Till 3 days ago, our login service was working fine. Now its broken by a unknown problem with Facebook oAuth.
Our app (built with React Native using native FBSDK), ask for Facebook for an Access Token and forward it to our API.
LoginManager.logInWithReadPermissions(['public_profile', 'email'])
Then, our API try to validate the token against Facebook Graph API. Basically we do this:
public static function getInformationFromFacebook($accessToken)
{
$facebook = new Facebook([
'app_id' => config('services.facebook.app_id'),
'app_secret' => config('services.facebook.app_secret'),
'default_graph_version' => config('services.facebook.default_graph_version'),
]);
try {
$response = $facebook
->get('/me?fields=first_name,last_name,email,picture.type(large)', $accessToken);
} catch (FacebookResponseException $e) {
Log::error(sprintf('Graph returned an error: %s', $e->getMessage()));
throw new \Exception("Facebook graph error.");
} catch (FacebookSDKException $e) {
Log::error(sprintf('Facebook SDK returned an error: %s', $e->getMessage()));
throw new \Exception("Facebook SDK error.");
}
$graph = $response->getGraphUser();
return [
'first_name' => $graph->getFirstName(),
'last_name' => $graph->getLastName(),
'email_address' => $graph->getEmail(),
'picture' => $graph->getPicture()->getUrl(),
];
}
This piece of code uses Laravel 5.2 running with PHP 7.2 with the native Facebook SDK.
The expected behavior is an array with the user data, but it only works at local environment, when we try to debug this on staging server, the scopes from the user's access token are lost.
We discovered that we scopes are lost using this Facebook debug tool
// The OAuth 2.0 client handler helps us manage access tokens
$oAuth2Client = $facebook->getOAuth2Client();
// Get the access token metadata from /debug_token
$tokenMetadata = $oAuth2Client->debugToken($accessToken);
echo '<h3>Metadata</h3>';
var_dump($tokenMetadata);die;
Basically, when we're at the local the scopes are
'scopes' =>
array (size=2)
0 => string 'email' (length=5)
1 => string 'public_profile' (length=14)
when we change the call to the staging environment, the result is
["scopes"]=>
array(0) {
}
We tried all kind of things, even updating our SDK.
Related
I followed these instructions and some others to create an app and get tokens: facebook: permanent Page Access Token?
I used the following php code to post using the app:
<?php
require_once 'src/Facebook/autoload.php'; $fb = new \Facebook\Facebook([ 'app_id' => 'apkey', 'app_secret' => 'appsecret', 'default_graph_version' => 'v2.10', //'default_access_token' => '{access-token}', // optional ]);
$linkData = [
"message" => "Wonderful message.",
]; $pageAccessToken ='pageaccesstoken';
try { $response = $fb->post('/targetfeed/feed', $linkData, $pageAccessToken); } catch(Facebook\Exceptions\FacebookResponseException $e) { echo 'Graph returned an error: '.$e->getMessage(); exit; } catch(Facebook\Exceptions\FacebookSDKException $e) { echo 'Facebook SDK returned an error: '.$e->getMessage(); exit; } $graphNode = $response->getGraphNode();
?>
I replace the keys and specific data with description.
My issue is that when I run this script it posts to the feed, but it posts as the app owner. I created the app in my personal account, and went through the token process using that account. I was granted admin access to the account that I want to post to, but when I post to that account it is posting as my person page and I instead want it to post as if I am posting as the account that I am posting to.
I am sure it some access token setting or permissions things, but I cannot figure it out. Any suggestions?
I'm currently trying to implement a way to synchronize my PHP App calendar with the Outlook calendar of my clients, using Azure API.
I use OAuth2 and the custom Microsoft provider by Steven Maguire.
I currently run in an issue where I get an error in my response :
{"error":"unsupported_grant_type","error_description":"The provided value for the input parameter 'grant_type' is not valid. Expected values are the following: 'authorization_code', 'refresh_token'."}
I'm having trouble understanding why the grant_type password is not supported, even though it says on the documentation of Azure that it is.
The request looks like this :
client_id=44bef79b-**********************&client_secret=H****************&redirect_uri=https%3A%2F%2F192.168.1.123%2Fmapeyral%2Fcalendarsync.php&grant_type=password&username=******************&password=***********&scope=openid%20profile%20offline_access%20Calendars.ReadWrite
The Authorize url used is : https://login.live.com/oauth20_token.srf
as defined in the Steven Maguire provider.
The header contains the content-type application/x-www-form-urlencoded (I've seen a lot of post where this was what caused the error).
