We trying to make updates to FB pages from an external system.
In order to use the Facebook API an access token is required.
We are able to get a short-lived access token by using the Facebook API Explorer. The short-lived token lasts about 2 hours.
Based on what we have read, it is possible to get a long-lived token which lasts about 60 days however this must be done programmatically and only Facebook Applications.
The typical FB App acts like a Web page asking for permission to access a user's account and do things with that account. In order to request a long-lived token you must include an Application’s key and secret key.
As a personal user we are able to register as a Facebook developer, create a 'dummy App' and successfully generate a long-term token to use.
The issue is, we are a business user. The Facebook account is a business account as opposed to a personal account and you cannot create an Application for that account.
Since we can’t have users create and use a dummy App for a business type account we don’t have a way to generate a long-lived token in that case.
Why doesn't FB allow apps for business accounts? Or more importantly, does anyone know how to generate a long lived token for a FB business account?
There should be no reason a business account can't get a long-lived access token, that's one of the primary purposes of business accounts, managing ads and pages via the API
Only real, verified, personal users should be the owner/developer/admin of an app, but an app's users don't necessarily need to be regular users.
There's a bug right now about business accounts not being able to get 60 day tokens. That bug excluded, business accounts should be able to get 60 day tokens the same way a personal user does.
Related
That Facebook Graph API docs are not the best in the world I guess it's something more than well known.
The fact is that we are creating an app to access to Instagram Business Accounts data. Facebook documentation, in the Getting started guide, says to use manage_pages permission to get the list of instagram business accounts linked to pages. The problem of that permission is that requires application review and that, under our previous experience, takes between 4 and 6 weeks to happen. Also, we don't want to manage user pages, just get the Instagram Business Accounts linked to them.
So we have tried to use pages_show_list instead. But in the tests I have made, I only can see the Instagram Business Account linked to a page I manage, while using manage_pages(same query on Graph API Explorer) I get the two Instagram Business Accounts I have linked to Facebook pages. I have the same tasks (roles) for both pages.
That makes me wonder if it's that pages_show_list for whatever reason doesn't work for that, or it's something specific about the second page/Instagram Business Account that I do not achieve to understand.
After some tests looks like manage_pages is a must to get Instagram Business Accounts connected to Facebook Pages.
After three different users testing, each of them owning two different Facebook Pages connected to two different Instagram Business Accounts, I was the only one who achieved to see one of the Instagram accounts with a token with pages_show_list granted permission.
Why I can see that account? I don't know, but definitely that's the weird case and it's not possible, in general, get the Instagram Business Account connected to a Facebook Page with a user token with pages_show_list as permission instead of manage_pages.
UPDATE: I've finally find a hint on the documentation. Looks like the difference is made if the role permissions to the Page are granted to the user via Business Manager or not. If they have been granted in that way, apart from pages_show_list, in theory one of manages_pages, business_management or ads_management permissions are needed.
Even when I don't know how to know if the Page permissions/role has been given in that way, I've tried it and it worked for me with pages_show_list + manage_pages and pages_show_list + business_management but not with pages_show_list + ads_management.
We have an app which could login via Facebook or Instagram. And we will pull some basic information of the user's from the site if you do so. We want to update all those basic informations at a certain period of time by the backend. It's not necessary for us to update informations while the user is using the app. I think update the basic information is just a test. The company might want to give some useful recommendations to the client for some commercial reasons. Any way, I checked that Facebook access token will live for 60 days,Instagram access token will not expire for now. May I refresh access token at backend without user involved?
There is no way to refresh the User Token automatically (on the server), it needs user interaction. Else, it would be pointless to implement a 60 days limit.
I'm using Ember 2.3 with Ember Simple Auth 1.0 and am wondering if anyone had any suggestions on the best approach to handle the following situation:
With the particular industry my platform serves, most staff are actually independent contractors and therefore could belong to multiple businesses. With that said, I have some specific requirements that I'm trying to address:
Avoid having to create a separate account with separate credentials for each business the staff member belongs to.
