I'm trying to get my head around adding oauth2 to an API I've created.
Currently, I've got calls that require a unique key in the URL e.g.
https://apilocation.com/api/{unique_key_here}/action/
I've just added the ability for someone to get an access_token using:
https://apilocation.com/api/{unique_key_here}/oauth2/token
and a username + secret key
which works fine and returns the token in a JSON array.
https://bshaffer.github.io/oauth2-server-php-docs/cookbook/
is what I'm following
Where I'm stuck is how to best get them to use the access and pass it in their calls to the API. I could get them to get the token each time they want to use the API and then include that in all their calls so I can validate but that seems clunky. The background is built on PHP and MySQL and I want it to be easy for people who aren't very used to coding to be able to make calls.
I've looked at the following:
passing in the request url
passing it as a post var
partially as a header but felt it was clunky for a new user
Related
I know this question already has been discussed, But I'm here with a different way and a confusion.
First : if I do debugging in Graph API Explorer it returns different app_scoped_user_id and it return me correct json when I run graph.facebook.com/$app_scoped_user_id but with my app it generate different App Scoped ID which don't works with above method. Why that happen?
Second : I thought to get last redirect url using CURL but it returns http://www.facebook.com/login.php?next=http://www.facebook.com/app_scoped_user_id/$app_scoped_user_id . Now I've two thoughts (may be stupid thoughts),
Can I open that app scoped url in a popup window and get that window url after redirection and close the popup?
Can I login in Facebook anyhow using CURL so that i can get real user_id?
I know, app scoped user id can be used. But I want to give it a try.
Warning: Facebook old API in use
There's a way to get it, but you won't like it:
get the user to log in to your app via Facebook
make a second call to the API using the retrieved access token to get their username
https://graph.facebook.com/me?access_token={THE_ACCESS_TOKEN}
make a third call to that username without an access token to get their Facebook id
https://graph.facebook/{USERNAME} <= No access token here!
EDIT: sorry, old API is used here.
This may be duplicated with other articles, but I can't figure out how to do it after reading all of those.
I'm working on a back-end project in PHP and we are isolated from the front-end. According to the documentation from the front-end team, they will pass an access token and need the back-end to pull userid from Twitter's server.
Is there any way to do it? I could pull the data if I have oauth_signature and oauth_nonce, but they only give us the access_token.
I could pull the data if I have oauth_signature and oauth_nonce
That's not correct. oauth_signature is generated based on the application secret and request parameters. oauth_nonce is just a random string
So you need to get access_token and access_token_secret and perform a GET account/verify_credentials request
Further reading:
https://dev.twitter.com/docs/auth/implementing-sign-twitter
https://www.rfc-editor.org/rfc/rfc5849
Research and Reasoning
I haven't worked on a Facebook Application for a while, thus am a little rusty with how the Graph API works.
I have had a look at various topics and pages such as:
https://developers.facebook.com/docs/reference/plugins/activity/
How to Style Facebook Activity Feed
From what I can gather, getting the activity of a facebook page is pretty simple, however, before I proceed, there are a few things I would like to iron out before to ensure I build the app or write the script in the best possible way...
My Question
I would like to gather the status updates of a Facebook Like page and then feed this data to my News page on the website I am building.
My method would be a simple call to the Graph API to gather the data, and then display it on screen.
My question is, can I do this without creating a Facebook App, and therefore do I even need the PHP SDK?
Is it possible to achieve it like so and are there any request limits:
$url = 'https://graph.facebook.com/LIKE_PAGE_ID/feed';
$result = json_decode(file_get_contents($url));
If the above is the correct answer to this question then please let me know and I will close this question
Update
I have tried the above URL with my like page and it says that I need an Access Token. This is what I feared... Is it possible to get this data without being logged in, and without having set up a Facebook Application?
Why not create a Facebook app and use App Access Token to retrieve the feed for the Public pages.
