My app got white-listed for using the Ads API.
I was wondering in regarding to the authentication flow.
Say, that I need to retrieve and execute actions via the API on daily tasks ( with no user interaction) , I find the authentication process quite cumbersome.
Is there a way to work with my app access token instead of a user access token?
I want to be able to approve my app only once for each user and then to be able to work with no user interaction.
Can I achieve this?
App access token is not relevant for this case.
I had to work with the user access token.
I followed this doc: https://developers.facebook.com/docs/reference/ads-api/
Eventually , one should use some client side code in order to get a user permissions and then make another request for getting the user token.
So you'll have to call
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=ads_management,offline_access&response_type=code
Get the authentication code and make another call:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=AUTHORIZATION_CODE
Then you'll get an access token which is valid only for two months, in opposed to what Facebook docs says in here:
https://developers.facebook.com/roadmap/offline-access-removal/
"Ads APIs are special cased to allow collection of statistics offline. PMD partners should use server-side OAuth flow in order to receive a non-expiring token rather than a token that has longer expiration time."
Too bad that the access token is not really valid forever...
According to "Exception 4" in this document , if you have Ads API access you should be able to get a non-expiring token if you use the correct workflow. Following the guidelines outlined here, if you use the server side OAuth flow, to make the following request you should get a non-expiring token:
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
thx for the feedback regarding the Access token process being cumbersome. Because this is a one to many solution - a single App ID can manage multiple ad accounts, on behalf of multiple people - we need to make calls on behalf of people.
You should be able to get a persistent access token for Ads API. If you are not getting it, please provide exact steps you are following so we can see if there is a bug or you might be missing a step.
Thx.
Related
Inching closer...
I am building a contacts synchronization facility into our product (with PHP/javascript). We are using an incremental approach for access - initially requesting a base set of scopes, then we want to expand these scopes when (if) our client decides to use the extra facility.
Base set:
www.googleapis.com/auth/plus.login
www.googleapis.com/auth/plus.me
www.googleapis.com/auth/userinfo.email
Extended with:
www.google.com/m8/feeds
www.googleapis.com/auth/contacts
I can get the extra scopes using the gapi.auth.signIn() call, but that doesn't seem to give me a "permanent" access token to use - later requests to the API in PHP don't show the new scopes. Does that mean I have to have an explicit call to the gapi function any time I want the frontend to access contacts?
Also, how do I get an offline token that I can use for the background process that will do the synchronization? Do I have to have a separate token for offline access? Can I mix offline and online access using the same token, or do I have to have one of each?
thanks,
andy
The difference between both online and offline access is that when you request an access token, this token will expire after certain time, usually 60 mins. After it expires the user will have to provide again the credentials so you can receive a new token.
In this case it is an "online" token.
When requesting the access token and you provide the parameter access_type=offline you will receive a refresh token. After the access token expires, you can request a new request token using the refresh token so it is not necessary that the user provides again the credentials.
Here you can find more information about that: https://developers.google.com/accounts/docs/OAuth2WebServer#offline
hope it helps.
I have an application, that runs on server. On that server is background task, that will post status update on few social networks (Facebook, Twitter, G+). It must be completely server-side.
In Twitter API I'm able to use OAuth header to authorize API request. OAuth HTTP header uses consumer key, consumer secret, access token and access token secret to create the header. With this I'm able to post/update/delete tweets with no user interaction.
How can I do this for Facebook? I found a solution to obtain a long-lived access_token (2 months), but we don't want to regenerate access_token every 60 days. We want to use it for manage our Facebook page - post status updates, but completely server-side.
Am I able to do this for Facebook? Thanks for answers.
PS: I searched stackoverflow hundred-times but with no solution for my problem.
Thanks.
It is not possible for User Access Tokens (they can only be extended to 60 days and need to be refreshed by the user after that), but for posting to a Page you should use a Page Token anyway. An Extended Page Token is valid forever.
