I'm building a web application and I'm using OAuth to provide Facebook authentication. I've successfully generated an access_token and each time the user logs out/back in, I match their access_token to find their account. This works very well.
In addition, I'm building a Windows Phone 7 companion app. I've got the same process for authentication, using the Facebook SDK, but the access_token that is returned is different. This means I cannot match the account.
Since the logout/login to my web application appears to generate the same access_token repeatedly, I'm confused as to why the mobile app generates a different access token.
Can anyone tell me if the behaviour I'm expecting is correct? I've scoured the Facebook documentation, but can't find anything relevant. Maybe OAuth isn't the correct thing to do here.
Each time I logged in, the code would return a different access_code value. I needed to add a new field called "response_type" with a value of "code". This then redirected me to the login page and responded with the correct token, which I then exchanged for an access code.
To generate the URL, this was the code:
Facebook.FacebookOAuthClient client = new Facebook.FacebookOAuthClient();
client.AppId = "285539721457932";
client.AppSecret = "65233641cf71e6fa9fef5ecd7d802ebf";
client.RedirectUri = new Uri("http://www.imaybelate.com/Account/FacebookCallback");
url = client.GetLoginUrl(new Dictionary<string, object>()
{
{ "display", "wap" },
{ "response_type", "code" },
{ "permissions","offline_access"}
}).ToString();
Related
I'm building a manual login flow for my App which is integrating some facebook functionality.
I need to check when the current access_token of the user will expire.
The API documentary says I should do this call:
GET graph.facebook.com/debug_token?
input_token={token-to-inspect} &access_token={app-token-or-admin-token}
So I did this in C#:
Uri inspectAccessTokenUri = new Uri("http://graph.facebook.com/debug_token?input_token="+access_token+"&"); //IDK which value should have the last parameter
HttpWebRequest checkToken = (HttpWebRequest)WebRequest.Create(inspectAccessTokenUri);
var response = await checkToken.GetResponseAsync();
Stream stream = response.GetResponseStream();
StreamReader reader = new StreamReader(stream);
string data = reader.ReadToEnd();
Debug.WriteLine(data);
The last parameter should be the app-token:
BUT: Of course I looked up how to get the app-token and facebook says:
Note that because this request uses your app secret, it must never be
made in client-side code or in an app binary that could be decompiled.
It is important that your app secret is never shared with anyone.
Therefore, this API call should only be made using server-side code.
(Facebook Graph API Documentation 1.1.16)
So my question: Can I check the token without the app-token or hardcoding the app-secret?
App secret is usually used by the server-side app, we don't use it in our UWP app, it could be decompiled.
Read the official doc about FB Graph Debug-Token, this can only be used when you debug your app, for example if you want to check the metadata about a given access token, after you publish your app, your code will not relay on it.
In an UWP app, we use WebAuthenticationBroker class to connect to OAuth providers such as Facebook, Flickr, Google, and Twitter. Maintenance is need during using OAuth connections. For example, expires information is included in the access token, when we use OAuth protocol for authentication and authorization, we need to refresh the access token after it expired.
Due to these conditions, you may reconsider what you can do in an UWP app and which API you should choose.
If the app-token is expired you will get a facebook response error. And you can catch this exception to deal with the situation you want. In this way you don't need to make a request with your app secret.
You can also use fb-uwp sdk that contains AccessTokenData for authenticated users
I am trying to post to my own facebook wall. So I created an "app" in my
personal facebook page, and got the app_id, app_secret, etc.
I then did this code:
#oauth = Koala::Facebook::OAuth.new(app_id, app_secret, callback_url)
#token = #oauth.get_app_access_token
#graph = Koala::Facebook::API.new(#token)
foo = #graph.get_object('me')
However, I get this error:
An active access token must be used to query information about
the current user. [HTTP 400]
(Koala::Facebook::AuthenticationError)
The token is valid, I checked. I need to post to my OWN wall, not a
different user's. From what I've read in the documentation, I need an "app
access key", not a "user access key" to do this. I am somewhat new to
the facebook api list, so I think I'm missing something very basic.
You can use an app token instead of a user token to post to a wall as long as the user already granted the proper permissions to your application.
