There is documentation for test users in the Facebook Developer online documentation but how do you delete actual users where the application doesn't show in their app list anymore? This is with the knowledge of the access_token and facebook_user_id.
Used to delete Test Users:
https://graph.facebook.com/893450345999?method=delete&access_token=A2ADI1YMySweBABBGrWPNwKMlubZA5ZCrQbxwhtlEd9FIQUrOVjsGD3mnIWEbUhzDz7dkuBekMFdHvjvJ9CZAU7EMSSaZBsgN60FkMCi3AAZDZD
Running the test user link produces the following error:
"error": {
"message": "(#100) Can only call this method on valid test users for your app",
"type": "OAuthException",
"code": 100
}
You seek for application de-authorization:
You can de-authorize an application or revoke a specific extended permissions on behalf of a user by issuing an HTTP DELETE request to PROFILE_ID/permissions with a user access_token for that app.
permission - The permission you wish to revoke. If you don't specify a permission then this will de-authorize the application completely.
To achieve this issue request to:
https://graph.facebook.com/me/permissions?method=delete&access_token=...
Once application de-authorized it will not appear in the list of user's applications.
Update December 2021
Follow the reference for Requesting & Revoking Permissions:
To remove single permission issue a DELETE request to /{user-id}/permissions/{permission-name} passing user access token or an app access token
To de-authorize an app completely issue similar request to the /{user-id}/permissions endpoint
Real users 'delete' themselves from your app when they remove your app from their account, you don't have to do anything.
If you would like to know when users de-authorize your app like this, you can specify a Deauthorize Callback URL in your app's settings. As described in the docs at https://developers.facebook.com/docs/authentication/:
Upon app removal we will send an HTTP POST request containing a single parameter, signed_request, which, once decoded, will yield a JSON object containing the user_id of the user who just deauthorized your app. You will not receive an user access token in this request and all existing user access tokens that were previously issued on behalf of that user will become invalid.
UPDATE: To remove your own app from the user's authorized applications, issue an HTTP DELETE to https://graph.facebook.com/[userid]/permissions?access_token=... as per https://developers.facebook.com/docs/reference/api/user/.
Typically Graph API calls also support doing an HTTP POST with an extra parameter, method=DELETE, in case DELETE calls are not possible/supported.
To do it:
You must have the user access token.
Visit https://developers.facebook.com/tools/debug/accesstoken/ and debug the user access token.
Copy App-Scoped User ID
Via API call HTTP DELETE to https://graph.facebook.com/[App-Scoped User ID]/permissions?method=delete&access_token=[YOUR-APP-ACCESS-TOKEN]
Related
How can I get a Facebook access token that will grant permission to request information on events that the user has RSVP'd to (interested or attending)? My current method works for my user, but not other users.
My current method:
I'm using the Facebook Javascript SDK to log in as a user, get an access token, and then query the graph API to get data about events that the user has logged into.
The route I'm hitting to get event data is (pseudo):
https://developers.facebook.com/docs/graph-api/reference/v2.12/event
Or in my code (pseudo)
https://graph.facebook.com/v2.12/{event-id}?{access-token}&fields={fields}
When the app logs in as my own user (also admin of app), I get an access token that can be used to query the event route successfully, but when it logs in with another user, I get a failure when hitting the event route with the API token I receive:
"Unsupported get request. Object with ID '466582570713258' does not exist, cannot be loaded due to missing permissions, or does not support this operation."
According to Facebook's API documentation, it states that my app needs the user_events permission to hit the event api endpoint that I'm looking for:
https://developers.facebook.com/docs/graph-api/reference/v2.12/event
I went through the verify process and requested that permission for my app, which now has these approved:
PERMISSIONS
email
Provides access to the person's primary email address. This permission is approved by default.
public_profile
Provides access to a person's name and profile picture. This permission is approved by default.
user_events
Provides access to a person's events.
If I grab the API token I get back when logging in as a user (other than myself), it does say that user_events scope was granted, which would seem to be sufficient to get a response from the event endpoint. But it is failing as above.
I have a social media-type web app and want to have some read-only access even when a user isn't logged in. For example, if the user votes on a poll, I want nothing to happen but the user should still be able to see it. I am using token authorization. I'm wondering, should I do a check on the front-end somehow to see if a user is logged in (perhaps checking for the existence of a token in local storage) and not perform a fetch if they're not? Or should I somehow, in the frontend, handle receiving a 401 response from the backend for trying to access a protected resource? Or should I handle it on the back end and send back a 200 response and let the front end handle receiving a different version of a 200 response?
I'm using Django and React
Question has tag django-rest-framework so I suppose you are using it.