Though you might get feed of some pages without app access token or response for different end points without access_token, but as the Facebook's API is constantly changing, and would finally settle with authorized request to their end points, I would suggest you to use the App Access Token which is can be created with the format
App_ID|App_Secret
So instead of your call for $url that you had you can change it to
$url = 'https://graph.facebook.com/LIKE_PAGE_ID/feed?access_token=App_ID|App_Secret';
Which you can then json_decode. Also there is nothing on binding to use PHP SDK, and in your case, it is not even required.
I have created an app, and now i want to post a message on one of my pages wall with use of the new Graph API. Is this do-able?
below is the steps which i do
Using this to Get access code
https://www.facebook.com/dialog/oauth?client_id=1498653617947&redirect_uri=https://apps.facebook.com/post_on__my_page/index2.html&scope=email,read_stream,publish_stream,manage_pages,offline_access
Than use this to get access token
https://graph.facebook.com/oauth/access_token?client_id=1498653617947&redirect_uri=https://apps.facebook.com/post_on__my_page/index2.html&client_secret=seceret&code=AQDCqJNJnCvnFKVdbCyTp2vfzbT0ADbNgYsQ_2YtDdC_O2aIOwvkjx52HNcp3uiuBANJqOhb_M2sptB-lRrIECZxi5kZpzljez1J1oOtTp25gTnNDmV-RCVvR97DMiRAprNtwUBcstAotjsyYo5cNwJCWnkcgNigwhbQtE5Jp22sluVcZKhnO43cWQE#_=_
Now get page id and page access token from below
https://graph.facebook.com/me/accounts/?access_token=the_access_token_above
*use this to post on my page *
https://graph.facebook.com/1916117518646/feed?message:testmessage&access_token=aceess_token
any one please explain which point is wrong because instead of posting is just show posts details
i found that some thing wrong in this below code any one please suggest what and how to do
https://graph.facebook.com/1916117518646/feed?message:testmessage&access_token=aceess_token
I always highly suggest to people experimenting around for the first time to use the Graph API Explorer tool. It helps solidify the structure of the Graph and how to access it. See https://developers.facebook.com/tools/explorer
Another thing I always recommend is to lint the access_token you are trying to use. See https://developers.facebook.com/tools/lint. This is to ensure you have the right token with the correct permissions.
Also the access_token you use to post to a page must be a page token and not a user token. In your above example, it's unclear as to which one you're using since you've named both the same. I know you said you're using it, but with that variable name being the same, I always wonder.
Also the you need to do an HTTP Post and not an HTTP get to post a message. Again, play around in the graph API explorer until you can do it there. Once you've done it there, it's fairly trivial to do it with one of the SDKs.
You need to perform POST request, not GET, and pass parameters in POST body, not in the url
http://developers.facebook.com/docs/reference/api/user/#posts
http://facebook.stackoverflow.com/questions/691425/how-do-you-post-to-the-wall-on-a-facebook-page-not-profile
I have made a custom ajax script to parse the JSON returned from the facebook graph API feed.
I have come to terms with the fact that the access token expires, so in order to get another one I can make a request to
https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id=APP_ID&client_secret=APP_SECURITY
where APP_ID is the app id and APP_SECURITY is the app security values registered with my facebook app development account.
However I'm worried, because I'm making these requests via ajax, therefore anybody with basic chrome/firebug knowledge could access my app_id, app_security and access_token variables (from now on known as 'The Variables') held within my javascript file.
I am unsure as to what users can do this this kind of information?
Does the access token provide purely a read-only JSON output of my facebook page? Or can this information be used for more malicious purposes?
Now: before anybody replies saying that I should use php to get fetch the JSON and parse etc... I cannot, because the customer requirement is to use ajax, for the obvious asynchronous benefits.
If the variables pose no threat to my facebook account and can be only used for read only purposes, then I'll get on with my programming!
If however they must be kept secure... How can I securely pass the variables to javascript in order to keep the variable hidden?
PS. I already have pre-written php scripts to attain the variables. Just after a method to keep them secure when passing to the javascript (if necessary)
Thanks
Alex
As Commented, Never Display APP_ID and APP_SECRET publicly.
Read This. You will find out a way to automatically find your access token using php.
Using this php file, make an ajax call to it, and it will return your new access token.