Some of my code :
$this->provider = new Microsoft([
'clientId' => MicrosoftGraphConstants::CLIENT_ID,
'clientSecret' => MicrosoftGraphConstants::CLIENT_SECRET,
'redirectUri' => MicrosoftGraphConstants::REDIRECT_URI,
'urlAuthorize' => MicrosoftGraphConstants::AUTHORITY_URL . MicrosoftGraphConstants::AUTHORIZE_ENDPOINT,
'urlAccessToken' => MicrosoftGraphConstants::AUTHORITY_URL . MicrosoftGraphConstants::TOKEN_ENDPOINT,
'urlResourceOwnerDetails' => MicrosoftGraphConstants::RESOURCE_ID,
'scope' => MicrosoftGraphConstants::SCOPES
]);
if ($_SERVER['REQUEST_METHOD'] === 'GET' && !isset($_GET['code']))
{
// Try getting access token from Database
$workingAccount = $GLOBALS['AppUI']->getState('working_account');
if (isset($workingAccount))
{
// DB access
$DB = new DatabaseConnection();
$dbAccess = $DB->getConnection();
$contactData = DBUserUtils::getContactDataFromEmail($GLOBALS['AppUI']->getState('working_account'), $dbAccess);
// If at least one user contact found
if (!is_null($contactData))
{
// If has refresh token => fill session variables using refresh token
if (!is_null($contactData['contact_refreshToken']))
{
log_msg('debug.log', 'Has refresh token');
$GLOBALS['AppUI']->setState('preferred_username', $contactData['contact_email']);
$GLOBALS['AppUI']->setState('given_name', $contactData['contact_first_name']." ".$contactData['contact_last_name']);
// Get new tokens
$newAccessToken = $this->provider->getAccessToken('refresh_token', [
'refresh_token' => $contactData['contact_refreshToken']
]);
// Update tokens and DB
$GLOBALS['AppUI']->setState('refresh_token', $newAccessToken->getRefreshToken());
$GLOBALS['AppUI']->setState('access_token', $newAccessToken->getToken());
DBOAuthUtils::updateTokenForUser($contactData['contact_id'], $GLOBALS['AppUI']->getState('refresh_token'), $dbAccess);
$this->redirectTo($redirectURL);
}
else
{
$this->getAccessToken();
}
}
else
{
$this->getAccessToken();
}
}
else
{
$this->getAccessToken();
}
function getAccessToken(){
$accessToken = $this->provider->getAccessToken('password', [
'username' => '*************',
'password' => '********',
'scope' => MicrosoftGraphConstants::SCOPES
]);
}
During the first try it doesn't pass the if (isset($workingAccount)) condition (as expected) and go straight to the last else.
Code is a bit ugly for now but I don't think it has an impact on my problem.
Any help would be appreciated !
Thanks
Edit : added code
That helped me, the problem was that I need to use Azure Active Directory and not Azure AD 2.0.
Problem solved !
I'm using v5.0 of Facebook's PHP SDK and have already set up an app.
I would like to get a list of friends via the Graph API using the SDK. To illustrate my implementation, this is the code in which I am trying to get lists of friends on Facebook:
public static function getFriends($access_token)
{
$facebook_app_id = env('FACEBOOK_APP_ID');
$facebook_app_secret = env('FACEBOOK_APP_SECRET');
$facebook = new Facebook([
'app_id' => $facebook_app_id,
'app_secret' => $facebook_app_secret,
'default_access_token' => $access_token,
'default_graph_version' => env('FACEBOOK_API_VERSION') // v2.7
]);
try {
$facebook_request = $facebook->get('me/taggable_friends');
$friends = $facebook_request->getGraphEdge();
$all_friends = $friends->asArray();
if ($facebook->next($friends)) {
while ($friends = $facebook->next($friends)) {
$all_friends = array_merge($friends->asArray(), $all_friends);
}
}
return $all_friends;
} catch (\Exception $e) {
throw $e;
}
}
When the above method is called, it shows a Invalid appsecret_proof provided in the API argument exception message. Digging around, I read that passing a separate parameter of appsecret_proof will get rid of this, however, I've already tried using the App Token of my app taken from the Access Token Tool page to get the value for the appsecret_proof and I still get the error.
And to add, the Require App Secret in my app settings is set to No and yet I still get the same error. Am I missing anything or am I passing the wrong values in getting appsecret_proof?
In my PHP application, users provide their own Facebook Application ID and Application Secret. I need to validate them and display nice error if they are invalid.
I already found a nice way to do it. I can make a request to https://graph.facebook.com/oauth/access_token?client_id=123456&client_secret=abcdefg&grant_type=client_credentials
If credentials are invalid, the response is as follows:
{
"error": {
"message": "Error validating application. Cannot get application info due to a system error.",
"type": "OAuthException",
"code": 101,
"fbtrace_id": "D8oHjJoc2Nc"
}
}
I'm confused about the ways to do it with PHP SDK. There's a neat get() method to make such a request, but I'm not sure how to send request without authorizing the application. This is what I did:
$app = new Facebook\FacebookApp( $app_id, $app_secret );
$access_token = $app->getAccessToken();
$query = http_build_query([
'client_id' => $app_id,
'client_secret' => $app_secret,
'grant_type' => 'client_credentials',
]);
$facebook = new Facebook\Facebook( [
'app_id' => $app_id,
'app_secret' => $app_secret,
'default_graph_version' => '2.5',
] );
$response = $facebook->get( '/oauth/access_token?' . $query, $access_token );
I'm getting the following error:
Unknown path components: /oauth/access_token
But even if it worked, it's strange to call it with any sender credentials. Is it possible to make an "anonymous" Facebook request with PHP SDK?
