.12/event
Or in my code (pseudo)
https://graph.facebook.com/v2.12/{event-id}?{access-token}&fields={fields}
When the app logs in as my own user (also admin of app), I get an access token that can be used to query the event route successfully, but when it logs in with another user, I get a failure when hitting the event route with the API token I receive:
"Unsupported get request. Object with ID '466582570713258' does not exist, cannot be loaded due to missing permissions, or does not support this operation."
According to Facebook's API documentation, it states that my app needs the user_events permission to hit the event api endpoint that I'm looking for:
https://developers.facebook.com/docs/graph-api/reference/v2.12/event
I went through the verify process and requested that permission for my app, which now has these approved:
PERMISSIONS
email
Provides access to the person's primary email address. This permission is approved by default.
public_profile
Provides access to a person's name and profile picture. This permission is approved by default.
user_events
Provides access to a person's events.
If I grab the API token I get back when logging in as a user (other than myself), it does say that user_events scope was granted, which would seem to be sufficient to get a response from the event endpoint. But it is failing as above.
There is documentation for test users in the Facebook Developer online documentation but how do you delete actual users where the application doesn't show in their app list anymore? This is with the knowledge of the access_token and facebook_user_id.
Used to delete Test Users:
https://graph.facebook.com/893450345999?method=delete&access_token=A2ADI1YMySweBABBGrWPNwKMlubZA5ZCrQbxwhtlEd9FIQUrOVjsGD3mnIWEbUhzDz7dkuBekMFdHvjvJ9CZAU7EMSSaZBsgN60FkMCi3AAZDZD
Running the test user link produces the following error:
"error": {
"message": "(#100) Can only call this method on valid test users for your app",
"type": "OAuthException",
"code": 100
}
You seek for application de-authorization:
You can de-authorize an application or revoke a specific extended permissions on behalf of a user by issuing an HTTP DELETE request to PROFILE_ID/permissions with a user access_token for that app.
permission - The permission you wish to revoke. If you don't specify a permission then this will de-authorize the application completely.
To achieve this issue request to:
https://graph.facebook.com/me/permissions?method=delete&access_token=...
Once application de-authorized it will not appear in the list of user's applications.
Update December 2021
Follow the reference for Requesting & Revoking Permissions:
To remove single permission issue a DELETE request to /{user-id}/permissions/{permission-name} passing user access token or an app access token
To de-authorize an app completely issue similar request to the /{user-id}/permissions endpoint
Real users 'delete' themselves from your app when they remove your app from their account, you don't have to do anything.
If you would like to know when users de-authorize your app like this, you can specify a Deauthorize Callback URL in your app's settings. As described in the docs at https://developers.facebook.com/docs/authentication/:
Upon app removal we will send an HTTP POST request containing a single parameter, signed_request, which, once decoded, will yield a JSON object containing the user_id of the user who just deauthorized your app. You will not receive an user access token in this request and all existing user access tokens that were previously issued on behalf of that user will become invalid.
UPDATE: To remove your own app from the user's authorized applications, issue an HTTP DELETE to https://graph.facebook.com/[userid]/permissions?access_token=... as per https://developers.facebook.com/docs/reference/api/user/.
Typically Graph API calls also support doing an HTTP POST with an extra parameter, method=DELETE, in case DELETE calls are not possible/supported.
To do it:
You must have the user access token.
Visit https://developers.facebook.com/tools/debug/accesstoken/ and debug the user access token.
Copy App-Scoped User ID
Via API call HTTP DELETE to https://graph.facebook.com/[App-Scoped User ID]/permissions?method=delete&access_token=[YOUR-APP-ACCESS-TOKEN]