That is, in timeline
User grants app access to post with publish_actions
User access token supplied by Graph Login Flow
At this point, you can either use the user access token or application access token
In addition,
foo = #graph.get_object('me')
is not a POST request. It says, get the object from the graph named me. Further me will not resolve to anything if you are using an application token because there is no way for the application to tell which "me" in all the users in the app you are referring to. Thus you need to refer to the app scoped id for the user.
e.g
foo = #graph.get_object('4')
Where 4 is a numerical app scoped ID (4 will not work in your case you need to figure out the correct ID for your application). The correct call in koala will be something like
foo = #graph.put_connections("4", "feed", :message => "I am writing on my wall!")
My problem was that the user (in this case myself) has to allow access to my app to post to my wall.
The full OAuth process is described well at http://developers.facebook.com/docs/authentication/
But specifically, I need to get a URL that I have to visit and then say "yes" to the authnetication question. The code is here:
#oauth = Koala::Facebook::OAuth.new(app_id, app_secret, callback_url)
#oauth.url_for_oauth_code(:permissions => "publish_actions")
The URL will look something like this:
https://www.facebook.com/dialog/oauth?
client_id={app_id}&
redirect_uri={redirect-uri}&scope=publish_actions
Note, the URL has to specify what permissions you want to request from the user (in this case, permission to post to the wall). This permission request is specified under the "scope" variable. Note some version of the facebook api allow posting through the "publish_stream" scope and other versions require the "publish_actions" scope. More information about the permissions available under scope variable is available here: https://developers.facebook.com/docs/facebook-login/permissions/v2.0
When you visit the URL that is generated from the above statement, facebook will give you a message asking if that particular app has permission to post to your wall. You, of course, say "yes". After that, your facebook app can post to the facebook wall using the "app access token"
After that, it's easy to post to the wall with your app access token. The code that works for me is:
#oauth = Koala::Facebook::OAuth.new(app_id, app_secret, callback_url)
#app_access_token = #oauth.get_app_access_token
#graph = Koala::Facebook::API.new(#app_access_token)
foo = #graph.put_connections(facebook_user_id, "feed", :message => "Test message")
I am using oauth.io to handle authentication in an Android app. I login using the service and then pass the access token to the server. As part of the server-side verification, I make a call to https://graph.facebook.com/debug_token?input_token={user access token}&access_token={app token}. I was receiving a response with the error message "(#100) The App_id in the input_token did not match the Viewing App".
I took this to mean that the app that generated the access token was not the same as the app that owns the app token I was sending in the request. Upon further inspection, I noticed that when I debugged the token with Facebook's tool (https://developers.facebook.com/tools/debug/accesstoken) I was seeing a different app id that belonged to oauth.io itself instead of my app. Since the app token is based on the app id and app secret, it obviously would not be correct if it was expecting oauth.io's app token.
Is there any way to continue using the debug_token endpoint through Facebook with a token generated by oauth.io?
Sorry this is a bit late - but it may still help you :) I had the same issue. In my perl code, I just did:
use LWP::Simple;
my $check_session_first = LWP::Simple::get("https://graph.facebook.com/me?access_token=$in->{token}");
if (!$check_session_first) {
print $IN->header;
print Links::SiteHTML::display('error', { error => qq|Sorry, we couldn't log you in. |});
return;
}
Basically, if $check_session_first is empty, then it means the session isn't valid. If its valid, it'll return a JSON object (which in my case, I process using the "JSON" perl module)
I'm trying to post a score from my server.
I have my app set up as a game.
I've got my app access token.
I'm POSTing to https://graph.facebook.com/USER_ID/scores
I have authorized and given publish_stream and publish_actions permissions to my app for the USER_ID (which is me).
However, an error is telling me that I need a user access token for that action, which I don't as Facebook states here: https://developers.facebook.com/docs/score/
Create or update a score for a user
You can post a score or a user by issuing an HTTP POST request to
/USER_ID/scores with the app access_token as long as you have the
publish_actions permission.
I've seen a similar question but it was unanswered: Facebook Graph API Explorer won't POST scores (they've ended up creating a new app, which is not a real solution)
To verify that it's not me who is incorrectly using the API, I went to Graph API explorer and tried it also there with the same access token, no luck:
Funny, that if I follow what it says and try the same with my user access token, it then says: This method must be called with an app access_token.
Is there something that I'm missing or is there a bug with the Graph API?
Thanks,
Can.
