I'm using FB.ui({method: 'apprequests', ... }) to let users invite their friends to my java web app.
In the Facebook Requests Dialog documentation it says that I need to delete the request when the user has accepted the request:
When a user is directed to your application, by clicking a Request
from the application, the games dashboard, or from a Request
notification, you must delete the request after it has been accepted.
Requests are not automatically deleted once they have been clicked,
thus it is the developer’s responsibility to clear them once they have
been consumed.
http://developers.facebook.com/docs/reference/dialogs/requests/#deleting
When I try to do this with the RestFB Graph API Java client I get a permission error from facebook.
The code:
FacebookClient client = new DefaultFacebookClient(appAccessToken, new DefaultWebRequestor(), new DefaultJsonMapper());
client.deleteObject(String.format("%d_%d", requestId, facebookUserId));
The log says:
(com.restfb.DefaultWebRequestor) INFO: Executing a POST to
graph.facebook.com/XXX_XXX with parameters (sent in request body):
method=delete&access_token=XXX&format=json&locale=en_US
The error:
Facebook responded with HTTP status code 403 and response body:
{"error":{"message":"(#200) Permissions
error","type":"OAuthException"}}
I have tried both app access token and receiving user's access token, and I have scopes email and publish_actions. I read somewhere that I may need the publish_stream scope. I would rather not ask my users for that just to be able to delete requests, though? Or is it something else I'm doing wrong?
You don't need the publish_stream scope if you use the APP Token.
If you use the C# facebook SDK you can use this:
var fb = new FacebookClient(Config.FacebookAppId, Config.FacebookAppSecret);
var result = fb.Delete(string.Format(
"{0}_{1}?access_token={2}",
facebookRequestId,
facebookUserId,
fb.AccessToken
));
(See also: Facebook Deleting Requests)
Related
I am hitting a wall while developing seamless integration of a Facebook page with my bot.
Essentially I want to achieve same integration than Chatfuel or Manychat have, where being logged in with your Facebook account lets you to just choose what page you are connecting to them and you are good to go.
The problem I am facing is generating the proper token in order to bind the selected page to my app (bot). As per Facebook documentation:
When you create a subscribed_apps edge, the page-id you use in endpoint must match the page ID of the page access token used in the API call. The app that the access token is for is installed for the page.
Given the call has no other parameter than the access token, this access token has to be enough for Facebook to:
Authorize the action on the page.
Identify what app is being subscribed to the page.
This is confirmed while using the Facebook Graph API Explorer, where one selects the page and the app to bind and a proper access token is generated:
This token properly works using cURL in the terminal:
$ curl -X POST 'https://graph.facebook.com/v3.0/<MY_APP_ID_HERE>/subscribed_apps?access_token=<TOKEN_PASTED_FROM_GRAPH_API_EXPLORER>'
{"success":true}
With the Facebook Access token debugger (info icon on the left of the access token, then open in Access token tool), it is confirmed that the token knows about both the page and the app that have to be connected.
The question is, how are these page-app related token programmatically produced? I can't seem to find the proper API call in Facebook documentation and it is by all means possible, as Chatfuel and Manychat are doing this.
Thanks in advance for your support Lars Schwarz and community!
Adding some detail to Alex's answer, for it to be more complete.
When subscribing an app to a page, Facebook needs to:
Know what app you are talking about.
Know what page you are talking about.
Know that you have permissions on that page to subscribe an app.
How does Facebook know it all?
1 comes from the fact that Facebook login happens in the context of a page, actually, the Javascript code for Facebook contains your appId:
js.src = 'https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v3.0&appId=<YOUR_APP_ID_IS_HERE>&autoLogAppEvents=1';
2 Comes from the page_id in the URL used to subscribe apps to pages:
https://graph.facebook.com/v3.0/YOUR_APP_ID_HERE/subscribed_apps?access_token=YOUR_ACCESS_TOKEN_HERE
3 Comes from the access token, obtained in the context of an APP through Facebook login, that is passed as parameter in the URL used to subscribe apps to pages:
https://graph.facebook.com/v3.0/YOUR_APP_ID_HERE/subscribed_apps?access_token=YOUR_ACCESS_TOKEN_HERE
To do this, you need to put FB Login on your site/customer portal and request pages_messaging and manage_pages permissions. The person that logs in must be a Page Admin.
Once your app has been granted that permission for the page, you can generate a page access token as described here:
https://developers.facebook.com/docs/pages/access-tokens
There is documentation for test users in the Facebook Developer online documentation but how do you delete actual users where the application doesn't show in their app list anymore? This is with the knowledge of the access_token and facebook_user_id.
Used to delete Test Users:
https://graph.facebook.com/893450345999?method=delete&access_token=A2ADI1YMySweBABBGrWPNwKMlubZA5ZCrQbxwhtlEd9FIQUrOVjsGD3mnIWEbUhzDz7dkuBekMFdHvjvJ9CZAU7EMSSaZBsgN60FkMCi3AAZDZD
Running the test user link produces the following error:
"error": {
"message": "(#100) Can only call this method on valid test users for your app",
"type": "OAuthException",
"code": 100
}
You seek for application de-authorization:
You can de-authorize an application or revoke a specific extended permissions on behalf of a user by issuing an HTTP DELETE request to PROFILE_ID/permissions with a user access_token for that app.
permission - The permission you wish to revoke. If you don't specify a permission then this will de-authorize the application completely.
