Hello i have made a apps on facebook and im asking the user for permission to post on there wall using
<script type="text/javascript">
FB.init({
appId : 'my apps code is here',
status : true, // check login status
cookie : true, // enable cookies to allow the server to access the session
xfbml : true // parse XFBML
});
</script>
The user clicks yes but how do i grab there offline token ? so i can post two there wall every day ( its a horoscopes apps so need to post there horoscopes every day to there apps )
I need to store there token in the db so i can use it every day.
i have got the facebook.php which grabs there token but donno which bit grabs it
and if i mess around with things it will keep adding the token on each refresh.... i just wanna add there token to my db and then if they refresh it don't add it again...
For posting on the user wall with no confirmation from the user himself, you need to obtain the publish_stream permission. However, FB policy says you better should prompt ot make aware the user for the posting you're about to make, no matter he's given you permission for this.
Once you have this permission obtained, you can post on the user wall with your app token. This token may be retrieved like so:
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=client_credentials
Obtaining the user token is fairly straight forward. You need to use FB.login to make sure the user is authenticated. During this process you'll want to add the offline_access permission to make sure a long lasting token is issued.
You can get the token from the login response like.
FB.login(function(response){ alert( response.authResponse.access_token ); },{scope: 'offline_access,publish_stream'} );
As noted by Martin Asenov you should ensure you've had the user make an informed consent in how you're going to be using this token. Not doing so is an easy way to get your app banned.
Related
I have an application, that runs on server. On that server is background task, that will post status update on few social networks (Facebook, Twitter, G+). It must be completely server-side.
In Twitter API I'm able to use OAuth header to authorize API request. OAuth HTTP header uses consumer key, consumer secret, access token and access token secret to create the header. With this I'm able to post/update/delete tweets with no user interaction.
How can I do this for Facebook? I found a solution to obtain a long-lived access_token (2 months), but we don't want to regenerate access_token every 60 days. We want to use it for manage our Facebook page - post status updates, but completely server-side.
Am I able to do this for Facebook? Thanks for answers.
PS: I searched stackoverflow hundred-times but with no solution for my problem.
Thanks.
It is not possible for User Access Tokens (they can only be extended to 60 days and need to be refreshed by the user after that), but for posting to a Page you should use a Page Token anyway. An Extended Page Token is valid forever.
Here are some Links to help you get that Extended Page Token:
https://developers.facebook.com/docs/facebook-login/access-tokens/
http://www.devils-heaven.com/facebook-access-tokens/
http://www.devils-heaven.com/extended-page-access-tokens-curl/
A Page Token will post "as Page" btw, but that´s probably what you want. And auto-posting on user profiles is not really allowed anyway, every message has to be 100% user generated and every posting should get authorized by the user.
Pay attention to Access Tokens Expiration & Extentions.
The Page Access Token could be a good solution to only server side calls for testing and data analysis purposes.
Take your User Access Token from Graph API Tool
Extend your User Access Token
Call https://graph.facebook.com/v2.11/me/accounts with your user access token extended
*all calls are GET and this procedure does not use APP Access Token.
Beginner here, and I've been getting lost in the Facebook developer docs and Google for hours. I'm sure this is a simple question, but I just need some direction.
What I'm trying to do: query latest post of a page owner from a public Facebook page with JavaScript and parse it to display within my own HTML (can't use a Social Plugin - I need custom control over HTML/CSS).
What I've got working so far:
var token = '<my_token>';
var query = 'fields=posts.limit(1)';
var request = 'https://graph.facebook.com/[mypage]?' + query + '&access_token=' + token;
$.getJSON(request, function(response) {
alert(response.posts.data[0].message);
});
This does work, however, the Access Token debugger says my access_token is going to expire in 2 months. Why? It's a public Facebook page, and I only want to query the page owner's latest comment. Do I really need to create a Facebook App and login via PHP to just to access this public information?
I'm doing the exact same thing with a Twitter feed and all I had to do was $.getJSON http://api.twitter.com/1/statuses/user_timeline/.json, completely in JavaScript.
It seems getting similar information from Facebook is much more difficult, but perhaps I'm going about it the wrong way?
This does work, however, the Access Token debugger says my access_token is going to expire in 2 months. Why?
