This is my first question here, so apologies if asking something trivial - though I didn't find an answer after an hour of digging.
I have a PHP website which needs to connect with a Facebook page in the following method:
On certain triggers, the site needs to post to the page's wall as the page itself. This has to be done automatically, even if no user session is available (e.g. if someone uses the site without actually having a Facebook account).
I found solutions using extended token expiration times (offline access), but in those cases, the post will always appear as the site admin (me, in this case). However, I need the post to be written by the page. When using Facebook as the page, I have no right to request an offline access token.
Is this even possible at the moment?
You need to cache the page access token on your server and use that to make the updates - the page login is pretty well documented here: https://developers.facebook.com/docs/authentication/pages/ -
Store the access_token in your server-side code and use that token to post as the page - the page access token won't expire if you have a long-expiry access token for the page admin, unless the user stops being an admin of the page, removes the app, etc.
Related
I've searched a lot and I see that offline_access on fb is deprecated. So, I have a website hat needs to Post a photo at the Client's wall (Post at site and Facebook too), but I want to store the login data (via token or something like that), I read here that I can't store it.
There is another way to post on wall or my client will need to Post manually on his fb?
Edit: My website is in one server, the admin is in another server, I'll make a call from admin server to site in a page that stores login information (if it's possible) and post on his wall a photo.
Thanks
Note: I've searched a lot since yesterday I didn't found anything like that, if you have a similar post with the answer please let me know.
If you have the user's access token you can use that token to perform activities on his behalf.
But the point here is- this token expires in 2 hours. But, you can extend this token upto 60 days. But after that, user needs to visit your app again to get the normal token again and you can then refresh that token to extend its validity again.
You can read Expiration and Extending Tokens section in this doc: Access Tokens
(Just a suggestion) What you can do anytime user visits your app, extend it save on your server. So, the token wont expire until and unless user didn't visited your app for 60 days. And when you are close to 60 days send him some notification.
Firstly I am aware that there are a million questions similar to this, but they are all either out of date (Facebook has changed and the instructions no longer work) or don't explain how to do specifically what I am asking.
I'm trying to register an app on Facebook so that I can autopost to the company Facebook page, of which I am an admin.
I'm trying to do this via PHP, with which I have considerable experience (PHP, not Facebook API.)
So far I have registered as a Facebook developer, made a Facebook app, got the appID and secret word, and downloaded the facebook-php-sdk from Github. I have attempted to follow a couple of tutorials but the Facebook developer/app pages have all changed and so the intructions are now invalid.
All I want to do is to be able to post automatically to my page's wall from the server via PHP, as if I posted the status update myself as the page admin. I don't understand how or why this is so difficult.
The Facebook app page has a million settings that I've never heard of and don't seem to be related, then there is no information that gives any direction to do what I want to do.
This is about as far as I've got and I've hit a wall. No idea what to do next. Facebook keeps asking me "Select how your app integrates with Facebook" but their options don't appear to include what I want, which is just to post on my own page. I don't appear to actually be able to use the app yet, as there are various settings its insisting on, like "Canvas URL", which I do not understand, etc. and then I obviously need to set permissions, yet I see no way to do this either.
What do I do?
Setting up an app
You are going to need to authenticate the user who has at least content creator rights on your page. So you need to choose 'Website with Facebook Login' and enter your website url.
You'll also have to enter the domain (website url without protocol)
Keep it in sandbox mode while you test it you can edit that later.
You don't really have to worry about other settings as the permissions to ask can be added directly in your php code.
"Online" Access
To logging and post directly to facebook you'll need to retreive an access token
Getting an access token
Here is a basic run down:
Get user to login and allow app with appropriate permissions (manage_pages, publish_stream) if he hasn't
Retreive user access token
Query /me/accounts with user access token to get the page id & access token
Then all you have to do is make your API call with id & access token to post on facebook
"Offline" Access
In order to post without having to logging (usefull if you aren't the only one posting) you need a permanent extended token. So you basically should have a separate script that you'll run once to retrieve that extended token and store it.
Getting an extended access token
To be able to post without the user being logged in you need a permanent access token for your page.
Here is a basic run down:
Get user to allow app with appropriate permissions (manage_pages, publish_stream)
Retreive user access token
Change user access token for extended user access token
Here is how I do this step (you could also use curl)
$token_url = "https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUT_APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=OLD_TOKEN";
$accessToken = #file_get_contents($token_url);
Then
Query /me/accounts with user extended access token to get the page
Change page access token for extended access token (same code as
above)
(The last step shouldn't be necessary according to the doc as you should get an extended page token when you query /me/accounts with an extended user token but in my case it didn't work)
And you get a permanent access token that only expires if the user changes password or disallows the app. All you have to do is store it with the page's id and retreive it wherever you need an API call to post to facebook.
The php sdk is pretty well documented so you shouldn't run into any problem a google search can't fix. Look for post september 2012 threads the flow hasn't changed since neither did the php sdk much.
I have been working on a Facebook application from last year. It was working good before the Facebook December 2012 changes. But now I'm getting an issue with a Facebook session.
I have replaced the old SDK with the new SDK, where it is written:
Avoid trying to reuse spent authorization codes
So when an authorization code is spent, the user session expires from my site. (I get authorization error after that).
The user gets logout from my application every 5-6 minute, so I have to redirect the user to loginurl again and page refresh and this is not good for my site, because I'm using an Ajax call on all links.
