I'd like to use the Facebook graph API to search for Facebook groups by keyword. I've used
search?q=keyword&type=group
in the graph API explorer and it works well, however it requires I generate a user access token. I've also read the below on the facebook API documentation
"There is another method to make calls to the Graph API that doesn't require using a generated app token. You can just pass your app id and app secret as the access_token parameter when you make a call:
http://graph.facebook.com/endpoint?key=value&access_token=app_id|app_secret"
However when I try this method it errors out with
"{"error":{"message":"(#200) Must have a valid access_token to access this endpoint","type":"OAuthException","code":200}}"
I cant understand why this needs a user access token. The search I want to perform has nothing to do with any users I just want a list of matching groups.
How can I perform this search as my facebook app from my server?
According to the specific search documentation, you need a User Access Token.
https://developers.facebook.com/docs/graph-api/using-graph-api/v2.2#search
All Graph API search queries require an access token included in the request. The type of access token you need depends on the type of search you're executing.
Searches across Page and Place objects requires an app access token.
All other endpoints require a user access token.
Related
What I want to achieve
I want to display posts of a public facebook page on my website. For that reason it does not make sense to use a user access token, since it requires a login.
Possible Solution I found
I know you can use the App Tokens. There was a related question on Stackoverflow. I tested this using the Graph API Explorer.
https://graph.facebook.com/v2.3/google/statuses
returns: (#100) Requires user session
https://graph.facebook.com/v2.3/google/posts
returns: a valid result, but a totally different result than the same request with a User Access Token (less posts). same request for nike delivers a better result.
Questions
Why does the same request deliver two diferent results?
Can you only grab certain posts with the app token?
Under which conditions can you get the full timeline without user access token?
It's all in the docs. There's a fundamental difference between posts and statuses, and the permission requirements are also well documented:
https://developers.facebook.com/docs/graph-api/reference/v2.3/page/feed#readperms
https://developers.facebook.com/docs/graph-api/reference/v2.3/status
*
Quotes:
An access token is required to view publicly shared posts.
A user access token is required to retrieve posts visible to that person.
A page access token is required to retrieve any other posts.
So before I start, I'm a bit of an OAuth2 newbie, so still trying to really wrap my head around the various permission scopes and grants.
I've managed to successfully implement an OAuth2 server using the Laravel OAuth2 Server package.
The current site I'm working on will simply dogfood from the API, using the client_credentials grant type. I've managed to get this successfully working and can make API calls with the provided access token.
However, I'm wondering how I can implement an architecture similar to Instagram, Soundcloud, etc, who don't require an access_token for basic endpoints, just a client_id. How do they do this? Is this a custom grant type?
Preferably, I'd only like to start requiring an access token when accessing private resources, such as those for modifying user information, etc. As far as I'm aware, for these I'd need to use the password grant type, which isn't a problem.
OAuth has a few flows such as 2-legged or 3-legged which basically tells the developer how many requests he needs to make to the server to get the resource he wants.
For example, in a 2-legged flow you send a request with your id and secret (first request), you get back an access_token and using that token you can make other request for the resource you want (second request).
Comming back to your Instagram example, you can think at using just client_id as a 1-legged OAuth flow, because you make only one request to server to get the resource you want.
You can use such a flow for less sensitive resources, like a profile photo or user's nickname for example.
The implementation of a 1-legged flow is simple:
- If the user_id is valid and the application doesn't need user approval to access requested resource, go ahead and show the resource.
So implementing a 1-legged flow consists in checking if the client_id is valid and checking if the requested resource needs user permission. That being said, you can use 1-legged for requesting a user profile photo, but you can't use the same flow for requesting the user's private messages.
You can read more about each OAuth Flow in The OAuth Bible.
You have two different resources on your server - a) Resources that need some access checks b) Resources that are publicly accessible.
Actions on resources that need access checks should require that a user has been identified via the OAuth header in the request. In the context of Laravel - this would be a route with the 'before' key specified as Oauth.
Actions that do not need access could glean context about what user is relevant by building your routes to accept an argument that gives you context about the user. Let's say that you have a profile that a user can see without any sort of access. Your API endpoint for a JSON representation of that could be /api/profile/[user_id], where [user_id] is the ID of the user profile you would like to see. For these routes where you do not care about access, you can leave off the oauth before filter in your route declaration.
