I've been digging through all docs I can find, but I cannot seem to verify this..
When I'm doing app authorization I'm asking for publish_stream from my visitor.
From to FB docs (http://developers.facebook.com/docs/reference/api/permissions/):
Enables your app to post content, comments, and likes to a user's stream and to the streams of the user's friends. With this permission, you can publish content to a user's feed at any time, without requiring offline_access. However, please note that Facebook recommends a user- initiated sharing model.
It very explicitly states that I'm able to post at ANY time. But, a regular user access token expires after a certain time. So that won't be usable to post.
However, an APPLICATION access token can be retrieved at any time, without any user interaction. And when I've tested, I can successfully publish to a users feed (yes on their feed, not my applications feed) using the app access token.
I haven't waited 2+ hours for the initially obtained User token to expire though, but even if the user session was logged out, I was still able to post using the app token.
So, this is what I want, right? Yes!
But this is not documented anywhere, so my question is:
Is this an allowed/recommended approach? Will I run into any problems around this?
Thank you
this is the right way to do it, so you'll not run into any problems etc.
Just use the App access_token to publish on you app users walls.
Greetings,
Fredyy
Related
We have an app which could login via Facebook or Instagram. And we will pull some basic information of the user's from the site if you do so. We want to update all those basic informations at a certain period of time by the backend. It's not necessary for us to update informations while the user is using the app. I think update the basic information is just a test. The company might want to give some useful recommendations to the client for some commercial reasons. Any way, I checked that Facebook access token will live for 60 days,Instagram access token will not expire for now. May I refresh access token at backend without user involved?
There is no way to refresh the User Token automatically (on the server), it needs user interaction. Else, it would be pointless to implement a 60 days limit.
I'm currently toying with the Facebook Graph Api and have been able to get some interesting results, I would like to be able to post to one of my Facebook App users pages. They have authenticated the app and confirmed the ability for my app to be able to post on there wall. I know there is the can_post check using FQL, but I haven't seen any information on this using the Graph API. Is there a possible check to make so I can see if I have the ability to post on there wall?
can_post
https://developers.facebook.com/docs/reference/fql/user/
This settings is actually a setting of the timeline:
This setting only affects the viewers of the specific timeline and does not apply to the owner of the timeline.
can_post - bool - Whether or not the viewer can post to the user's Wall
Beyond this settings, by authenticating an application and giving it certain publishing permissions, the application, using it's per-user per-app access token will be able to perform actions on behalf the actual user. Actions will be attributed to the user even though it is the application that initiated and published these stories.
To answer what I assume is your underlying question - your application, given the appropriate permissions, will always be able able to publish a story to the users timeline. The act of giving an application any permissions is the same as allowing the application to act as you and access everything you would be able to access. This includes posting a story to your own timeline (even if no other user would be able to).
I am building an in-house application which would accumulate the information from several social networks at once. Possibly, the URL of the application will not be known or it will not be allowed anywhere outside localhost.
One of the information pieces I will be accumulating is FQL insights table information: https://developers.facebook.com/docs/reference/fql/insights/ . As you may notice, this information is private, so I just cannot fetch it anonymously.
The application itself is written in a "configure once and use forever" fashion, and possibly the person using the application will not be allowed to the Facebook login credentials at all.
My problem is the Facebook login. As I understand the login with "forever access" is now deprecated and Facebook does not allow API access the same way as Twitter does (creating the forever lasting key and forgetting about it). Question is:
Is there any way to overcome the fact that I need to ask the person for permissions every time I would like to fetch them? What can be the longest period between asking?
My current thoughts about it are:
Creating a dummy user for the 'manager' and giving him read-only
access to FB pages, therefore enabling him to log in to the account.
Then asking him for the permissions every (n) hours when I need them.
Automatic log in to the FB account given that we have the
login/password for the account and obtaining the API key myself.
Which is doable? Did anyone have any experience in doing this kind of things?
What can be the longest period between asking?
