I'm developing a node.js app which manages a Facebook page among other functionalities.
To comment on user submitted posts, I use the following code in node.js:
FB.api(object + '/comments','post',
{ message: COMMENT_I_WANT_TO_SUBMIT, access_token: MY_PAGE_ACCESS_TOKEN },
function(res){
// deal with res
}
);
When using my short-lived Facebook page access-token (which I get from Graph API Explorer) the comment submitted is shown as a comment submitted by the page itself (what I want), but when I use my permanent token it is shown as submitted by myself (page owner).
To get this permanent token I followed these instructions:
https://stackoverflow.com/a/28418469/4713311
The token has my name associated to it since I had to grant permissions to manage the pages I own to generate the token.
I believe this token has the proper permissions since the token debugger shows the following permissions in scope: "manage_pages, publish_pages, publish_actions, public_profile"
Is there any way I can use this never expiring token to comment on posts with the page name instead of my own?
A Page Access Token should have not only "User ID" but also "Profile ID" associated, which wasn't the case for the extended page access token.
A Page Access Token isn't "extendable", to get a permanent page access token I had to request one with a permanent User Access Token, as explained here
Using as short-lived access token I got from Graph API Explorer (Select App -> Get Token -> Select permissions manage_pages, publish_pages, publish_actions and other you may need -> Grab the token that fills the "Access Token" text box) I made the following call to extend the token.
https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id={app-id}&client_secret={app-secret}& fb_exchange_token={short-lived-token}
Using the token returned, you can simply call /me/accounts and copy the page's access_token
This token is a permanent Page Access Token, to confirm you can use the token debugger and verify it has your "User ID" and your page's "Profile ID"
Related
I was trying to publish something to Facebook page.
From this article, it seemed really easy to publish using Facebook API
So, I create a Facebook page and made sure that I have all the required permission for the given auth token, opened by Postman and created a POST request to following URL (along with attaching my access token bearer)
https://graph.facebook.com/2984640844138/feed?message=HeyWhatever
This is giving me following error
{
"error": {
"message": "(#200) If posting to a group, requires app being installed in the group, and \\\n either publish_to_groups permission with user token, or both manage_pages \\\n and publish_pages permission with page token; If posting to a page, \\\n requires both manage_pages and publish_pages as an admin with \\\n sufficient administrative permission",
"type": "OAuthException",
"code": 200,
"fbtrace_id": "D1z1soQbTE2"
}
}
I am not sure about what I am doing wrong, perhaps my request is incorrect or I am not using postman correctly.
This is what I am doing in Postman (screenshot below), can someone point me out what I am doing wrong? Also, suggestions are also welcome
I would recommend you use the Facebook Graph API Explorer, which provides you with the tools to generate the access token with appropriate permission and also craft your HTTP requests with ease. Visit the same, generate a token, then head to the Access Token Debugger to double check the scopes of the token.
Currently I'm facing the following problem:
I'm building an application with a standalone login view.
Let's assume they both run on different domains. My login view communicates with a REST service on the server that issues a JWT token.
With this issued token the user should now be able to view (be forwarded to) the application. But this application - as mentioned - runs on another domain (or subdomain, maybe).
In my mind I tried the following:
Token is issued by the server. A hash is stored in a database and the hash is issued to the user. The hash is transferred to the application via URL and the applications checks the hash.
Token is issued by the server. The token is transferred to the user. When the user now opens the application (or is forwarded to...) the token should be transferred there, too. I have no clue how to do...
Both are not ideal ways, i know. But I really don't know how I can achieve that...
I hope anyone is able to help me with my thinkings?
If anything is unclear, just comment.
Thanks in advance!
Facebook, Twitter, Google, etc. offer OAuth by redirecting (302 Redirect Request). Basically your app starts if user has a valid token everything is fine, else it will open the Login-Page from the Identity Provider (e.g. Google) and return the token, if the login was successful.
This graphic shows the general steps:
https://www.soapui.org/soapui/media/images/stories/oauth2/oauth2flow.png
Hope this helps.
Lets assume you have two services in 2 different domains. One is your identity provider which generates tokens and holds the token <--> user assignment (we call it: idp.my.company). The other one is any application that does stuff but needs to login via idp.my.company (we call it app.my.company).
You have two scenarios:
1. Login without having a token aquired before.
2. Login with token.
Request GET: app.my.company
Response 302: Moved to: idp.my.company
Take a look which redirection type follows your needs (307 maybe)
https://en.wikipedia.org/wiki/URL_redirection
You need to add an information where to redirect back. In this case app.my.company.
[This happens automatically because of the Redirect] GET: idp.my.company/login.html.
Response 200 OK: idp.my.company/login.html
The User will now see the Login-Page of your IDP-Service and perform a Login.
Request POST: idp.my.company/login.html (or whatever)
The User posts his credentials to aquire a token
Response 302 Redirect: If login is successful, return token and now redirect to the origin site (app.my.company) which you provided earlier.
