Posting scores with app access token - facebook-graph-api

I'm trying to post a score from my server.
I have my app set up as a game.
I've got my app access token.
I'm POSTing to https://graph.facebook.com/USER_ID/scores
I have authorized and given publish_stream and publish_actions permissions to my app for the USER_ID (which is me).
However, an error is telling me that I need a user access token for that action, which I don't as Facebook states here: https://developers.facebook.com/docs/score/
Create or update a score for a user
You can post a score or a user by issuing an HTTP POST request to
/USER_ID/scores with the app access_token as long as you have the
publish_actions permission.
I've seen a similar question but it was unanswered: Facebook Graph API Explorer won't POST scores (they've ended up creating a new app, which is not a real solution)
To verify that it's not me who is incorrectly using the API, I went to Graph API explorer and tried it also there with the same access token, no luck:
Funny, that if I follow what it says and try the same with my user access token, it then says: This method must be called with an app access_token.
Is there something that I'm missing or is there a bug with the Graph API?
Thanks,
Can.

It looks like you have everything correct, but there's one relatively little-known case which will produce that error message.
Check the 'App Type' field in the Advanced Settings:
If this is set to 'Native/Desktop' instead of 'Web' in the Advanced settings, it's assumed that your app's binary/native distribution contains the app secret.
In this configuration, API calls made with the app access token are untrusted, effectively the token is completely ignored.
Change the app settings back to 'Web' and you should be able to post or delete Scores and/or Achievements with the App Access Token
If this is the issue, you can quickly verify if with a call to
https://graph.facebook.com/app?fields=migrations&access_token=[APP ACCESS TOKEN HERE]
In 'Web' mode, the response contains the migration settings for the app, something like:
{
"migrations": {
"secure_stream_urls": false,
"expiring_offline_access_tokens": false,
"requires_login_secret": false,
//etc
}
In 'Native/Desktop' mode, the app access token is untrusted, so you can't access the app's private data, and the response is:
{
"error": {
"message": "An unknown error has occurred.",
"type": "OAuthException",
"code": 1
}
}

Related

Facebook Messanger. Invalid token

I'm a page admin and trying to debug messanger bot. Recently, I've changed the password and now when I try to reply to myself in messager via API I get an error
{
"error": {
"message": "Error validating access token: The session has been invalidated because the user changed their password or Facebook has changed the session for security reasons.",
"type": "OAuthException",
"code": 190,
"error_subcode": 460
}
}
The thing is I don't have an access token, to begin with, the doc says
To send messages to someone on Messenger, the conversation must be initiated by the user.
It also says
Apps in Development Mode, are restricted to message people that have a role in the app.
I've tried to
Recreate page token
Block/Unblock page and delete conversion
Tried to remove myself from admins, but that's impossible since I'm the only admin
The only option I see left is to remove the app altogether and create a new one, but that doesn't seem like a good solution
This has nothing to do with the fact that the user needs to message your page first, before the bot can respond.
Your bot needs a page token to perform its actions, and according to the error message, the one you have been using, had expired.
So the token you got set in your bot configuration needs to be replaced with a fresh, valid one.

Authorised Exception using access code which never expires

Using the Facebook Access Token Debugger I can see I have an access token that never expires.
https://developers.facebook.com/tools/debug/accesstoken/
However using the Graph Explorer I get the error
{
"error": {
"message": "(#10) To use 'Page Public Content Access', your use of this endpoint must be reviewed and approved by Facebook. To submit this 'Page Public Content Access' feature for review please read our documentation on reviewable features: https://developers.facebook.com/docs/apps/review.",
"type": "OAuthException",
"code": 10,
...
}
}
This was previously working, has something changed with Facebook? The only other thing that has changed is that my access to the Facebook App was removed then reinstated, so I now use a different access code.
Please could anyone advise what I need to do to resolve this issue, I previously did not need Facebook review to use this API last month.
Thanks
Edited: the login required screen when requesting a Page Access Token:
This is not about expiry of the token.
Facebook has restricted API access to the data of any public pages - you now need to get your app reviewed for the use of the feature “Page Public Content Access”, before you can use it.
https://developers.facebook.com/docs/apps/review/feature#reference-PAGES_ACCESS
Without getting this reviewed, you can only access data from pages you have admin access to - but that in turn requires the use of a different kind of token then, a page access token. (You presumably used the general app access token, for your requests that have been working up until now. For that to keep working to access public page data, you need to submit for review of the feature.)
Thanks to misorude for all your help. This is what worked for me:
Step 1: ask the business manager to grant the user "Manage Pages" permission on both the app and the page:
https://business.facebook.com/settings/pages/PageID?business_id=BusinessID
https://business.facebook.com/settings/apps/AppID?business_id=BusinessID
Step 2: Create the user access token (select "Get User Access Token" from the "Get Token" dropdown)
https://developers.facebook.com/tools/explorer/
Step 3: Check the user has access by calling your graph method using the temporary user access token
E.g. https://graph.facebook.com/v3.3/PageID?fields=link%2Cpicture&access_token=UserAccessToken
E.g. https://graph.facebook.com/v3.3/PageID/feed?fields=message%2Cfull_picture%2cpermalink_url%2Ccreated_time&limit=3&access_token=UserAccessToken
Step 4: Create permanent user access token
https://developers.facebook.com/tools/debug/accesstoken/
Click "Extend Access Token" at the bottom of the page and debug to reveal the token with expiry: never