You can use Long-lived user access_token which is valid for 60 days.Use below FB call to get extended access token:
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN
You can check more details here:
https://developers.facebook.com/roadmap/offline-access-removal/
One more point which is worth to note here:
When a user change his password, deauthorizes an app their OAuth token get expired.
Hope this help !
I've been scouring the net for ages with this one, and I'm not sure if there is a solution at all, but thought I'd post and see if there's a response... thanks in advance!
Several of our customers (who we build websites for) have their Facebook feeds brought into their website (and their Twitter feeds). Before the removal of the offline_access permission, this was no problem. We'd set our app up, authenticate the account, get the access token and then we could bring in the live feed into their websites forever. However, now with the new system, there doesn't seem to be a way of doing this without human intervention.
Essentially, we have these websites bringing in the feeds from the relevant Facebook accounts, with the long access_token (60 day token). However, when this limit is reached, there is no "user" to re-authenticate the app, as its just the server that makes these requests. Is it a case of having to set reminders for all these accounts, and then every two months we (as the web agency) have to log in to all the accounts and get new access tokens to provide to the scripts so they can carry on working? Or is there an alternative which I am just not seeing?
Thanks again!
Neil.
There is no alternative that I know of. Once the token expires after 60 days, the user must re-authenticate.
No alternative way, user must login to provide you the new access token
https://developers.facebook.com/roadmap/offline-access-removal/
I have a number of PHP scripts that pull data from my Facebook profile.
I had set these up with an Access Token that I took from the Graph Explorer.
https://developers.facebook.com/tools/explorer/
I ensured that when generating the tokens, I asked for the offline_access extended permission.
These scripts worked fine for months, but over the last few days, I notice that whenever I logout of Facebook, the token becomes invalidated, and I have to log back in each time and get a new one.
My understanding was the an offline_access token survives a logout, but not a password change.
Has something changed in this regard?
I've done some more research on this.
FB are deprecating the offline_access permission. That means it will no longer be possible to obtain an access token that gives your app open-ended permission to query a user's data.
Instead, your app will have to test the validity of any existing token, and it that token has expired, you will be able to swap it for a new one. Previously, if you had an expired token, you had to send your user through the auth process again to get a new one, so this is actually a positive development.
See: https://developers.facebook.com/docs/offline-access-deprecation/
In my own particular example, where I was using a token obtained from the Graph Explorer in a PHP script that queried the Graph with cURL (ie independently of a user session on FB), I can't however do this.
The Graph Explorer is an app in its own right, and it seems that in the last few days it has switched on the deprecate_offline_access migration in its settings, which means existing offline_access tokens obtained via Graph Explorer will now expire on logout.
Also, I can't issue a request in my script to swap the token, as this requires the APP SECRET for the Graph Explorer app, which I don't have.
Therefore, existing offline_access tokens obtained as part of the standard auth process should continue to work, but offline_access tokens obtained via the Graph Explorer will not.
This effectively means that it is no longer possible to script interaction with the Graph where Extended Permissions are required. All such interaction will now have to occur within a user session.
I can see the logic in this, but its a bit of a spanner in the works for cron jobs etc.
I might suspect that with the change-over (while Facebook code is written to handle both old and new ways) that there might have been a bug introduces. If you can reproduce this issue, then it should be filed as a defect with Facebook at http://developers.facebook.com/bugs.
I've checked using a basic access token with a brand new app. I only asked for offline permissions. I checked the token in the linter and it says it was ok. I logged out of facebook then back in. Then rechecked the token. And sure enough it was invalidated. In my app settings I have deprecate offline_access set to Enabled.
For my next test, I set it to disabled and checked again. Sure enough Facebook invalidated that token.
For my next test, I checked with an app created a few years ago. It has the deprecate offline_access turned off. And sure enough it was able to keep the offine access token current and did not invalidate it at all.
I also tested with an app I created during last year's F8 conference, and it also behaved correctly (not invaliding the offline token) when I logged out of facebook.
So, I guess it might depend upon how long ago your app was created.