Because that’s what user access tokens do.
Do I really need to create a Facebook App and login via PHP to just to access this public information?
For pages that are restricted in any way (based on age, country or for alcohol related content) you have to use a user access token, because that’s the only way Facebook can figure out whether you’re actually allowed to see the content or not.
If it’s your own page, then you could generate a page access token – those don’t expire by default, if you use a long-lived user access token to get them.
But you don’t want to expose that kind of token in client-side JavaScript, because everyone visiting your site could steal it from there and act on behalf of your page then.
I'm playing around with Facebook Connect, trying to use Facebook as the means or authentication on my site. Currently my workflow looks something like this:
Go to URL
Server checks cookies for AccessToken
If AccessToken exists, automatically fill in user's name/profile picture in comment box, and leave AccessToken in hidden input
send page down to client
on submit, verify access token (which was submitted with the rest of the form) is a valid access token for a real person. If so, add comment to Database
refresh page to display new data
if no access token, replace user's name/profile picture with <fb:login-button>, along with the required <script>s.
send page down to client
When user authorizes page/logs into facebook, refresh page
(go back to top, except this time the access token should exist)
So I have a few questions:
Is this secure? I was thinking of ways i would be able to do without the double authentication with Facebook (checking once on page-generation and checking again on comment-submission), and I could not figure any other way short of maintaining my own session-state with each client. Is that worth doing?
Does the access token expire when i log out of Facebook? I'm thinking it should, but it seems I can continue to use the same access token to grab data (i.e. name, url, etc.) after I manually go to Facebook and log myself out. Is it because I'm only asking for public information, and only more intrusive permissions expire on logout?
Given that each person who wants to do something has to provide a unique token from Facebook, this should have the side effect of blocking CSRF, since every action can be traced to a valid Facebook account. Is that right?
Why don't you just use the Facebook Javascript SDK to detect if they're currently logged into Facebook? This will also make the access token available in Javascript so you can make client-side calls to the API.
You can access the same access token server side via the session cookie set by Facebook also.
I can't answer all of your questions but I can tell you that having the access token in a hidden field on your page is risky from a policy perspective, especially if your page can be read by any third-party code such as Google Analytics or AdSense. Facebook will nail you for this as it is leaking user identifying data to third parties. The Facebook userid is in the access token in plain text. Facebook has automated processes that scan for this stuff and will auto-ban your app if it is leaking userids to third parties.
I am posting to my facebook wall through my app using my user.
I gave to the app offline access but still, sometimes the accesstoken changes.
I would like to know if its possible to use Facebook API to get the accesstoken?
Right now, I used the example.php from the facebook sdk to login and took the accesstoken from there.
again, I dont want the application accesstoken. I want to user accesstoken of using the app.
Thanks.
There is App Login section in Authorization paragraph in https://developers.facebook.com/docs/reference/api/ .
Read it. You have to call it if you get invalid access token error in order to refresh the token. However, sometimes the token is invalid due to lack of permissions and not because the token is expired
I'm planning out adding Facebook integration to a web app I'm working on. For the most part, it's proceeding smoothly, but I am confused on the proper way to handle the OAuth token.
The sequence of events presented by Facebook here is:
Ask the user to authorize your application, which sends them to a Facebook window.
This will return an Authorization Code generated by Facebook
You then hit https://graph.facebook.com/oauth/access_token with your Authorization Code, which will give you a time-limited OAuth token.
Using the OAuth token, you can make requests to access the user's Facebook profile.
Facebook's documentation has the following to say about token expiration:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission.
When they say to re-run the steps above, what steps need to be re-run to get a new OAuth token? What data (Facebook UID, Authorization Code, OAuth token) does it make sense to save to my local database?
I would like to be able to have the user continue to interact with my site, and in response to certain user actions, I would like to be able to prompt to user if they want to post something to their Facebook wall.
The access token is time and session based and is unnecessary data to store and have no use after the user have closed the session.
The facebook uid is the only thing you need to identify the user.
Since the Facebook API sometimes is horrible slow you could store the username aswell.
But for identification, all you need is the uid.
The documentation that facebook provides has been updated since you asked this question. https://developers.facebook.com/docs/authentication/.