Up until this summer, I had a website (not my website) which was fetching it's responding fb page posts and was displaying it on a page.
I was doing it using the app-token, which now doesn't work since it now requires Page Public Content Access to get those data, which in turn requires it to be registered as an app, which is beyond the scope of this.
I tried creating a non-expiring user-access token, but they seem to expire after 3 months, no matter the "trick" I tried using.
Is there any suggestion of how I can get over it?
Maybe an automated api call that would refresh the token with no user interaction?
You can either use a Page Token (NOT a User Token) for the Page if you manage it - but it will expire. There is no way around that. OR you apply for Page Public Content Access so you can use an App Token.
Auto-refreshing would make the whole point of expiring Tokens pointless, you need user interaction for that.
So, I did it!
Now the how: I did it with the manage_pages access, not with Page Public Content.
I went back and forth a total of 5 times to get this to pass and a bit over a week.
First of all Page Public Content is only allowed by Facebook when you want to analyze data from other pages as well, so you better not mess with it.
What I had to do to get the request approved is specify on your application for requesting the access that there is no login, provide a copy of your code on the description and I also included a url where it was working with a user generated token through javascript, so they could review the code through a web debugger.
After that you get a manage_pages token which you can use to fetch your pages posts
I really hope some of those things were an overkill, but, like I said, I had to submit a review a total of 5 times, so on the last try I went all in...
Related
I'm trying implement a photo uploading to Google Drive feature (using the Google Drive API and GIS) into a web app that I'm working on, but can't seem to figure out how to keep a user authenticated for longer than the designated expiry time of the access token (which is 1 hour) without prompting the user or opening a popup.
The sample code provided at https://github.com/googleworkspace/browser-samples/blob/master/drive/quickstart/index.html forces the user to click a "refresh" button to get a new token, but this means I would have to force users to sign in every hour, which isn't ideal (since users are likely going to be using the app for periods longer than an hour at a time).
According to https://developers.google.com/identity/oauth2/web/guides/use-token-model#token_expiration, this appears to be intentional. However, after looking around quite a bit, I found that one could supposedly use a refresh token to generate a new access token that expires after another hour. Assuming you generate a new token every 45 minutes or so (which another Google article actually suggested, but I can't seem to find it now), then you should never have to worry about this re-authentication.
However, I can't figure out how to get a refresh token.
Not receiving Google OAuth refresh token suggests sending access_type=offline as a query parameter, but I'm not using any redirects, and the aforementioned documentation for initTokenClient and requestAccessToken don't make any mention of an access_type parameter.
The closest I've gotten is calling the requestAccessToken method periodically, but this still brings up a popup for the user to sign in again, which is what I'm trying to avoid. Even using requestAccessToken({ prompt: "" }) still brings up this popup window, but it at least logs in without any user input. Is there any way to disable this popup window entirely?
Worst case scenario, I force the user to re-authenticate every hour, but this seems like it would make for a less-than-ideal UX. Any help is appreciated.
I have stepped through GIS library code and can confirm that prompt='' and prompt='none' are not implemented the way requestAccessToken documentation implies. GIS always opens a pop-up window. The prompt parameter only changes what happens in the pop-up. There is also no token storage or caching features in GIS, only in pop-up.
The current prompt parameter behavior looks by design based on OAuth 2.0 flow comparison table. The access token should be refreshed only when user invokes an action that requires it.
This leaves us with pretty awful UX experience where pop-up has to briefly open and close every hour or so. Alternative is to use the authorization code flow. But it requires to implement a mechanism to send access token back to the client side from backend.
The button flow and consent popup behavior is intentional for browsers to obtain an access token, when configuring setting prompt to an empty string will suppress the user popup on every request: prompt=''.
Adopting the code model with auth code and exchanging the refresh token for access token is what you are looking for if you'd like to perform actions on behalf of the user without their being present or having to trigger a token request with a gesture such as a button press.
Sorry for the long question but I simply wonder: how do I add more time to be able to for example run my app during the whole day and be able to fetch calendar events through google API using oauth2 authorization...