The SDK implicitly adds the API version number specified to the path in -> get(), so I think that's causing your error here because the underlying call is being made to /2.5/oauth/access_token (fails for me in a browser)
It should be /v2.5/oauth/access_token (works for me in a browser)
Update default_graph_version to v2.5 and try that
I am following the docs from link below:
https://developers.google.com/+/mobile/android/sign-in#enable_server-side_api_access_for_your_app
Specifically the part that says:
If you do not require offline access, you can retrieve the access token and send it to your server over a secure connection. You can obtain the access token directly using GoogleAuthUtil.getToken() by specifying the scopes without your server's OAuth 2.0 client ID. For example:
I retrieve the access token like this:
accessToken = GoogleAuthUtil.getToken(
AuthenticatorActivity.this,
Plus.AccountApi.getAccountName(Common.mGoogleApiClient),
"oauth2:https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.login email"
);
After I retrieve the access token I send it to a web server, on the web server i can see that it's a valid access token by calling
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token='.$_POST['google_access_token']
The request above returns the android apps client id, it also returns the users email correctly.
The problem is that when I try to run $client->authenticate($_POST['google_access_token']); I get an exception with the message: "invalid_grant: Incorrect token type".
To prevent getToken caching I always invalidate the token in android app:
if (accessToken != null && !accessToken.isEmpty()) {
GoogleAuthUtil.invalidateToken(AuthenticatorActivity.this, accessToken);
}
Here's the php code:
if (!isset($_POST['google_access_token'])) {
throw new Exception('missing google_access_token');
}
$client = new \Google_Client();
$client->setApplicationName("GiverHub");
$client->setClientId($this->config->item('google_client_id'));
$client->setClientSecret($this->config->item('google_client_secret'));
$client->setDeveloperKey($this->config->item('google_developer_key'));
$client->setRedirectUri($this->config->item('google_redirect_uri'));
$client->setScopes([
'https://www.googleapis.com/auth/plus.login',
'https://www.googleapis.com/auth/plus.me',
'email',
]);
try {
$client->authenticate($_POST['google_access_token']); // if i remove this the rest of the code below works! ...
$reqUrl = 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token='.$_POST['google_access_token'];
$req = new \Google_Http_Request($reqUrl);
$io = $client->getIo();
$response = $io->executeRequest($req);
$response = $response[0];
$response = json_decode($response, true);
if ($response === null) {
throw new Exception('Failed to check token. response null');
}
if ($response['issued_to'] !== '466530377541-s7cfm34jpf818gbr0547pndpq9songkg.apps.googleusercontent.com') {
throw new Exception('Invalid access token. issued to wrong client id: '. print_r($response, true));
}
if (!isset($response['user_id'])) {
throw new Exception('Missing user_id');
}
if (!isset($response['email'])) {
throw new Exception('Missing email');
}
/** #var \Entity\User $user */
$user = Common::create_member_google([
'id' => $response['user_id'],
'email' => $response['email'],
'given_name' => '',
'family_name' => '',
]);
$user->login($this->session);
if ($user instanceof \Entity\User) {
echo json_encode( [ 'success' => true, 'user' => $user ] );
} else {
echo json_encode( [ 'success' => false, 'msg' => $user ] );
}
} catch(Exception $e) {
echo json_encode(['success' => false, 'msg' => $e->getMessage()]);
}
The above code works if i remove the $client->authenticate(); line ... The problem is that I can't get the given_name / family_name etc .. only email / google_user_id from the tokeninfo ...
Any thoughts about why the key works for tokeninfo but not for authenticate?
I have tried many different variations of the scopes .. both on the server side and the android side ..
The $client->authenticate() method doesn't quite do what you're trying to do. It takes a one-time code from an earlier OAuth transaction and exchanges it for the access token. In your case - you're saying you already have the access token.
You should be able to call $client->setAccessToken() to set the token instead, so it may look something like
$client->setAccessToken($_POST['google_access_token']);
This is the solution I came up with after user158443 suggested I use $client->setAccessToken();
// first json_encode the access token before sending it to $client->setAccessToken();
$json_encoded_access_token = json_encode([
'access_token' => $_POST['google_access_token'],
'created' => time(), // make up values for these.. otherwise the client thinks the token has expired..
'expires_in' => time()+60 // made up a value in the future...
]);
// and then set it
$client->setAccessToken($json_encoded_access_token);
// and then get userinfo or whatever you want from google api !! :)
$oauth2 = new \Google_Service_Oauth2($client);
$user_info = $oauth2->userinfo->get();
NOTE: it's probably not smart to "emulate" the expires_in and created that i just did if you are in production ... You should probably call tokeninfo first and get the expires time from there...
NOTE: I still have no idea how to get a refresh token for this... but I don't need one for my use case..