Facebook's July Breaking Changes: Graph search endpoint without access token - javascript

We're are developing a javascript facebook app which searches for users by using the graph api.
Currently we were informed by facebook that our app is using a graph search endpoint without an access token. Since we are doing all FB api calls from the js-sdk we thought a valid access token is always provided. I crosschecked this and e.g. the following request is made by the sdk:
https://graph.facebook.com/search?type=user&limit=10&offset=450&q=max&method=get&access_token=<TOKEN>&pretty=0&sdk=joey&callback=FB.__globalCallbacks.f3d041460c As you can see the call provides a valid access_token.
Our app is requesting the following scope from the user when he wants to use our app:
email read_friendlists read_stream user_events user_groups user_photos user_status
Checking this token with the graph api explorer's debug method does not show any errors: The token is valid, expires in one hour and it's assigned to me (a user).
What are we doing wrong? I haven't found a special scope for searching for users. Thank you.

Related

How to generate access token(for future use) for Google APIs using JavaScript?

I want to fetch the data(Pageview, Session, Users and all) from Google analytics and show it on another website but my problem is that I don't know how to get access token using JavaScript.
I referred some Google docs for getting access token Query Explorer, OAuth 2.0 Playground but this access token is expired in 60 minute and I want to save this access token for future use(long live access token). Anyone know about how to get access token using js or how to get refresh token for using future use.
Whenever I used expired access token and fire the API so I got this error:
{"error":{"errors":[{"domain":"global","reason":"authError","message":"Invalid Credentials","locationType":"header","location":"Authorization"}],"code":401,"message":"Invalid Credentials"}}
And my Google analytics API which is generated by Query Explorer included access_token.
https://www.googleapis.com/analytics/v3/data/ga?ids=ga%3A123456&start-date=2016-10-21&end-date=2016-11-20&metrics=ga%3Asessions%2Cga%3Apageviews&dimensions=ga%3AlandingPagePath&start-index=3&max-results=1&access_token=za29.aaaaaaaaabbbbbbbbbccccccccdddddddmmvermrm
Access tokens are only good for 60 minutes.
What you are looking for is a Refresh Token. Refresh tokens are used are good as long as they are valid. They can be used to request a new access token from the server at anytime.
Answer: It is not possible to extend the time that an access token is good for. It is not possible to get a refresh token with JavaScript. This is probably for security reasons.
Option: Switch to a server sided programing language if you want to get a refresh token. If this is your own personal account and you wont be accessing user data I would recommend you looking into service accounts instead. You will need to use a server sided language for service accounts as well.

Yammer authentication - check if token is valid

I'm using Yammer JS SDK to authenticate users to access some web service. I'm using JS SDK to obtain a token and I store it in session. Current flow is following (may be wrong, correct me, if necessary):
User accesses any page, PHP is checking for token stored in session vars. If not - user is redirected to login page
Using Yammer SDK I'm getting an access token and save it to session vars (POSTing it to our server side login service) and render the requested page.
Problem so far - I can't find any way in Yammer API to check if the access token stored\passed to my web service is actually the right thing. Which means, that potentially anyone can generate some random gibberish data, use that as a token and view content - the rest of Yammer functionality will be broken, but content will be visible.
The smartest way I thought of so far is to try and get some client info from Yammer REST API using the token and if response is invalid - delete the session stored token.
How do I do that the proper way?
Checking for HTTP status code 401 Unauthorized Access on a request is the only way I know of to determine if your Token is valid. There are a couple instances where you will get a 401 back with a valid token, but this is pretty rare.

Authorization Token for BOX API V2 obtained using scheduled script from Netsuite

I am using Box V1 API in conjunction with scheduled scripts (javascript) running in Netsuite
With the new V2 API and Authorization procedure, can I obtain Authorization Tokens without any user interface being required?
Does anyone have an idiots guide (ie for me) to the steps required to obtain a valid token.
Andy, with the V2 API the user must log in to Box and confirm that your application can access his/her data. Box has put together an authentication primer to walk you through the process. Once authorized, you'll receive an access token and a refresh token for the user. Your scheduled scripts can use the refresh token to indefinitely update the access token.

New authorization changes affect FB JS SDK?

On the roadmap Facebook states that they will make changes to the way we get accesstokens. Will this affect the way we login with Javascript SDK?
New security restrictions for OAuth authorization codes
We will only
allow authorization codes to be exchanged for access tokens once and
will require that they be exchanged for an access token within 10
minutes of their creation. This is in line with the OAuth 2.0 Spec
which from the start has stated that "authorization codes MUST be
short lived and single use". For more information, check out our
Authentication documentation.
Link: http://developers.facebook.com/roadmap/
On the roadmap Facebook states that they will make changes to the way we get accesstokens. Will this affect the way we login with Javascript SDK?
Of course it does not:
“We will only allow authorization codes to be exchanged for access tokens once, […]”
Did you ever have to exchange an authorization code for a token yourself when using the JS SDK to log in?
No, since FB.login returns an access token directly.

Facebook Graph API - access token for offline access (deprecation)

I'm trying to get my head round Facebook's recent deprecation of offline_access with access tokens. I'm using a JS plugin called neosmart FB Wall, which uses an AJAX call, with the access token appended, to request wall data. As I understand it and from just testing this morning, now if the Facebook user logs out, a new access token will be required and the previous one will be invalidated.
So basically I think I have to extend the plugin so that it checks the response from Facebook and if necessary, sends login credentials to request a new access token. The slightly confusing thing for me is that I have 5 sites which have been using the same plugin for over a year, and none of them have had any issues yet with the access token expiring, even though the Facebook accounts have been logged in and out of several times! Can anyone shed any light on what might be happening here? Thanks in advance for any help.
Since offline_access is deprecated you can create a long-life Facebook Access token. The developers of fb.wall released a new plugin: neosmart STREAM - the offical successor of fb.wall - This plugin contains a Facebook Access Token Creator which creates long-life access tokens. Project website: https://neosmart-stream.de

Categories