It looks like you have everything correct, but there's one relatively little-known case which will produce that error message.
Check the 'App Type' field in the Advanced Settings:
If this is set to 'Native/Desktop' instead of 'Web' in the Advanced settings, it's assumed that your app's binary/native distribution contains the app secret.
In this configuration, API calls made with the app access token are untrusted, effectively the token is completely ignored.
Change the app settings back to 'Web' and you should be able to post or delete Scores and/or Achievements with the App Access Token
If this is the issue, you can quickly verify if with a call to
https://graph.facebook.com/app?fields=migrations&access_token=[APP ACCESS TOKEN HERE]
In 'Web' mode, the response contains the migration settings for the app, something like:
{
"migrations": {
"secure_stream_urls": false,
"expiring_offline_access_tokens": false,
"requires_login_secret": false,
//etc
}
In 'Native/Desktop' mode, the app access token is untrusted, so you can't access the app's private data, and the response is:
{
"error": {
"message": "An unknown error has occurred.",
"type": "OAuthException",
"code": 1
}
}
I have been requested by a client to pull the latest posts from their LinkedIn group to one of our website pages.
I am developing using ColdFusion 9 and have been researching this for quite a few days now and decided to post my query here in the hopes that someone will be able to help me out.
I can get to the point where I have a requestToken. My understanding is that I now need to sign the request token to get the accessToken. My problem is that I need to do this behind-the-scenes. However, all the examples that I can find are redirecting the front-end user to the authorisation url to allow the user to authenticate, but I don't want the user to authenticate, I want to authenticate server-side instead.
I am trying to use the Scribe Java wrapper library. Below is the code that I have so far which gets the requestToken (as well as the authorisation url). I need someone to point me in the right direction to sign the token on the server-side code so that I can make the necessary calls to consume the Groups API (e.g. http://api.linkedin.com/v1/groups/{id}/posts?count=5&start=1)
<cfscript>
var l = {};
//The LinkedIn public and private keys for application
l.oauth_consumer_key = "[My public key]";
l.oauth_sign_key = "[My secret key]";
l.serviceBuilder = CreateObject("java","org.scribe.builder.ServiceBuilder");
l.LinkedInApiClass = CreateObject("java", "org.scribe.builder.api.LinkedInApi").getClass();
l.service = l.serviceBuilder.provider(l.LinkedInApiClass).apiKey(l.oauth_consumer_key).apiSecret(l.oauth_sign_key).callback("[My callback url]").build();
l.requestToken = l.service.getRequestToken();
l.authUrl = l.service.getAuthorizationUrl(l.requestToken);
// I NEED TO DEFINE WHAT TO DO AT THIS POINT TO SIGN THE REQUEST SERVER SIDE
...
...
</cfscript>
Kirsten is technically correct - Linked In Api's require user authentication. It's annoying because you need to authenticate to even retrieve group posts.
However there are ways round it.
With scribe you can manually create an access token. So what I would do is create a dummy user account on Linked In, authenticate that user as normal and save the returned signed credentials on your database, which you can then use to create the token:
var accessToken = createObject("java", "org.scribe.model.Token").init(
"singedTokenStringReturnBackFromLinkedIn",
"singedSecretStringReturnBackFromLinkedIn",
"oauth_token=singedTokenStringReturnBackFromLinkedIn&oauth_token_secret=singedSecretStringReturnBackFromLinkedIn&oauth_expires_in=0&oauth_authorization_expires_in=0"
);
You can then skip the authenticate part and call the api allowing you to display the group posts without the current user having to sign in:
var req = createObject("java", "org.scribe.model.OAuthRequest").init(
createObject("java", "org.scribe.model.Verb").GET,
"http://api.linkedin.com/v1/groups/123456/posts"
);
oAuthService.signRequest(accessToken, req);
I have no idea if this would violate Linked In's T&C though.
OAuth authentication is designed for the user to give their permission to the application via a login on the site (in this case LinkedIn). It is not designed for you to automatically have the user grant permission for your application.
In order to get an access token to use the LinkedIn APIs, you have to include the part of the authentication flow that sends the user to LinkedIn to give your application permission to act on their behalf, at which point you can retrieve a verifier token either via PIN (which the user inputs) or via a callback to your application.
In short, there is no way to "authenticate server-side" without having the user interact with the LinkedIn site.