Request GET: app.my.company/afterlogin.html
The header contains a valid token
Response 200 Ok: Now the app.my.company service needs to check if the token is valid and if true return 200 Ok otherwise redirect again to IDP (start over at step 2).
This should be it. There could be errors but you should have a consistent picture of the process and get a grasp on how to implement it. Those steps cover scenario 1 and 2.
I Had the following code
$client->setClientId('39605174446-s067746s1jur731n49fujigfh8occ5pa.apps.googleusercontent.com');
$client->setClientSecret('MYCLIENTSECRET');
$client->setRedirectUri('http://examplesss.com/oauth2');
$client->setScopes('https://picasaweb.google.com/data');
$client->setAccessType("offline");
I did authenticate
At my Google Console API, I set it for "Web Application", Authorization Javascript origins I leave it blank.
Authorization Redirect URI I set it as
http://example.com/oauth2
I went to the following site to get my authorisation code
https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=&client_id=39605174446-s067746s1jur731n49fujigfh8occ5pa.apps.googleusercontent.com&redirect_uri=http://example.com/oauth2&response_type=code&scope=https://picasaweb.google.com/data&state=state
When I went into the site, I press ok to grant "offline access" . After that I am redirect to an none existent site which I use that is example.com and then the URI was something like
http://example.com/oauth2?state=stat&code=4/qWt9q19VtilG6Iw6HFte4RnpiXR0a5q80_zQAU-hNqc#
$client->authenticate('4/qWt9q19VtilG6Iw6HFte4RnpiXR0a5q80_zQAU-hNqc#');
Then I get my refresh token code
$client->refreshToken('1\/vYnZlRcvaY2nD0yh5LhU9paLZZggMArGOo-3rEJHGCM');
But when I run the code it say...
PHP Fatal error: Uncaught exception 'Google_Auth_Exception' with message 'Error refreshing the OAuth2 token, message: '{
"error" : "invalid_grant"
Wonder what went wrong, I just want to access my picasa web album.
Thanks
It can be 2 things. One, is the incorrect use of the versions of the Google API client or the one I think that is the problem, it's on the refresh token and how you're passing the token. It's a problem with the / character in the string, json enconding and how it's passed. Put the refresh token in double quotes and send the variable. If all the data is correct and authorized via Google, it should work.
I am trying to do Facebook authentication in same window of my web application's login page.
I am using following code when user clicked login button to go to authentication page.
function loginUsingOAUTH()
{
top.location = 'https://graph.facebook.com/oauth/authorize?client_id=839846246064537&scope=email&redirect_uri=http://www.olcayertas.com/testqa/result.html';
}
1) After authentication Facebook redirects me to my redirect url and returns a parameter "code".
At this point I want to access Facebook user information but I don't know how to do that.
What is this "code" parameter for?
2) Is there any other way to access user information?
3) Do you have any other advice facebook authentication with same window login?
Thank you in advance for your help
When you get the code you should make a server side request to get an access token and than pass the access token to user. It is explained in Facebook Developer page:
Exchanging code for an access token
To get an access token, make an HTTP GET request to the following
OAuth endpoint:
GET https://graph.facebook.com/v2.3/oauth/access_token?
client_id={app-id}
&redirect_uri={redirect-uri}
&client_secret={app-secret}
&code={code-parameter}
This endpoint has some required parameters:
client_id. Your app's IDs
redirect_uri. This argument is required and must be the same as the original request_uri that you used when starting the OAuth login
process.
client_secret. Your unique app secret, shown on the App Dashboard. This app secret should never be included in client-side code or in
binaries that could be decompiled. It is extremely important that it
remains completely secret as it is the core of the security of your
app and all the people using it.
code. The parameter received from the Login Dialog redirect above.
Response
The response you will receive from this endpoint will be returned in
JSON format and, if successful, is
{“access_token”: <access-token>, “token_type”:<type>, “expires_in”:<seconds-til-expiration>}
If it is not successful, you will receive an explanatory error
message.
I've seen a lot of examples, and read some articles to know well about the access token expiration and it was explained pretty well in this article, Access Token Expiration.
I know how to renew the expiration access token. However, the problem is that, as explained in the article, there are possibly 4 reasons for expiration of access token .
Hence, there is no certainty when the access token will be expired and it can be at anytime. The conventional solution is by using offline_permision which will be deprecated by FB soon.
Here is what I'm trying to achieve:
Once the access token expired, and while when user is using our facebook app, I want FB to notifies me.
Once receiving notification, renew the access token.
I don't think the following achieves what I want.
FB.Event.subscribe('auth.authResponseChange', function(response) {
alert('The status of the session is: ' + response.status);
});
Hence, is there any way to have notification from FB when the access token is expired ?
When you try to access the API with an expired token, Facebook will send back an error message. You just check for that error in your callback function that handles the Facebook response, and if an error exists, refresh the token and try the API call again.
From Facebook:
Facebook doesn't notify you that a previously issued access token has become invalid. Unless you have persisted the expiry time passed to your application along with the access token, often the first your application knows that a given token has become invalid is when you attempt to make a request to the API.