How to handle logout now that offline_access is going away? - facebook-graph-api

With the new deprecated offline_access method, how can one have a token that survives logouts?
Basically, I made a plugin that allows WordPress users to publish their posts to Facebook. So when a user makes a post, it auto-publishes.
In testing with the new lack-of-offline_access, it appears that if the user logs out of Facebook, this breaks the connection on the site by invalidating the saved access token.
How can I detect that and refresh the token? Does the user need to go back and do it manually? Or can I properly automate this?
Seems to me like Facebook hasn't fully thought this one through here.

...it appears that if the user logs out of Facebook...How can I detect that and refresh the token?
From: https://developers.facebook.com/docs/offline-access-deprecation/
Handling expired tokens, user password changes, uninstalled apps, and user logout
Regardless if your app requested the offline_access permission, apps
should gracefully handle an expired access tokens in situations where
a user changes their password, deauthorizes an app, or logs out. More
information on these cases including a simple code solution that leads
to a uniform user experience can be found in this blog post.
This is what you will get if the user logs out of Facebook. From a blog post from May 2011: https://developers.facebook.com/blog/post/500/
{
  "error": {
    "type": "OAuthException",
    "message": "Error validating access token: The session is invalid because the user logged out."
  }
}
EDIT
Otto says in comments:
You keep saying "your app" but you need to understand that I don't
have an App. The user is creating their own app for their own site.
It's their app, and having it suddenly unable to do what they want it
to do is kinda crap. This is why this feature isn't fully thought out.
Basically, you're saying that nobody with a website can ever log out
of Facebook or their website will stop being able to publish to
Facebook. Not a good design.
Dmcs replies:
If it's not your app, what do you care how they manage their app?
Stackoverflow is not a place for "what-if" questions.
I'm voting to close this question based on this what-if, and that the answer cannot be answered with facts and that the question would lead to debate. Stackoverflow is not a place for debate.
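One way to detect the invalidated token and stop reusing it, as an added example that is not part of the original question, answer, or the linked Facebook blog post. The `Connection` class, the `send` callback and the non-logout sample bodies are hypothetical; treating every `OAuthException` as "re-authorization needed" is an assumption of this sketch.

```python
import json

# Constructed sample bodies. LOGGED_OUT mirrors the error quoted in the answer;
# the other two are made up for illustration.
LOGGED_OUT = json.dumps({"error": {
    "type": "OAuthException",
    "message": "Error validating access token: The session is invalid "
               "because the user logged out."}})
OTHER_ERROR = json.dumps({"error": {"type": "SomeOtherException", "message": "x"}})
SUCCESS = json.dumps({"id": "1234_5678"})

def classify_response(body):
    """Return 'ok', 'reauthorize' or 'error' for a Graph API response body."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return "error"              # not JSON at all (proxy page, empty body)
    if not isinstance(data, dict):
        return "error"
    err = data.get("error")
    if err is None:
        return "ok"
    # Assumption: any OAuthException means the saved token must not be reused.
    if isinstance(err, dict) and err.get("type") == "OAuthException":
        return "reauthorize"
    return "error"

class Connection:
    """Hypothetical per-site state kept next to the saved access token."""
    def __init__(self, token):
        self.token, self.needs_reauth, self.pending = token, False, []

    def publish(self, post, send):
        """send(token, post) returns the response body; injected to run offline."""
        if self.needs_reauth or not self.token:
            self.pending.append(post)   # never retry with a known-dead token
            return "queued"
        outcome = classify_response(send(self.token, post))
        if outcome == "reauthorize":
            self.token, self.needs_reauth = None, True   # discard dead token
            self.pending.append(post)   # keep the post until the user reconnects
            return "queued"
        return outcome

    def reauthorized(self, new_token, send):
        """Call after the user has gone through the login dialog again."""
        self.token, self.needs_reauth = new_token, False
        queued, self.pending = self.pending, []
        return [self.publish(p, send) for p in queued]
```

The `needs_reauth` flag is what a plugin would surface in its admin screen to ask the site owner to reconnect; the token itself cannot be refreshed without that user interaction.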

Related

Can I do anything about Facebook returning an error about 'Page Public Content Access' after a password reset?

I've come on to help a company out at the last minute after a developer bailed, and I'm left with some annoying quirks. I'm also very green when it comes to Facebook API. I don't have all the history, but here are the facts as I know them:
I've got a Facebook application that is used by a single Facebook account. This Facebook application reads public content of various pages (pages of clients, to be more specific) on Facebook (specifically follower and like counts). Periodically on a web server, we get these numbers and update our records for said clients.
Now, this application has executed fine for months. For security reasons, we changed the password for the Facebook account associated with this Facebook app. After recreating the access token, I started getting the following error:
To use 'Page Public Content Access', your use of this endpoint must be reviewed and approved by Facebook. To submit this 'Page Public Content Access' feature for review please read our documentation on reviewable features: https://developers.facebook.com/docs/apps/review.
My question is, why now? Why did a password reset cause this? Was this app originally grandfathered into not needing to be approved, and now that a password has been reset the app needs to be reviewed? In looking at the app's permissions it does seem it wasn't approved for this feature.
The reason I'm asking is if there's some other reason why this restriction was suddenly added, I'd like to know. Perhaps it's only applicable for certain scenarios and by updating the access token I inadvertently requested some feature the previous app never did?
Thanks.
There is no way to access public pages you do not own without getting "Page Public Content Access" approved now, this was changed a while ago already. So you are probably right, it may have worked only because of the old Token.
There are two ways to solve this:
Get Page Public Content Access approved by Facebook
Use a Page Token for all the Pages - you can only get it by having a role in the Page

Deprecated Facebook login permissions

My app integrates Facebook login with the following permissions: user_education_history and user_work_history. The app was working just fine until this morning, when I attempted to log in and got the following error:
invalid scopes: user_education_history, user_work_history. This message is only shown to developers other app users will ignore these permissions if present.
I went through the docs and I discovered that they were deprecated on the 4th of this month, but I cannot seem to find the new permissions for the education and the work history... any help?
Facebook is removing access to a lot of things as a result of recent negative press surrounding data mining of their users. In almost all cases the information is simply no longer available, there is no alternative method to access it.
More information is available in the Facebook developer blog:
https://developers.facebook.com/blog/post/2018/04/04/facebook-api-platform-product-changes/
https://developers.facebook.com/blog/post/2018/04/24/new-facebook-platform-product-changes-policy-updates
Note that the message you mention is only shown to Facebook accounts with developer credentials. Regular Facebook users don't see this message and the Facebook API simply ignores requests for scopes which are no longer allowed. If the data being requested are optional in the context of the app, you should create a test Facebook account and see how it behaves when requesting the data doesn't return anything (or causes unexpected errors).

Why can't an app have direct posting permission to its app page?

I am writing an app which is basically a service that posts media release news to various social networks including Facebook. I understand the usage of app tokens vs. user tokens vs. page tokens through the Graph API, but what I don't understand is why it requires a user token for an app to post to the app's page. User administrators will change over the lifetime of an app, it makes far more sense that an app would automatically have the necessary permissions to post to its own page's wall. This would also cut down on all the handshaking through the Graph API that seems to be required to get things done.
So, in short, why do Facebook Apps not have direct posting permission to their App Pages?
Because every post has a user associated with it – the user who created the post.

publish_stream permission & APP access_token?

I've been digging through all docs I can find, but I cannot seem to verify this..
When I'm doing app authorization I'm asking for publish_stream from my visitor.
From the FB docs (http://developers.facebook.com/docs/reference/api/permissions/):
Enables your app to post content, comments, and likes to a user's stream and to the streams of the user's friends. With this permission, you can publish content to a user's feed at any time, without requiring offline_access. However, please note that Facebook recommends a user-initiated sharing model.
It very explicitly states that I'm able to post at ANY time. But, a regular user access token expires after a certain time. So that won't be usable to post.
However, an APPLICATION access token can be retrieved at any time, without any user interaction. And when I've tested, I can successfully publish to a user's feed (yes, on their feed, not my application's feed) using the app access token.
I haven't waited 2+ hours for the initially obtained User token to expire though, but even if the user session was logged out, I was still able to post using the app token.
So, this is what I want, right? Yes!
But this is not documented anywhere, so my question is:
Is this an allowed/recommended approach? Will I run into any problems around this?
Thank you
This is the right way to do it, so you'll not run into any problems etc.
Just use the App access_token to publish on your app users' walls.
Greetings,
Fredyy

Best option to POST on facebook timeline

I need to make POSTs to a Facebook page timeline (not auto posts, but when a user on an enterprise application submits a form). Note that a user should not be logged in on Facebook!
I've searched a lot and it seems I should use the Graph API to do this... but is it possible to achieve this without creating a Facebook app?
I don't wish any user to have this app... I just need to make POSTs to a Facebook page that I own. So, it's not a public app.
I've made some tests with Graph API Explorer, after creating an app, and I'm trying to POST and always get the error "An active access token must be used to query information about the current user.".
So, I'm using the correct access token (app access token in this case)... how can I test this? Should I have my app submitted for review already? I just want to make some tests, to see if this actually works as I need it to... I don't wish to publish the app now.
Could someone point me in the right direction?
Thanks!
An App Token is the wrong Token to post to a Page. You would need to use a Page Token for that. At least if you want to post "as Page". If you want to post "as User", you have to use a User Token. Everything you need to know is in the docs: https://developers.facebook.com/docs/graph-api/reference/v2.5/page/feed#Creating
More information about Tokens:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/