I'm having issue in my project and get an error invalid_request in the terminal and I'm pretty sure it is because it kind of, does not let me try to get events after a certain of time.. which I think is around 1h approximately. I'm building my project with react, nodejs, express, using google API.
If you need more content let me please know! thank you
Google Access Tokens expire after 3600 seconds (default). You will need to refresh the access token periodically. You can do this without prompting the user if you requested offline access.
You can decode an access token. One of the fields is the expiration time (exp), so that you can determine when to refresh. See the second link below. You do not actually need to call a Google endpoint as you can decode the access token in code. If I remember correctly it is a base64 encoded JWT.
I am not sure what API you are using as there are several, but this link will point you in a direction on how to refresh access tokens.
Refreshing an access token
Calling the tokeninfo endpoint
If I go to the Graph API Explorer, get a User Access Token, and then go to /<page-id>/live_videos I can return a list of live videos from that page, including the status (VOD aka past, or LIVE) and the embed_html.
This is great but the problem is this User Access Token will expire. I want to be able to get this data as part of my website to show visitors whether we are live or not, and if so give them an option to open the video right there on the site. It shouldn't be something a user has to login in to allow my app to access FB on their behalf.
So I tried using an App Access Token which I got by using the App ID and App Secret of my page's 'Facebook App' as described in the Facebook docs here... but the Token that I get from this does not work; it tells me A user access token is required to request this resource.
Why must I get a User Access Token when it's my App (aka my website) that wants the data?
Honestly I didn't think it would be hard to get this information since it is a completely public page; I would have guessed you don't even need to authenticate, but probably just some need sort of identifying token for your app for rate limiting, etc. Is there any method like that?
I want to display one particular user's wall on the person's website. If I use the Graph API: https://graph.facebook.com/{id}/posts?limit=8&access_token={token}, it works for about 2 hours until the access token expires. What kind of solution would make it permanent? I understand that I need to use an app to achieve this, but can't find out how. A solution using either PHP or JavaScript is would be the best.
All suggestions are welcome!
You can extend a User Token to 60 days (more about that here and here, for example).
After that, you would need to refresh the Token, and you have to do that manually. User Profiles are not meant to be used for that, and you will not get read_stream approved in order to make it available for anyone who is NOT an Admin/Developer/Tester of your app. So this would be something only you can use.
You can show the feed of a Facebok Page though, there is an Extended Page Token that is valid forever. There is no User Token that is valid forever.
I've written a bit of JavaScript that will fetch all of the posts on a Facebook Page. The URL with which I do that is this:
http://graph.facebook.com/cocacola/feed?limit=5&callback=facebookResponse
and this worked fine and dandy, right up until last week sometime, when I started seeing oauth errors.
I've searched for an hour or so on Stack, and seen plenty of other people are trying to do this, - but none have been asked after all of my requests to FB started returning these oauth errors.
It really doesn't make sense, - I'm trying to access publicly available data from company pages. I can still do so without oauth (albeit in a limited fashion) via RSS.
Anyhow, I'm hoping someone can clue me in as to how to get this PUBLICLY AVAILABLE information without having to go through the rigmarole of getting an application ID, an authorization token, etc.
This is a recent not-so-recent change, but you now need an access token to access /feed and /posts. Annoying, but at least it's navigable.
Edit: updated the link, which has broken in the many years since this post was relevant. Here's the relevant text from that post for future posterity:
Breaking change: Graph API PROFILE_ID/feed and PROFILE_ID/posts requires access_token
The Graph API PROFILE_ID/feed/ for a Page, Application, User or Group and PROFILE_ID/posts for a Page or User will now require a vaild [sic] access_token to access the wall or posts of the corresponding object (where previously no access_token was required). This will also affect direct FQL queries to the stream table, when querying for posts on a wall.
You will need to pass a valid app or user access_token to access this functionality. Please update your code if you are calling this API without an access token. This change will go live a week from today - Friday(June 3rd). We have updated the Roadmap to reflect this change.
Moving forward, you should always pass a valid app or user access_token with all API requests.