Here are some Links to help you get that Extended Page Token:
https://developers.facebook.com/docs/facebook-login/access-tokens/
http://www.devils-heaven.com/facebook-access-tokens/
http://www.devils-heaven.com/extended-page-access-tokens-curl/
A Page Token will post "as Page" btw, but that´s probably what you want. And auto-posting on user profiles is not really allowed anyway, every message has to be 100% user generated and every posting should get authorized by the user.
Pay attention to Access Tokens Expiration & Extentions.
The Page Access Token could be a good solution to only server side calls for testing and data analysis purposes.
Take your User Access Token from Graph API Tool
Extend your User Access Token
Call https://graph.facebook.com/v2.11/me/accounts with your user access token extended
*all calls are GET and this procedure does not use APP Access Token.
On this page:
http://developers.facebook.com/docs/opengraph/using-app-tokens/
It describes how to get the app access token, yet the token it returns is different than the one in the open Graph "Get Code" example. The latter is the only one that works. How can I get the second access token using the API? When I try to use the first example, I basically get something back that looks like "application ID|secret key" which is different than the real access token.
as documentation states, you will get
access_token=YOUR_APP_ACCESS_TOKEN
string back from the API call. Even though it LOOKS like "application ID|secret key HASH" - it is a valid access token you can use to publish to user's wall. You can verify it's a proper access token using Debug toll from FB: https://developers.facebook.com/tools/debug - just paste the token there.
The reason it might not work for you is because you are trying to publish something to the user's wall who did not authorize your app. Look here: https://developers.facebook.com/docs/reference/javascript/ - for example of how to use your app ID to make user authorize the app. You need to request publish_stream permission for your app from user in order to be able to publish as the app to the user's wall.
And going back to the documentation:
Note that the app access token is for publishing purposes permitted by
the publish_actions and publish_stream permissions. You will be unable
to retrieve information about the status update post with the given ID
using the app access token. Instead, you should use a user access
token for such purposes.
hope that helps.
How can I modify this to get permissions for offline_access and others
"https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id="+appId+"&client_secret=" + appSecret;
I don't think you can. The url you are using looks like the one used to get an access token for adminstrative actions on behalf of an app. I.e. Graph api calls requiring an app access token such as access to app Insights.
Offline access, as far as I know, applies only to performing actions on behalf of a user e.g. posting to their wall.
Maybe you are looking for something more like this?
https://www.facebook.com/dialog/oauth? client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=offline_access,email,read_stream,etc
Assuming you have already know about the authentication guide, but just in case:
http://developers.facebook.com/docs/authentication/
Facebook has two flows for Authentication, client-side and server-side. When should each one be used?
Facebook docs: https://developers.facebook.com/docs/authentication/
Possibly related: What is the purpose of the implicit grant authorization type in OAuth 2?
Depending on your needs you can use one or the other or both. If you want calls to facebook to be processed before the user sees a certain page then use server side... however if you want to display partial information until the user has authenticated, use javascript authentication.
It boils down to this:
Javascript authentication can happen with-in a popup window and does not require a page reload you can also just perform a top.location.href redirect.
PHP authentication involves a redirect to an authentication page.
Also see this thread, in particular this response.
To add to #Lix's answer, I would say:
Client Side Authentication
When you want some information from Facebook API about the user that is required once, as in you only need to get it once like the user's name and email.
When you want to temporarily access/manage the user's information/data and don't need to do it often.
You get a temporary token, which is valid only for a few hours and you need to get a new token to call the Facebook API again after it has expired (which requires the user has to grant permission again).
Server Side Authentication
You want to manage the user's data (on their behalf) after the user has left your website/app. Example, gathering the user's feed/timeline data on a regular basis.
When you want to access/manage the user's information/data in a recurring fashion untill the user hasn't revoked access to your client id (represented by a Facebook app).
You get both a temporary token and a permanent token (which lasts for about 60 days at the time of writing this). You can get a new temporary token by using the permanent token every time you need to call the Facebook API (given the previous temporary token has expired) -- without bothering the user to grant permission again.
So, in short, for short term use, follow client-side authentication flow and for long term use follow server-side authentication (given you have a backend server of your own).