My goal is to search all users matching a specified name without the need for the user to be logged in with facebook. To accomplish this I did the following:
I created a Facebook App.
By using PHP I obtained the App access
token.
The problem is when I execute the api call:
"search?q=$name&type=user&access_token=$app_access_token";
I get the following result: "(#200) Must have a valid access_token to access this endpoint"
The question is, can I search users matching a specified name with my App Access Token or do I need a User Access Token?
You need a user access token (can be you as a user).
The new Facebook PHP-SDK have a getApplicationAccessToken method, which is the join between your [appID]|[appSecret].
I usually use a request from graph with this url https://graph.facebook.com/oauth/access_token and turn out have a different value from the first.
Both access token can access the app detail by using this request
https://graph.facebook.com/[appID]
So which one should be use???, its confuse me, I would rather to use the first one, bcoz it doesnt have to make a graph request but can I do that or should I???
According to the instruction given here searching public information (as https://graph.facebook.com/search?q=QUERY&type=OBJECT_TYPE) needs to have a valid access token. As I know access token is when a user authorized an apps to access his information; but this is searing the public information. How to get an apps access token to search public information?
In that page, facebook automatically add my access token to the link as
https://graph.facebook.com/search?q=watermelon&type=post&access_token=MY_ACCESS_TOKEN
I created an access token by my apps as https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=SECRET_ID&grant_type=client_credentials
When I use the generated access token in url https://graph.facebook.com/search?q=watermelon&type=post&access_token=GENERATED_ACCESS_TOKEN, it gives an error
{
"error": {
"message": "A user access token is required to request this resource.",
"type": "OAuthException"
}
}
How can I generate access token by my apps?
Or do I need to generate access token by own user account? if yes, how?
Since it is searching public profile, facebook should not need authorization on every search, can I generate a permanent access token to perform different searches?
The Graph API Search interface has changes pending with the Q3 2013 migration.
The following change will go into effect on July 10, 2013:
Graph API search changes
App access tokens will be required for all search Graph API calls except Places and Pages. Search for application will no longer be supported.
https://developers.facebook.com/blog/post/2013/04/03/platform-updates--operation-developer-love/
For searching the facebook graph API using
http://graph.facebook.com/search?q=watermelon&type=post
you need a valid user access token. A user access token is different from App Access token. A user access token is created when a user authenticates your app with different access permissions which is generally close to 212 letters long.
A changes was made in the graph API in July,2013 whereby you will need to have a valid user access token to search for users and posts. The user access token could be generated by you yourself authenticating your app and generating an user access token for your app.
But the question remains, How should we generate a user app token for our apps without making other users to authenticate our apps?
The access token you are requesting looks like an 'application' access token. This token differs from a 'user' or 'page' access token and is used for different things.
https://developers.facebook.com/docs/howtos/login/login-as-app/
This can be used to modify the parameters of your App, create and
manage test users, or read your application's insights for example.
App access tokens can also be used to publish content to Facebook on
behalf of a person who has granted a publishing permission to your
application.
Depending on what you are trying to actually do, an application token might be the wrong form of OAuth. Your example (searching for public posts with the term watermelon) doesn't require an OAuth token, so you're obviously trying a different type of graph search. Without saying what you're actually trying to access, it's impossible to actually advise you correctly.
However, I'm going to guess that you're trying to get access to graph objects that require permissions from a specific user. If that's the case, then you need to get permissions from that user first, by requesting the scope of permissions that you require.
Process of gaining user OAuth Access Token (https://developers.facebook.com/docs/reference/dialogs/oauth/)
Possible Permissions (scope) that can be requested (https://developers.facebook.com/docs/reference/login/)
This will give you a short term access token for that user, which will allow you to anything within the scope of permissions for which you've requested permission.
This token will only last for a short period after the user has logged into your app. It can also be promoted to a longer term access token
https://developers.facebook.com/docs/howtos/login/extending-tokens/
You don't need to pass any token to search in public information (unless you want to search in user's context). Just make a call to the following url and see the URL. Please mark that I have used http instead of https.
http://graph.facebook.com/search?q=watermelon&type=post
But to make my answer more clear - with properly granted access_token I can make a call to the https version of the above url (https version requires an access token) and it just works fine without any problem.
If you are searching programatically and the search URL will never be visible to the end user you can use this instead:
&access_token=app_id|app_secret
More about this here: https://developers.facebook.com/docs/facebook-login/access-tokens/