In our web application a user grants us access to their Facebook account, which gives us their long term access token. The user then makes a choice if the integration should be for their user timeline or for a specific Facebook page that they administrate. If they pick a page then we swap out their user access token with their page access token and go on our merry way. That has been successfully live for a while.
Now I want to add some code so if you are authenticated against a page we can query for the engagements field (/me?fields=engagement) (essentially the details about like counts for the page). However, this query obviously fails if you navigate to this resource with a user access token, because there is no "engagement" field on User.
Is there some way I can query the "/me" api resource and know if it's a user or a page without parsing the error message?
Related
I have an app for which User A (me) and User B (client) are both admins. In addition, both users are admins on the page account as well. When I (as user A):
go to the Graph API Explorer
select the appropriate app
select page token
select the appropriate permissions (email, manage_pages, pages_show_list, ads_management)
copy generated token
I can then go to the debug tool and paste it in to see that my new page token will expire in ~1 hour. Clicking on "Extend Access Token" gives me a new token and says "This new long-lived access token will never expire". Debugging this new token gives me an expiration date of "Never".
If User B follows these same steps (confirmed with me watching), after clicking on "Extend Access Token" the new token has an expiration date of 2 months.
The information I've found from various sources has said that the only requirement for a forever token is that the user is both a page and app admin which is satisfied here. What else would be causing User B to not receive forever tokens?
I don't understand something important about permissions and how to grant them. I've made a Facebook page, and I've made an app. I would like the app to be able to post to the page.
Below is my code. I'm using the fb_graph ruby gem, btw (https://github.com/nov/fb_graph)
app = FbGraph::Application.new('531508086900000000', :secret => 'd705fda7275125913a10000000000')
token = app.get_access_token
page = FbGraph::Page.new('000000000000000')
note = page.note!( :access_token => token, :subject => 'testing', :message => 'Hey, testing you!')
And this is the error:
FbGraph::Unauthorized: OAuthException :: (#200) Requires extended permission: publish_actions
I've looked everywhere I can think of on both the app and the page settings but can't figure out how to do this. Help appreciated!
You need to grant access via a user access token.
The current token in your case is an application access token.
Use one of the methods listed at https://developers.facebook.com/docs/facebook-login/permissions/v2.1#adding
Specifically https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.1#login
I voted up phwd's answer for the help s/he was to me here and in IRC. But it still wasn't really enough information to make sense of why this is so hard. I've decided to post my current working understanding of how this works. These are just my own notes, so I'm sorry in advance for anything unintelligible.
So, getting the right access tokens is f***ing hard, and here's my current understanding:
In order to get a token that last forever so that my app can post to a page I have to do this:
1. Create a short-lived user access token with the right scope for the app (manage_pages, publish_actions) using the explorer
- page access tokens can be obtained via /me/accounts from the explorer page
- if the user access token that is "live" during the /me/accounts request is short lived then this page access token will be too
- if it is an extended long-lived token the page access token will have no expiry according to https://developers.facebook.com/docs/facebook-login/access-tokens
2. Extend short-lived user access token to a long-lived one via a graph api call, also using exploer (see below)
3. Execute the /me/accounts call to get a page token that doesn't expire
How to get a long lived user access token
oauth/access_token?grant_type=fb_exchange_token&client_id=531------------&client_secret=e005f031ba3d98------------------&fb_exchange_token=CAAHjZA163IbMBAMKSeFTmeV9------------------------------------------------------------------------------------------------------------------------------------------------fonA4P4bPhhdveMLvZBKldEGCB7EvF301wQv1YPrudy5kvI
where
client_id = App Id
&client_secret = App Secret
&fb_exchange_token = short lived user access token via explorer with proper scope
This gives you the following long lived access token
access_token=CAAHjZA163Ib---------------------------------------------------------------------------------------------------------------------------------------------------------------------ehS8g2ZBYU8uZBPmdMay3AAj5tXgAZDZD&expires=5179843
This is an extended user access_token
This token can be used to post to the page it was genrated for.
