Is it possible to post on FB users' wall after he likes my FB page with application (or site connected to FB application)? I mean without permissions request. Do I get access token after like at all?
You won't obtain an access token after a use like something on your site.
You would need to ask for permissions to obtain any info about the user, and if you want to post to the wall of the user automatically (which by the way would be considered spam and trigger the deactivation of your app).
An option would be to put a callback function when the user click the button like (using FB.Event.subscribe: http://developers.facebook.com/docs/reference/javascript/FB.Event.subscribe/), and trigger a publication popup (FB.ui, method: 'feed': https://developers.facebook.com/docs/reference/dialogs/feed/)
Related
I am hitting a wall while developing seamless integration of a Facebook page with my bot.
Essentially I want to achieve same integration than Chatfuel or Manychat have, where being logged in with your Facebook account lets you to just choose what page you are connecting to them and you are good to go.
The problem I am facing is generating the proper token in order to bind the selected page to my app (bot). As per Facebook documentation:
When you create a subscribed_apps edge, the page-id you use in endpoint must match the page ID of the page access token used in the API call. The app that the access token is for is installed for the page.
Given the call has no other parameter than the access token, this access token has to be enough for Facebook to:
Authorize the action on the page.
Identify what app is being subscribed to the page.
This is confirmed while using the Facebook Graph API Explorer, where one selects the page and the app to bind and a proper access token is generated:
This token properly works using cURL in the terminal:
$ curl -X POST 'https://graph.facebook.com/v3.0/<MY_APP_ID_HERE>/subscribed_apps?access_token=<TOKEN_PASTED_FROM_GRAPH_API_EXPLORER>'
{"success":true}
With the Facebook Access token debugger (info icon on the left of the access token, then open in Access token tool), it is confirmed that the token knows about both the page and the app that have to be connected.
The question is, how are these page-app related token programmatically produced? I can't seem to find the proper API call in Facebook documentation and it is by all means possible, as Chatfuel and Manychat are doing this.
Thanks in advance for your support Lars Schwarz and community!
Adding some detail to Alex's answer, for it to be more complete.
When subscribing an app to a page, Facebook needs to:
Know what app you are talking about.
Know what page you are talking about.
Know that you have permissions on that page to subscribe an app.
How does Facebook know it all?
1 comes from the fact that Facebook login happens in the context of a page, actually, the Javascript code for Facebook contains your appId:
js.src = 'https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v3.0&appId=<YOUR_APP_ID_IS_HERE>&autoLogAppEvents=1';
2 Comes from the page_id in the URL used to subscribe apps to pages:
https://graph.facebook.com/v3.0/YOUR_APP_ID_HERE/subscribed_apps?access_token=YOUR_ACCESS_TOKEN_HERE
3 Comes from the access token, obtained in the context of an APP through Facebook login, that is passed as parameter in the URL used to subscribe apps to pages:
https://graph.facebook.com/v3.0/YOUR_APP_ID_HERE/subscribed_apps?access_token=YOUR_ACCESS_TOKEN_HERE
To do this, you need to put FB Login on your site/customer portal and request pages_messaging and manage_pages permissions. The person that logs in must be a Page Admin.
Once your app has been granted that permission for the page, you can generate a page access token as described here:
https://developers.facebook.com/docs/pages/access-tokens
All mutual friends request made from my app server (node) (also tried the Facebook API explorer) suddenly started returning an empty array for the data field. I confirmed and validated my access token and appsecret_proof on the API explorer. Do you know what has changed or what the request below is missing?
Note: both users use the app and have granted user_friends permission.
I am using v2.12
request
{
url: 'https://graph.facebook.com/v2.12/{user-facebookid}?fields=context.fields(all_mutual_friends.limit(5000))',
qs: {access_token: 'XXXXX'
,
appsecret_proof: crypto.createHmac('sha256', clientSecret).update(accessToken).digest('hex')
}
Yep. Facebook has taken down the Graph API for page access tokens. The only way to retrieve data (or was a week or so ago), was a temporary user token that lasts about 2 hours. It's totally broken my band's schedule page. I've been through every avenue and even spoke with a facebook ad team employee on the phone that was aware of it. She seemed to empathize but had no solution for me. I would count on it being down for a while.
I have finally figured out a work around for this. On your fb application, you have to disable the secret key requirement. This can be found under the advance settings of your fb application console. It's called "
Require App Secret".
Once you generate a fb PAGE access token, you get a fb page token, and then extend it.
here is the token debugger:
https://developers.facebook.com/tools/explorer/
You can extend the access token programmatically as explained here:
https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension
AND
https://developers.facebook.com/docs/facebook-login/access-tokens/#pagetokens
There is also an extend tool in the access token debugger.