Take a look at DRF permissions documentation. There is IsAuthenticatedOrReadOnly permission which allows read-only access for unauthenticated users (list, retrieve actions), but only allows create, update, delete to authenticated users.
I can successfully pull statistics from the FB API using the temporary access token, however I followed the instructions to generate a token that never expires from this thread.
Long-lasting FB access-token for server to pull FB page info
It does indeed work. But then when trying to using this Page token I get the following error:
Fatal error: Uncaught exception 'FacebookAds\Http\Exception\AuthorizationException' with message '(#272) This Ads API call requires the user to be admin of the application. User XXXXXX not admin or developer for application XXXXXXX.' in
C:\www\projects\dashboard2014\vendor\facebook\php-ads-sdk\src\FacebookAds\Http\Exception\RequestException.php on line 129
However the user is an Admin of the application! I can see it in the application settings. Also I can see the token has the following permissions:
"perms": [
"EDIT_PROFILE",
"CREATE_CONTENT",
"MODERATE_CONTENT",
"CREATE_ADS",
"BASIC_ADMIN"
]
In the App settings I also put the Ad account ID in the "Authorized Ad Account IDs" field and this doesn't work still.
If I use the temporary access token from the Graph API Explorer then I am able to pull in data from any campaign in the ad account with no problem, the problems seems to be that this is a Page access token, so there's a slight difference somewhere but I can't seem to work it out?
I don't mind having a different long life access token for every Page rather than just one for the whole account however it's not working. Thanks
I'm trying to post a score from my server.
I have my app set up as a game.
I've got my app access token.
I'm POSTing to https://graph.facebook.com/USER_ID/scores
I have authorized and given publish_stream and publish_actions permissions to my app for the USER_ID (which is me).
However, an error is telling me that I need a user access token for that action, which I don't as Facebook states here: https://developers.facebook.com/docs/score/
Create or update a score for a user
You can post a score or a user by issuing an HTTP POST request to
/USER_ID/scores with the app access_token as long as you have the
publish_actions permission.
I've seen a similar question but it was unanswered: Facebook Graph API Explorer won't POST scores (they've ended up creating a new app, which is not a real solution)
To verify that it's not me who is incorrectly using the API, I went to Graph API explorer and tried it also there with the same access token, no luck:
Funny, that if I follow what it says and try the same with my user access token, it then says: This method must be called with an app access_token.
Is there something that I'm missing or is there a bug with the Graph API?
Thanks,
Can.
It looks like you have everything correct, but there's one relatively little-known case which will produce that error message.
Check the 'App Type' field in the Advanced Settings:
If this is set to 'Native/Desktop' instead of 'Web' in the Advanced settings, it's assumed that your app's binary/native distribution contains the app secret.
In this configuration, API calls made with the app access token are untrusted, effectively the token is completely ignored.
Change the app settings back to 'Web' and you should be able to post or delete Scores and/or Achievements with the App Access Token
If this is the issue, you can quickly verify if with a call to
https://graph.facebook.com/app?fields=migrations&access_token=[APP ACCESS TOKEN HERE]
In 'Web' mode, the response contains the migration settings for the app, something like:
{
"migrations": {
"secure_stream_urls": false,
"expiring_offline_access_tokens": false,
"requires_login_secret": false,
//etc
}
In 'Native/Desktop' mode, the app access token is untrusted, so you can't access the app's private data, and the response is:
{
"error": {
"message": "An unknown error has occurred.",
"type": "OAuthException",
"code": 1
}
}
I'm planning out adding Facebook integration to a web app I'm working on. For the most part, it's proceeding smoothly, but I am confused on the proper way to handle the OAuth token.
The sequence of events presented by Facebook here is:
Ask the user to authorize your application, which sends them to a Facebook window.
This will return an Authorization Code generated by Facebook
You then hit https://graph.facebook.com/oauth/access_token with your Authorization Code, which will give you a time-limited OAuth token.
Using the OAuth token, you can make requests to access the user's Facebook profile.
Facebook's documentation has the following to say about token expiration:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission.
When they say to re-run the steps above, what steps need to be re-run to get a new OAuth token? What data (Facebook UID, Authorization Code, OAuth token) does it make sense to save to my local database?
I would like to be able to have the user continue to interact with my site, and in response to certain user actions, I would like to be able to prompt to user if they want to post something to their Facebook wall.
The access token is time and session based and is unnecessary data to store and have no use after the user have closed the session.
The facebook uid is the only thing you need to identify the user.
Since the Facebook API sometimes is horrible slow you could store the username aswell.
But for identification, all you need is the uid.
The documentation that facebook provides has been updated since you asked this question. https://developers.facebook.com/docs/authentication/.