How to block Facebook webhook calls for app specific users? [duplicate]

There is documentation for test users in the Facebook Developer online documentation but how do you delete actual users where the application doesn't show in their app list anymore? This is with the knowledge of the access_token and facebook_user_id.
Used to delete Test Users:
https://graph.facebook.com/893450345999?method=delete&access_token=A2ADI1YMySweBABBGrWPNwKMlubZA5ZCrQbxwhtlEd9FIQUrOVjsGD3mnIWEbUhzDz7dkuBekMFdHvjvJ9CZAU7EMSSaZBsgN60FkMCi3AAZDZD
Running the test user link produces the following error:
"error": {
"message": "(#100) Can only call this method on valid test users for your app",
"type": "OAuthException",
"code": 100
}
You seek for application de-authorization:
You can de-authorize an application or revoke a specific extended permissions on behalf of a user by issuing an HTTP DELETE request to PROFILE_ID/permissions with a user access_token for that app.
permission - The permission you wish to revoke. If you don't specify a permission then this will de-authorize the application completely.
To achieve this issue request to:
https://graph.facebook.com/me/permissions?method=delete&access_token=...
Once application de-authorized it will not appear in the list of user's applications.
Update December 2021
Follow the reference for Requesting & Revoking Permissions:
To remove single permission issue a DELETE request to /{user-id}/permissions/{permission-name} passing user access token or an app access token
To de-authorize an app completely issue similar request to the /{user-id}/permissions endpoint
Real users 'delete' themselves from your app when they remove your app from their account, you don't have to do anything.
If you would like to know when users de-authorize your app like this, you can specify a Deauthorize Callback URL in your app's settings. As described in the docs at https://developers.facebook.com/docs/authentication/:
Upon app removal we will send an HTTP POST request containing a single parameter, signed_request, which, once decoded, will yield a JSON object containing the user_id of the user who just deauthorized your app. You will not receive an user access token in this request and all existing user access tokens that were previously issued on behalf of that user will become invalid.
UPDATE: To remove your own app from the user's authorized applications, issue an HTTP DELETE to https://graph.facebook.com/[userid]/permissions?access_token=... as per https://developers.facebook.com/docs/reference/api/user/.
Typically Graph API calls also support doing an HTTP POST with an extra parameter, method=DELETE, in case DELETE calls are not possible/supported.
To do it:
You must have the user access token.
Visit https://developers.facebook.com/tools/debug/accesstoken/ and debug the user access token.
Copy App-Scoped User ID
Via API call HTTP DELETE to https://graph.facebook.com/[App-Scoped User ID]/permissions?method=delete&access_token=[YOUR-APP-ACCESS-TOKEN]

Facebook API "This Ads API call requires the user to be admin of the application"

