I'm in need of more of an explanation than an answer, per se - I'm building a page tab, which will pull certain images from a particular album belonging to the page. This does not require an access token, so there is no need to ask for permissions from visitors.
I can add like/share options which also work fine without an access token or authorisation.
How do I get basic user info (id, name etc) without requesting authorisation? It's a page tab, on Facebook, so therefore the visitor must be logged in already.
Just seems counter intuitive if I have to request permissions to perform what is essentially pretty standard actions.
I'm using the javascript SDK.
It's a page tab, on Facebook, so therefore the visitor must be logged in already.
The user may be logged in to Facebook – but he is not necessarily connected to your app (yet). And you need him to be, to get his user id.
Make a call to FB.login without asking for any permissions in the scope parameter – that’ll prompt the user to connect to your app, giving it only “basic” permissions to read his personal data. That’ll give you his user id in the response.authResponse (and also will lead to his user id being included in the signed_request next time he visits your page tab).
After that, you can get his basic user info be calling /me via the Graph API.
Related
If I go to the Graph API Explorer, get a User Access Token, and then go to /<page-id>/live_videos I can return a list of live videos from that page, including the status (VOD aka past, or LIVE) and the embed_html.
This is great but the problem is this User Access Token will expire. I want to be able to get this data as part of my website to show visitors whether we are live or not, and if so give them an option to open the video right there on the site. It shouldn't be something a user has to login in to allow my app to access FB on their behalf.
So I tried using an App Access Token which I got by using the App ID and App Secret of my page's 'Facebook App' as described in the Facebook docs here... but the Token that I get from this does not work; it tells me A user access token is required to request this resource.
Why must I get a User Access Token when it's my App (aka my website) that wants the data?
Honestly I didn't think it would be hard to get this information since it is a completely public page; I would have guessed you don't even need to authenticate, but probably just some need sort of identifying token for your app for rate limiting, etc. Is there any method like that?
So I was very happy when Facebook approved my Chrome Extension app. Basically, it allows you to import your data from facebook into the local_storage in Chrome, then you can easily search your old posts. While it works like a charm for my account, when I switch to another account, login, approve the Facebook request for permissions, my user_feed data is empty. I am at a loss.
I am able to get user info, the image of the user, his/her name, etc. and I am able to retrieve an access token. But, when I make the call to the feed, it comes back empty:
https://graph.facebook.com/me/feed?access_token=EAAcu...&expires_in&limit=50&offset=1&fields=message,likes,story,created_time,link
(I have also tried injecting the ID for "me"). Again, this works great when it's my FB account (also the developer account). So, I don't think it is my code, the only thing that changes is the user...
Perhaps it takes a certain amount of time for the Facebook API to work even after Facebook approves your permissions request??
Use the Access Token Debugger Tool to see if the access token that you are getting back has user_posts permission listed under "Scopes". If it is not present, then you cannot use that access token to fetch the user's feed.
Note that user_posts permission requires approval prior to usage. If you are not approved, it will only work for people who have admin/developer role in your app.
Got it. I didn't see this anywhere in the documentation, but in addition to having your app's permissions approved by facebook, you must also include the scope as a query parameter:
https://www.facebook.com/dialog/oauth?client_id=${appId}&scope=user_posts&response_type=token&redirect_uri=http://someresponse.com
If anyone sees this in the documentation, please let me know.
I am looking to know is there a way to get a listing of photos in a specific album on a specific page (where both the album and page are public). Without the need to authenticate at a user level. I basically am looking to show a number of photos from an organisations page on that organisations website (however I dont want to show them all).
I have followed the examples here:
https://developers.facebook.com/docs/javascript/quickstart
and here:
https://developers.facebook.com/docs/graph-api/reference/v2.7/album/photos
but I cant appear to get a listing of photos. Is it possible to get such a listing without the user authenticating with FB first?
It is possible, you can use an App Access Token if the Page is not restricted by age or location, or a Page Access Token if the Page is restricted. App Tokens and Extended Page Tokens are valid forever, so you can just store those on your server to make the API calls. No additional user authorization needed.