I have seen some applications which work good after December changes also. (for example, Wrapp.com). Wrapp.com doesn't redirect the user after authentication code expiry. And I can make a post on Facebook without redirect using Wrapp.com after 10 minutes of login too.
How does Wrapp.com handle authentication? What is the solution?
You have two ways:
You can extend the user access token using the scenario 4 tip described in Removal of offline_access permission.
In my case, I set my application as Desktop, so I have a token that expire in 90 days:
Avoid expiring a session with Ajax and Iframe pages using the PHP SDK.
After much research and testing, using PHP SDK "3.2.2" with in an iframe or an Ajax page that is loaded with canvas or page tab, will clear the session for the application if the called page is loaded more than one time.
EXAMPLE:
Your page tab loads an iframe inside its self containing PHP SDK, and your user interacts with the iframe. That iframe upon the second page load will clear the current application session.
SOLUTION:
Remove PHP SDK from Ajax and iframe pages in your application and use cURL instead.
If your iframe page inside your application requires user authentication information, it is suggested to created a cookie or session upon the user landing on the page tab/ canvas or upload the user authentication. Use this switch content where the user is required to view or interact.
I'm working on a facebook app using php sdk. I have one small problem with my app, after the user has logged into my app, if the user logs out of facebook from a new browser tab,after which any action on my app should be redirect back to login page saying user has logged out. but in my case my app is still working, even though he was logged out .so can anyone help me on this.
Note: I'm not using any logout URL in my app page. I can directly destroy the session by calling $facebook->destroySession(), but I don't know how do I conditional do it,since I can't know when the user logs out of facebook(opening in new browser tab)
If I logout from Facebook, while my app is running in an iframe, in another tab, I get a modal dialog "Login to Continue" served from Facebook. (using chrome)
If the same App is running outside Facebook (no iframe) in another tab, and I logout from Facebook, my App detects that the Facebook session is ended.
That's because I check on every page load if there is a valid Facebook user ;-)
My guess is that you don't check on every page load if the user is logged in.....
(or you have a funny browser that does not share cookies between tabs or something)
I have the exact same problem. I could not found a way to detect if the user is logged in using the PHP SDK. However, when I combine the JS SDK, it can detect the session and set's the cookie correctly. Then I pick the cookie/session using the PHP SDK.
Be careful if you use my solution. Using the combined JS and PHP SDK, the AccessToken seems to lose it's persistence. the problem I have is getting the following error:
OAuthException: An active access token must be used to query information about the current user.
After reading, I discovered that this was a but that got fixed on pull 48 of the SDK:
https://github.com/facebook/facebook-php-sdk/pull/48
That partially helped but now I get this error:
OAuthException: Error validating access token: Session has expired at unix time
Summary: The combo SDK seems to work for solving your problems but the API obviously behaves buggy. I'm continuing my research and will post when I get resolutions.
Looking forward to hear what others have done to solve this matter
My goal is to use Facebook Login on a website with as few api calls as possible. I don't want to use any server-sided facebook api call on sites that don't interact with facebook at all. That means I only want to use api calls for logging in and publishing things. However I don't want to use Facebooks offline_access permission flag.
Here are some thoughts:
Use own sessions for the site instead of relying on Facebook sessions. So a user stays logged in even if the Facebook session token is expired. Otherwise the user will be logged out as soon as the token is expired and needs to click login again to get a new token or Facebooks JS SDK will auto-login but this still isn't perfect because the user will see the page in "logged-out state" and it will refresh as soon as the JS SDK got a new token. No-JS users have to click the Login button again.
Cache Facebook user data in database or memcache. Use Facebook API Subscription to keep the database updated. -> No need to ask the API for changes in the user's Facebook profile.
Problem:
While using own sessions the Facebook session token might be expired when trying to publish sth. on Facebook. So you have to abort the current script and get a new token by redirecting the user to Facebook or using the JS SDK. Then continue the script. This is pain.
My thought on how to solve the problem:
Instead of publishing things on Facebook using PHP you can also do this in Javascript. If the token is expired just get a new one using JS which does not require the page to be reloaded nor the page to be redirected to Facebook. However I want to support users with disabled Javascript and then this is not possible.
In my opinion the only useful approach is to use own sessions with cached user data and keep the people logged in even if the Facebook token is expired. But redirect them to Facebook and back as soon as Facebook interaction is required. This way the user won't see the page in "logged-out state", no Javascript is required and the user will be only redirected to Facebook Login if it's really needed. For Javascript users the Facebook JS SDK will renew the token (which is then stored in a cookie) without the user noticing this as the user is still logged in (using the own session handling).
What do you think? Is there another (better?) approach to do this? My last point quite seems doable but isn't there an easier way? Thanks.
I had this exact same issue when creating an authentication system for my website. Like Elad Lachmi said, you can run FB.login on each page load - but this will cause a quick popup flash (gets very annoying).
My solution actually ended up requiring me to use offline_access. It seems that there is just no other appropriate way to keep the user logged in if they leave your site for a couple of hours.
Here's the (potential) catch:
Log the user in via Facebook without offline access
On each page, use jQuery to write an iframe to a specially formed URL which uses FB.getLoginStatus, and set it to refresh every 15 minutes
This combination should, every 15 minutes, fetch the most up-to-date user session ID from Facebook. It will cause it to be updated when it is close to expiration.
Please note that I haven't tried this, and it may be against the Facebook ToS. But it is really the only solution without using offline_access if you want to keep a user logged in for more than 2 hours without requiring them to refresh a page.