Looking for alternatives on how to use the events API since the Facebook changes.
https://developers.facebook.com/blog/post/2018/04/04/facebook-api-platform-product-changes/
Our app currently uses /search endpoint, pulling events based on a /location (miles radius). Is this totally revoked or is there a way to work around?
Thanks.
You can no longer use the /search endpoint with the following object types: event, group, page, user
Please read: https://developers.facebook.com/docs/graph-api/changelog/breaking-changes#search-4-4
Currently to access events you can use a user endpoint such as ‘/me/events’ or ‘/me/events/not-replied’ using an access token valid for that user. you can get the events that the user was invited to or is going/interested
You can access an event endpoint /{event-id} with an user access token if that user has been invited or is going/attending or is the creator of that event.
I believe its possible (but didn’t test it yet) to access to a specific page events endpoint, such as /{page_id}/events with a page access_token such as manage_pages, if Facebook already approved that permission and the page owner accepted the permission.
i'm working with the facebook sdk for php and want the users to sit on my own database but still to get permissions of them.
my very basic use of the
i want to register users to my site via facebook, but i still want to be able to post to thier wall. i thought about only using the facebook login method but then i have no way to ask my customers (Via registration) what is their phone number and the phone number is the most important part i need from the people who register.
i tried to add the scope params to my <fb:registration tag but it seems to ignore it. when i only use the login method via <fb:login-button the permissions issue seems to work.
this is my exact flow:
first, i call the fb:login-button to determine if the client is already reistered:
<fb:login-button scope="publish_stream,user_checkins,email" registration-url="/register" /></fb:login-button>
then, on the registration page i have this code:
<fb:registration
fields='[{"name":"name"},{"name":"gender"},{"name":"email"},{"name":"birthday"},{"name":"location"},{"name":"phone2","description":"mobile phone","type":"text"}]'
redirect-uri="XXXXXX"
fb_only="true"
scope="read_stream,publish_stream"
width="530">
when the user comes back from facebook i use this code:
require_once('facebook-sdk/src/facebook.php');
$facebook = new Facebook(array( 'appId' => $GLOBALS['facebookAppID'], 'secret' => $GLOBALS['facebookAppSecret']));
$customerArray = $facebook->getSignedRequest();
that's works great and create the customer record on my database. but - it does not give the permission i need to post on my user wall.
You can't ask for user permissions in registration using this plugin, but you can do a work around asking for permissions before showing the form. You can make a call to FB.login popup and after the user gives you permissions in the callback function you can show the registration form (which could be hidden while the user accept the permissions).
I'm playing around with Facebook Connect, trying to use Facebook as the means or authentication on my site. Currently my workflow looks something like this:
Go to URL
Server checks cookies for AccessToken
If AccessToken exists, automatically fill in user's name/profile picture in comment box, and leave AccessToken in hidden input
send page down to client
on submit, verify access token (which was submitted with the rest of the form) is a valid access token for a real person. If so, add comment to Database
refresh page to display new data
if no access token, replace user's name/profile picture with <fb:login-button>, along with the required <script>s.
send page down to client
When user authorizes page/logs into facebook, refresh page
(go back to top, except this time the access token should exist)
So I have a few questions:
Is this secure? I was thinking of ways i would be able to do without the double authentication with Facebook (checking once on page-generation and checking again on comment-submission), and I could not figure any other way short of maintaining my own session-state with each client. Is that worth doing?
Does the access token expire when i log out of Facebook? I'm thinking it should, but it seems I can continue to use the same access token to grab data (i.e. name, url, etc.) after I manually go to Facebook and log myself out. Is it because I'm only asking for public information, and only more intrusive permissions expire on logout?
Given that each person who wants to do something has to provide a unique token from Facebook, this should have the side effect of blocking CSRF, since every action can be traced to a valid Facebook account. Is that right?
Why don't you just use the Facebook Javascript SDK to detect if they're currently logged into Facebook? This will also make the access token available in Javascript so you can make client-side calls to the API.
You can access the same access token server side via the session cookie set by Facebook also.
I can't answer all of your questions but I can tell you that having the access token in a hidden field on your page is risky from a policy perspective, especially if your page can be read by any third-party code such as Google Analytics or AdSense. Facebook will nail you for this as it is leaking user identifying data to third parties. The Facebook userid is in the access token in plain text. Facebook has automated processes that scan for this stuff and will auto-ban your app if it is leaking userids to third parties.