Information about how to generate the different Tokens can be found here:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
I need to access status updates of an artist page to display as feed on my website.
So everytime a user accesses the artist' space on my website, he sees the artist's status feed in a tab.
Do I need to ask for the artist's permission every session? That would not be practical I guess.
Thanks
You only need to ask permission once, when the user logins for the first time.
If you use the client side JS SDK, that is really all you need to worry about. The access_token will be automatically refreshed by the SDK whenever needed. The user only needs to be logged in to facebook, no action is required.
You will most likely be using the JS SDK.
So unless you use a manual server side oauth flow, see below:
If you use a manual server side oauth flow you usually get a short-term access_token that is valid for 2 hours after the user logs in for the first time.
You can request a long term access_token by sending a request to oauth/access_token with some additional parameters:
See here:
https://developers.facebook.com/docs/facebook-login/access-tokens#extending
This long lived access_token is valid indefinitely, but may expire at ANY moment.
Reasons could be:
user password change
user logout
use de-authorizes app
...
So you are to just reuse the access_token whenever you want to interact with the users facebook account ( you don't have to ask them to log in again).
But as soon as your access_token becomes invalid, you have to update the acces_token by sending the user trough the oauth flow again.
So I'm developing my own API for my website - I'm mimicking the Facebook JS SDK in regards to how my system works. API client displays a button, popup comes up and the user can log in. Login popup issues an event to the opener window and the parent window now knows the user is logged in. That all works.
What I'm having trouble understanding is how they can verify that the refresh requests are valid. If the API client needs to send a request to the server to ask if the user is logged in and it's all in JS, then everything is transparent. The API client says, "Hi, I'm application 4jhkk2l3bnm389, is the user that's logged in on Facebook also authenticated with me? If so, can you send me a new token so I can make API calls?" and Facebook says, "Oh, you're application 4jhkk2l3bnm389? Yeah, the user is logged in and has allowed you to access their information, here's an access token."
But how does Facebook prevent an outside application that isn't the authentic application from saying, "Hey, I'M actually application 4jhkk2l3bnm389, I promise I'm not lying. Can I have an access token?"
I have no idea how they determine the difference. Obviously if it was all done through AJAX calls in modern browsers then you could just provide an Access-Control-Allow-Origin header. But if a malicious client were to use cURL then I don't think I could ever tell the difference. How does Facebook do it? A good explanation is much appreciated! Thanks!
All access tokens belongs to an app/user pair, and in order for Facebook to return such an access token to the app, these has to be verified.
The app, or client_id, is verified against the domain specified in the redirect_uri - if the page tries to use a client_id/redirect_uri pair it does not own, then it will not receive the access token as this will be passed to the valid redirect_uri (the mechanism the JS SDK uses follows the same rule).
The user, or uid, is verified using the cookie Facebook sets when you sign in.
While you can easily spoof the client_id/redirect_uri pair using curl, the same does not apply to the uid, as you would have to be in the possession of the users cookie. And if this is the case, well, then you could simply grant your own application access.
Facebook uses OAuth 2.0 for authentication. You can find details of how Facebook deals with OAuth right here: https://developers.facebook.com/docs/authentication/. There are many different ways OAuth can be used, depending on whether you're on a mobile device, a page on facebook.com itself, or, in your case, just a web page outside of facebook.com. The details of that final flow can be found here: https://developers.facebook.com/docs/authentication/client-side/.
Basically, Facebook knows what applications you have given permission to view your information. When you run one of those applications, they first make sure you are logged in to Facebook, then they request a user access token from Facebook, essentially saying, "Hey Facebook, I don't know this person, nor should I. Can I get access to their information?". And then Facebook looks internally and if it decides this particular application should have access to this user's information, it sends a user token.
That's the simple way of describing it. There are many different ways the authentication flow can happen, depending as I said earlier on what kind of device the request is happening from, whether this is a page on facebook.com, etc., essentially based on your security constraints. Best to read the Facebook authentication docs referred to earlier for the details since it can get quite tricky.