To achieve this issue request to:
https://graph.facebook.com/me/permissions?method=delete&access_token=...
Once application de-authorized it will not appear in the list of user's applications.
Update December 2021
Follow the reference for Requesting & Revoking Permissions:
To remove single permission issue a DELETE request to /{user-id}/permissions/{permission-name} passing user access token or an app access token
To de-authorize an app completely issue similar request to the /{user-id}/permissions endpoint
Real users 'delete' themselves from your app when they remove your app from their account, you don't have to do anything.
If you would like to know when users de-authorize your app like this, you can specify a Deauthorize Callback URL in your app's settings. As described in the docs at https://developers.facebook.com/docs/authentication/:
Upon app removal we will send an HTTP POST request containing a single parameter, signed_request, which, once decoded, will yield a JSON object containing the user_id of the user who just deauthorized your app. You will not receive an user access token in this request and all existing user access tokens that were previously issued on behalf of that user will become invalid.
UPDATE: To remove your own app from the user's authorized applications, issue an HTTP DELETE to https://graph.facebook.com/[userid]/permissions?access_token=... as per https://developers.facebook.com/docs/reference/api/user/.
Typically Graph API calls also support doing an HTTP POST with an extra parameter, method=DELETE, in case DELETE calls are not possible/supported.
To do it:
You must have the user access token.
Visit https://developers.facebook.com/tools/debug/accesstoken/ and debug the user access token.
Copy App-Scoped User ID
Via API call HTTP DELETE to https://graph.facebook.com/[App-Scoped User ID]/permissions?method=delete&access_token=[YOUR-APP-ACCESS-TOKEN]
I would like to get basic user information from Facebook after the user has logged in.
I've looked at the documentation in How to: Work with authentication and under the "How to: Retrieve authenticated user information" section, it shows how to do it from the .NET backend code by using an HttpClient to make the call with the AccessToken:
var fbRequestUrl = "https://graph.facebook.com/me/feed?access_token="
+ credentials.AccessToken;
Since the mobile client has the accessToken that we get from MobileServices, can the client make the call directly to a Facebook endpoint, or does the client SDK provide us with any built-in functionality?
I've been following the Xamarin.Forms Sport project and the way they get the user information from Google is by hard-coding the Google endpoint and making a call to get the user info.
Note: Xamarin.Forms Sport uses Mobile Services, not Mobile App, so not sure if that makes any difference.
It sounds like you're doing the server-directed login: where you are making a call to your backend to do the login dance with Facebook. In this, your client application is making a GET call to .auth/login/facebook, which opens up a browser or the Web Authentication Broker where you enter your credentials. The end result is you will receive a Zumo access token (different from Facebook access token).
You cannot use the Zumo access token to access Facebook APIs by itself. In the "How To:" you linked, we show you how to use GetAppServiceIdentityAsync from the backend to get the Facebook access token. This is possible because you have stored your Facebook client ID via portal, which is available to the backend.
The advantage of doing auth like this was that you don't have to deploy your Facebook Client Id with your mobile apps. If you wanted to access the Facebook APIs from the client, though, you'll need to get the Facebook token to the client.
Few ways I can suggest:
Call .auth/me from your client. The response will give you a JSON object you can parse that should include the FB token associated with your Zumo token.
Write a custom API with [Authorize] attribute set that will perform GetAppServiceIdentityAsync and respond with the value of the facebook access token. You can then parse the response from your client. This is basically what .auth/me does, but you can write it to give back only your FB access token.
Use the Facebook .NET SDK http://facebooksdk.net/ to do client-directed login. You will get a Facebook token on your client, and then you can use our LoginAsync(Facebook, access_token) method to get a Zumo token so that your client can access both Facebook and your Mobile App backend. The disadvantage, as I mentioned before, is that you'll have to deploy your FB Client ID with your app.
I have a Facebook App and a Facebook place page.
I have linked the App to the page using http://www.facebook.com/add.php?api_key=251531424968346&pages=1&page=108505012565098
I can make post from a user with location as my Facebook place. I want to delete these posts programmatically using Facebook SDK DELETE method.
The code to delete is
function deletepost(responseid){
FB.api('/'+responseid, 'delete',
function(response){
if (response.error)
{
alert(response.error.message);
});
}
I tried setting resposeid as _ and
With this, i get an error "(#200) This post wasn't created by the application"
It is true that the post wasn't created by the application but being an owner of the page (and the app), can i not delete any post made on the page in any way?
You can only delete posts
Posted by your app, using the app access token or user access token from the user that posted them
On the timeline of a page you're administering, using the Page access token for that page.
It sounds like you're not doing either of those - the error message is likely correct
I am posting to my facebook wall through my app using my user.
I gave to the app offline access but still, sometimes the accesstoken changes.
I would like to know if its possible to use Facebook API to get the accesstoken?
Right now, I used the example.php from the facebook sdk to login and took the accesstoken from there.
again, I dont want the application accesstoken. I want to user accesstoken of using the app.
Thanks.
There is App Login section in Authorization paragraph in https://developers.facebook.com/docs/reference/api/ .
Read it. You have to call it if you get invalid access token error in order to refresh the token. However, sometimes the token is invalid due to lack of permissions and not because the token is expired