How to I revoke the access token? I unset and destroy the session, which works fine to remove the data, but when I log in again, I'd like to be able to log in with a different Facebook account (it automatically logs me in to the account I had previously logged in with).
I've read over the docs but clearly I am missing something. Can anyone help me out on this?
You have 2 options:
Log into to your Facebook account and in your settings find a list of authorized apps. Then delete the app's access to your account. This should disable futher autologins.
Do it through REST API. You need to send DELETE to PROFILE-ID/permissions as it is described in the docs.
Note: You can also use me instead of your id:
# Revoke access of currently logged in user
DELETE /me/permissions
# Or if you want to revoke access for a specific user
DELETE /{user-id}/permissions
Related
I'm using Microsoft Graph API for integration of microsoft/outlook calendar in my app.
API reference is here
I want to revoke user's access of their calendars from my app but didn't find any way to do so. I tried with following api but no luck:
DELETE https://graph.microsoft.com/v1.0/users/{user_id}
Well, that command would delete the user entirely. So while that would certainly remove them from the calendar, I'm guessing this isn't the outcome you're looking for. :-)
If you're looking to remove the permission for your app, there are a couple of ways to trigger this:
Simply stop requesting that user's calendars from your app. This won't revoke permission to the calendar however so this likely isn't sufficient.
Drop Calendars.Read and Calendars.ReadWrie from your list of requested scopes.
In order to ensure this change is reflected in the user's account, you'll need to re-authenticate the user with the query param prompt=consent auth URI.
Have the user revoke permission for your application entirely. This is done by visiting https://myapps.microsoft.com.
There are certain apps that a user cannot directly revoke. These are apps who were granted access at the organization level. To revoke these, an Administrator will need to do this in the Azure Portal.
I'm trying to build a dashboard using Google Analytics Reporting API, in order to create reports for my company's clients.
The problem is that I need to create reports using a cronjob, but this requires an authentication. I tried the following approaches :
1. Using the API for web applications :
I managed to make this work, but the OAuth2 process forces me to authenticate into Google by redirecting me to the Google login page. Once logged in, the token is created and my report is generated. But I couldn't find a way to authenticate automatically without a user intervention (i.e. filling the Google login form)
2. Using the API for service accounts :
With this solution, I am able to create reports without manually logging into Google, which is awesome. But this method requires me to add the service account to the Google Analytics account, by adding the newly created user XXXXXXXX#PROJECT-ID.iam.gserviceaccount.com to each of the Google Analytics view I wish to access. I can't do that, as some of the views I'm trying to access are managed by my company's clients and I can't ask each of them to add yet another Analytics user.
I need to be able to access the Analytics views using the user e-mail already configured. I tried to add this address as the owner of my service account in the Service Accounts Manager, but no luck (see screenshots hereafter).
Is there any way I can either use the API for web applications with a static token (i.e. without having to manually log into Google), or use the API for service accounts without having to add the Google-created user in each of my Analytics views ?
I'm at a loss here, so any advice will help.
Due to the fact that you don't have control of all of the accounts as you said you wont be able to use a service account.
There for you will have to use Oauth2. Someone will have to authenticate your application the first time. Once access has been granted the first time you will be given an access token to access the API and a refresh token. If you store this refresh token you will then be able to request a new access token from your cron job when ever you like in order to run your reports.
The trick is saving the refresh token associated with each users account. Your clients will have to authenticate the application to grant you access. You store the refresh token. The refresh token shouldn't expire (there are a few reasons why one might) you will be able to gain access when ever needed.
Note: You can also place the service account email at the account level will give you access to everything. But this wont help you with clients you don't have access to.
Update:
Refresh tokens will not expire except under:
A refresh token not used for 6 months will also expire.
users can go to App settings on there google account and revoke your access at anytime.
A user can re-authenticate your application (same client id) 26 times giving you 26 different refresh tokens, after number 26 the first refresh token will expire. You can only have 26 working refresh tokens for a single user. Make sure you always save the newest refresh token.
As far as I know, the intended method for cron jobs is to use API for service accounts, just as you have described. However, it seems to be an expected and appropriate behavior, that you cannot access a random view just by providing its ID with your service account, without prior authorization from the owner of the view. Without this settings, Analytics will not know about your relationship to your client, and therefore refuse access to data.
I'm not sure, if it is supported, but you could try to add your service account on property or Analytics account level, so that all connected views inherit this setting.
When I try to get a page_access token with 'manage_pages' permission, i get following warning
The following permissions have not been approved for use: manage_pages. If you make your app public, they will not be shown to people using your app. Submit them for review or learn more.
I am the admin of this facebook page.
Trying to retrieve My Fanpage's reviews in my website, through php sdk v4.
From v2.0 onwards, the permissions other than public_profile, email and the user_friends need to the submitted for review before you can make your app live; else you wont be able to use them. Only the testers/admin/developers of the app will be able to test with those permissions until the permissions are reviewed.
If you want to skip the review process, you can keep your app in the dev mode and use the page access token that will never expire. To generate such token , see the steps mentioned here.
I am building a site in php which uses facebook login to grant access. When the user logs out I want to log them out of facebook as well as my app. I have looked everywhere to find out how to do this but there is nothing out there apart from a tutorial the facebook developer page that explains how to log the user out while also revoking the permissions they granted you when they logged in. I dont want to do this, I just want to log the user out of my app and facebook without revoking permissions. Is this possible with the server side sdk?
If you are using the PHP SDK, you can use it as described in the following link :
http://developers.facebook.com/docs/reference/php/facebook-getLogoutUrl/
I'm currently working on adding Facebook integration into a website of mine via the PHP SDK. I'm requesting and planning to use the offline_access permission so I'm storing the access_token in a database. However, I'm giving the user the option to remove the integration with Facebook after they add it and therefore then removing this access_token from the database. This is where the issue comes in:
The first time they add the integration, my app redirects to Facebook correctly and asks for the permissions, etc. Then, however, if they remove the integration and then re-add it, it doesn't ask for the permissions again (which makes sense since those permissions are still technically given to my app on that user's profile unless they went into Facebook and manually deleted them).
My question is if theres a way to tell Facebook to remove my app and its permissions from that user's Facebook profile so that if they go to re-add the integration, they are once again prompted to accept the permissions.
Perhaps something like $facebook->expireAllAppPermissions() I guess.
You can issue an HTTP DELETE request to /PROFILE_ID/permissions to revoke authorization for an app.
this is because you are just deleting access token from your data base , it will not remove your app from user profile. user is still authenticated with your app. he has to remove the app manually.