Allow credentials to be revoked at any time for a particular account.
Allow for account-level permissions.
Make it simple to switch accounts from inside the application without having to fully-reauthenticate.
To achieve this, my initial implementation is based around issuing a single JWT (using ember-simple-auth-token) for each user account. The proposed authentication flow would be as follows:
User logs in with username and password
System authenticates and if credentials are valid, return a token for each account.
If the system returns no tokens, return an error.
If the system returns a single token, use that token by default and redirect to the authenticated area of the site.
If the system returns more than one token, display a list of the accounts associated with those tokens and allow the user to choose the one in which they will be assuming the role of at that point.
What to do when the system returns more than one token is where I have questions:
Is there a way to "intercept" to allow the user to choose which account/token to use before ESA commits the token to the session in local storage?
If I want the user to be able to switch accounts, is it just a matter of swapping out the token value in local storage?
If there's anything else I should consider, I'd appreciate the feedback. If you also happen to think this is a terrible approach and have some feedback, I'd absolutely love it.
Cheers.
From ESA's perspective the user would be authenticated when the backend responds with one or more tokens (you'll have to implement a custom authenticator and authorizer of course). The fact that the session actually contains multiple tokens for multiple accounts isn't relevant for ESA really - that would be sth. that you'd need to handle in your application code instead.
Once the session is authenticated with one or more tokens, you can access them via the session's data.authenticated property, e.g. this.get('session.data.authenticated.tokens') etc. You could store the currently active account the user wants to use in the session's non-authenticated area, e.g. this.get('session.data').set('activeToken', 'whatever').
I am building an in-house application which would accumulate the information from several social networks at once. Possibly, the URL of the application will not be known or it will not be allowed anywhere outside localhost.
One of the information pieces I will be accumulating is FQL insights table information: https://developers.facebook.com/docs/reference/fql/insights/ . As you may notice, this information is private, so I just cannot fetch it anonymously.
The application itself is written in a "configure once and use forever" fashion, and possibly the person using the application will not be allowed to the Facebook login credentials at all.
My problem is the Facebook login. As I understand the login with "forever access" is now deprecated and Facebook does not allow API access the same way as Twitter does (creating the forever lasting key and forgetting about it). Question is:
Is there any way to overcome the fact that I need to ask the person for permissions every time I would like to fetch them? What can be the longest period between asking?
My current thoughts about it are:
Creating a dummy user for the 'manager' and giving him read-only
access to FB pages, therefore enabling him to log in to the account.
Then asking him for the permissions every (n) hours when I need them.
Automatic log in to the FB account given that we have the
login/password for the account and obtaining the API key myself.
Which is doable? Did anyone have any experience in doing this kind of things?
What can be the longest period between asking?
You can use Long-lived user access_token which is valid for 60 days.Use below FB call to get extended access token:
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN
You can check more details here:
https://developers.facebook.com/roadmap/offline-access-removal/
One more point which is worth to note here:
When a user change his password, deauthorizes an app their OAuth token get expired.
Hope this help !
I created web application using Facebook C# SDK 5.3.2. I can post messages to my wall. But I want to collect access tokens for my friends' Facebook accounts and store them to use later to post messages to their wall.
Is it possible to get their access token with their Facebook account info. I can get access token for myself with "App ID" and "App Secret. Do I need also add application for my friends' Facebook to get this credentials.
You don't need to store access_token for any user, since it's something time based.
Instead ask for publish_stream permission and post messages to their wall using application access_token
From Facebook documentation on publish_stream permission:
Enables your app to post content, comments, and likes to a user's stream and to the streams of the user's friends. With this permission, you can publish content to a user's feed at any time, without requiring offline_access. However, please note that Facebook recommends a user-initiated sharing model.
the only way to get it done, is that your friends login into your application with their accounts and grant you the publish permission (if you want to publish when they are online) and the offline_access permission, to publish in any moment.
You have to think in the big security issue that this situation potentially represents.
Good luck.