I can successfully pull statistics from the FB API using the temporary access token, however I followed the instructions to generate a token that never expires from this thread.
Long-lasting FB access-token for server to pull FB page info
It does indeed work. But then when trying to using this Page token I get the following error:
Fatal error: Uncaught exception 'FacebookAds\Http\Exception\AuthorizationException' with message '(#272) This Ads API call requires the user to be admin of the application. User XXXXXX not admin or developer for application XXXXXXX.' in
C:\www\projects\dashboard2014\vendor\facebook\php-ads-sdk\src\FacebookAds\Http\Exception\RequestException.php on line 129
However the user is an Admin of the application! I can see it in the application settings. Also I can see the token has the following permissions:
"perms": [
"EDIT_PROFILE",
"CREATE_CONTENT",
"MODERATE_CONTENT",
"CREATE_ADS",
"BASIC_ADMIN"
]
In the App settings I also put the Ad account ID in the "Authorized Ad Account IDs" field and this doesn't work still.
If I use the temporary access token from the Graph API Explorer then I am able to pull in data from any campaign in the ad account with no problem, the problems seems to be that this is a Page access token, so there's a slight difference somewhere but I can't seem to work it out?
I don't mind having a different long life access token for every Page rather than just one for the whole account however it's not working. Thanks

why does posting to facebook page yield "user hasn't authorized the application"

I have read the fb docs and written code to publish a message to a facebook "page", however I am getting an error that I don't expect to see:
(#200) The user hasn't authorized the application to perform this action
Here's what I've done:
I set up a facebook application, which provides my APP_ID and
APP_SECRET.
I set up a test facebook "page". Let us refer to its fb id as PAGE_ID.
Used OAuth to get a USER_ACCESS_TOKEN with scope "publish_actions,manage_pages" for the user. I accepted the permissions requested by my app when redirected to the facebook auth page.
I did a GET on https://graph.facebook.com/me/accounts using the USER_ACCESS_TOKEN, and I get back a list of pages I administrate, including the one I want to post to.
This block of data for my page looks like:
{
"data": [
{
"category": "Community",
"name": "My Generic Test Page",
"access_token": PAGE_ACCESS_TOKEN,
"id": PAGE_ID,
"perms": [
"ADMINISTER",
"EDIT_PROFILE",
"CREATE_CONTENT",
"MODERATE_CONTENT",
"CREATE_ADS",
"BASIC_ADMIN"
]
},
....
]
}
Then I use the PAGE_ACCESS_TOKEN to post a message to the page:
I did a POST on https://graph.facebook.com/PAGE_ID/feed with a field message equal to This is a test post.
Facebook returns:
{
"error": {
"message": "(#200) The user hasn't authorized the application to perform this action",
"type": "OAuthException",
"code": 200
}
}
Using the token debugger, I can confirm that my PAGE_ACCESS_TOKEN is valid, and has scopes: manage_pages and publish_actions.
Where am I missing authorizing the application? Do I need additional scopes? Did I miss clicking something on the facebook authorization screen? Is there a setting on the app I am missing? After days of debugging this, I must be blind to the problem. :-|
You should add permission called status_update, for example
https://www.facebook.com/dialog/permissions.request?_path=permissions.request&app_id=145634995501895&redirect_uri=https%3A%2F%2Fwww.facebook.com%2Fconnect%2Flogin_success.html%3Fdisplay%3Dpage&response_type=token&fbconnect=1&perms=status_update&from_login=1&m_sess=1&rcount=1
and i'm able post to page i liked with the access token i get just now:
If you want to post as the admin of the page, you're require both manage_pages and status_update permissions, for example
https://www.facebook.com/dialog/permissions.request?_path=permissions.request&app_id=145634995501895&redirect_uri=https%3A%2F%2Fwww.facebook.com%2Fconnect%2Flogin_success.html%3Fdisplay%3Dpage&response_type=token&fbconnect=1&perms=manage_pages%2Cstatus_update&from_login=1&m_sess=1&rcount=1
Cheers
status_update is not used anymore. To publish on pages, I had to use both manage_pages and publish_pages.
Well, this seems to be a common mistake that most of us make while trying to do an activity in social netwroks. Before trying to put up an open graph action,You need to set the permissions in your initial authorization request . By default you only gain 'read-only' access to their basic information.
Settintg up permisson at teh time of authetication is a must for Facebook and LinkedIn APIs..
See the public_actions section in Facebook open graph permissions here and make relevant changes in the authorization code , and get your issue solved.
I found the best way to get a valid token and check permissions was via the Graph API Explorer BUT while Facebook's documentation is extensive it is not always the easiest to follow.
In the explorer you have to look at both:
The Application Currently at the top and quite subtle, I missed this for ages.
Get Token Dropdown What you click to get a Token, when you click the arrow you can choose pages and other items you have access to for selecting a token for.