It can also be used to get a no-expiry page access token when used to issue /me/accounts
from facebook :
Page Access Token
These access tokens are similar to user access tokens, except that they provide permission to APIs that read, write or modify the data belonging to a Facebook Page. To obtain a page access token you need to start by obtaining a user access token and asking for the manage_pages permission. Once you have the user access token you then get the page access token via the Graph API.
I have some C# code that retrieves an access token using Facebook.JsonObject and can post to my profile wall on facebook with no problems.
However, if I try to use that same access token to retrieve details of my facebook business pages so I can post to them, then I get the message "user access token is required to request this resource".
I thought the access token I had retrieved that allowed me to post to my profile was a user access token. What is the difference, and how do I get a user access token?
This is the code I am using to get the access token:
facebook.JsonObject AuthResult = (Facebook.JsonObject)Oauth.GetApplicationAccessToken(parameters);
object Access_Token = "";
AuthResult.TryGetValue("access_token", out Access_Token);
FacebookClient FBClient = new FacebookClient(Access_Token.ToString());
More information:
I need my customer's c# application to post directly to my customer's facebook business page via code without the application "allow access" box popping up and any redirects to applicatoins taking place. Therefore I need to get the User Access Token programatically without facebook being logged in or open etc.
Any (non-sarcastic) help very gratefully received.
Thanks
I thought the access token I had retrieved that allowed me to post to my profile was a user access token.
Does that method name,
(Facebook.JsonObject)Oauth.GetApplicationAccessToken(parameters);
===========
really sound to you as if it was supposed to give back a user access token? Sorry, but to me it doesn’t …
If you are not familiar with the different types of authentication and access tokens, please read this first: https://developers.facebook.com/docs/authentication/
I'm playing around with Facebook Connect, trying to use Facebook as the means or authentication on my site. Currently my workflow looks something like this:
Go to URL
Server checks cookies for AccessToken
If AccessToken exists, automatically fill in user's name/profile picture in comment box, and leave AccessToken in hidden input
send page down to client
on submit, verify access token (which was submitted with the rest of the form) is a valid access token for a real person. If so, add comment to Database
refresh page to display new data
if no access token, replace user's name/profile picture with <fb:login-button>, along with the required <script>s.
send page down to client
When user authorizes page/logs into facebook, refresh page
(go back to top, except this time the access token should exist)
So I have a few questions:
Is this secure? I was thinking of ways i would be able to do without the double authentication with Facebook (checking once on page-generation and checking again on comment-submission), and I could not figure any other way short of maintaining my own session-state with each client. Is that worth doing?
Does the access token expire when i log out of Facebook? I'm thinking it should, but it seems I can continue to use the same access token to grab data (i.e. name, url, etc.) after I manually go to Facebook and log myself out. Is it because I'm only asking for public information, and only more intrusive permissions expire on logout?
Given that each person who wants to do something has to provide a unique token from Facebook, this should have the side effect of blocking CSRF, since every action can be traced to a valid Facebook account. Is that right?
Why don't you just use the Facebook Javascript SDK to detect if they're currently logged into Facebook? This will also make the access token available in Javascript so you can make client-side calls to the API.
You can access the same access token server side via the session cookie set by Facebook also.
I can't answer all of your questions but I can tell you that having the access token in a hidden field on your page is risky from a policy perspective, especially if your page can be read by any third-party code such as Google Analytics or AdSense. Facebook will nail you for this as it is leaking user identifying data to third parties. The Facebook userid is in the access token in plain text. Facebook has automated processes that scan for this stuff and will auto-ban your app if it is leaking userids to third parties.
I was reading about FB Graph API in this page. Please see the section Authorization
They say that
At a high level, you need to get an
access token for the Facebook user.
I am confused. How do i get the logeed in users access token in my website
https://developers.facebook.com/docs/reference/api/
You don't get a logged in user's access token. Once a user is authenticated, you receive an access token to be able to see/manipulate that user's data, depending on what permissions you have requested from that user.
This is well documented in the "Authentication" section of the developer documentation: https://developers.facebook.com/docs/authentication/