Currently I'm using the iOS api to get the access token and passing it to a webview as a cookie. In the webview (because part of my app is iOS and the other part is html5 but I don't want to make the users log in twice) I'm grabbing the access token on the server side.
I'm setting the access token (using the Facebook PHP SDK) with the setAccessToken() function but immediately after, when I call getUser() I'm always getting 0 back.
I know that the SDK in general works as all of the code I am using is working for the normal "web" version. Other people seem to have gotten this working so I'm hopeful that this is actually possible. Been stuck on this for a while so would greatly appreciate any help / advice on getting this working soon! Thanks!
In all my code, I now do not do "getUser" to find if the token is valid, but a "/me" call. getUser() often fails where "/me" works. So you're not alone with that finding. Then I get the userID from the /me call instead. All wrapped in try/catch, of course :)
Another tip: you say you're passing the session as a cookie - hopefully that's a cookie that you control? In my experience, don't mix "cookie" and "not cookie" mode - if you've manually handling with get/setAccessToken in one system, then turn off cookies everywehere (webview, php server, Javascript etc). After this, I've not had problems passing the tokens in what I'm trying to do.
Another thing to watch for, if you "setAccessToken" and it's invalid, the PHP SDK will clear out your session valiables if you have any. Not just PHP session variables, but all of them.
And finally, I've also had /me return logical values, but with things like FirstName as blank. Not ironed out why this happens, yet (and probably never will), but something else to program for when sharing tokens.
It's Facebook. Never meant to be easy {grin}.
Hope that helps.
Related
I'm trying to implement login and registration on a page using the Facebook API for both JS and PHP SDK 4.0. The 4.0 SDK seems relatively new and have changed a lot in recent time. There aren't a lot of answers out there. The documentation also seems pretty poor.
I already have a page with standard login using php/mysql. This will just be another option of login/registration for users.
After a couple of years just reading on Stackoverflow, this is my first post. Sorry in advance if it's in some way inadequate.
This is how I figure I would like to set this up:
A Facebook-button next to the login with a JS Facebook-login dialog connected to it.
If the user authorizes: send the result with an ajax-request to a php-page
Use FacebookJavaScriptLoginHelper to set up a session.
Get a long life access-token with getLongLivedSession.
Make a request for /me. Check if the email for this account is already a user on my site.
If not already a user: Ask for a username, register the user with info from Facebook.
Connect the account by saving the internal userid and the access-token in my database
Questions so far:
Am I supposed to send the token with my AJAX-call from the client, or would this be a security risk? I could just fetch the token with the PHP SDK instead.
Should i store the token with $_SESSION? Should I even store this manually myself? If so, is there built in functionality for this in the PHP SDK? Couldn't find any.
When a user has gone through this process I want to be able to check server side directly on page load if the user has authorized my app (and is logged in on FB).
Am I supposed to acquire the access-token using $_SESSION, or is there functionality for this? Isn't there any built in functionality to do a standard check if the user is authorized already?
When doing this in PHP, should I use the FacebookRedirectLoginHelper? Seems a bit odd since I'd never want to redirect with PHP, when my login dialogs will be with JS.
Maybe I've gotten the gist of this all wrong. My main concern is if I really would have to be storing the token with $_SESSION. I've seen a lot of people doing it in tutorials, but found nothing about it in Facebooks docs.
Thank you for your detailed post. Not a lot of people put so much effort in their first post ;)
The token you refer to is automatically stored in the cookie by the JS SDK. You can instantiate a session on the PHP side in the following way:
$js_helper = new FacebookJavaScriptLoginHelper($app_id);
$session = $js_helper->getSession();
Or: https://developers.facebook.com/docs/php/FacebookJavaScriptLoginHelper/4.0.0
You don't have to store the token by yourself, since it's already stored in the cookie.
Does this make the situation more clear?
Today, after we migrated to the new members permissions api, everything goes wrong.
Im using the cosumer key and secret that i've got from the linkedin api dashboard itself with the oauth token and secret as well.
There is 3 kind of problems that keeps on coming:
first one:
{"errorCode": 0,"message": "Could not find person based on: ~","requestId": "7GPT96SW3C","status": 404,"timestamp": 1369827647671}
second:
<error><status>401</status><timestamp>1369826490661</timestamp><request-id>ZYWPUD43G3</request-id><error-code>0</error-code><message>[unauthorized]. The token used in the OAuth request is not valid. ******</message></error>
third:
com.linkedin.anet.auth.pub.ANetAuthException: other: anetID=*****
has anyone got some of these too? if yes, so how did you solved them?
thanks!
Once you have authenticated the user, you no longer need to make the access token calls - simply store the access token and reuse that for the subsequent requests.
Check are you sending a request once or twice for authentication, there may be the case your token getting replaced by another request.
I've gotten the "401<" and fixed it by correcting the URL which I was formatting incorrectly and consequently requesting a resource that did not exists (reported as unauthorized). You probably have the same issue with your 404 error. Can you please post the specific URLs you are using. That would give a little more insight. Also, make sure that you are not passing params via GET when you should be passing them via POST and that all your POST requests are via HTTPS
I have made a custom ajax script to parse the JSON returned from the facebook graph API feed.
I have come to terms with the fact that the access token expires, so in order to get another one I can make a request to
https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id=APP_ID&client_secret=APP_SECURITY
where APP_ID is the app id and APP_SECURITY is the app security values registered with my facebook app development account.
However I'm worried, because I'm making these requests via ajax, therefore anybody with basic chrome/firebug knowledge could access my app_id, app_security and access_token variables (from now on known as 'The Variables') held within my javascript file.
I am unsure as to what users can do this this kind of information?
Does the access token provide purely a read-only JSON output of my facebook page? Or can this information be used for more malicious purposes?
Now: before anybody replies saying that I should use php to get fetch the JSON and parse etc... I cannot, because the customer requirement is to use ajax, for the obvious asynchronous benefits.
If the variables pose no threat to my facebook account and can be only used for read only purposes, then I'll get on with my programming!
If however they must be kept secure... How can I securely pass the variables to javascript in order to keep the variable hidden?
PS. I already have pre-written php scripts to attain the variables. Just after a method to keep them secure when passing to the javascript (if necessary)
Thanks
Alex
As Commented, Never Display APP_ID and APP_SECRET publicly.
Read This. You will find out a way to automatically find your access token using php.
Using this php file, make an ajax call to it, and it will return your new access token.
I've been playing around with the Facebook PHP SDK for a site that I'd like to use Facebook's single sign in for. I've been able to login to my Facebook account from my site and successfully tested a few of the features (posting to /me, an FQL query etc.).
When generating the login URL I have set the cookie parameter to true, however I seem unable to establish a persistent session with Facebook. At the moment the Facebook login window redirects the whole website (I have not yet tested this within the webpage or a popup). The user can authorise and is returned to my site, but the session data is stored in a query string on the return URL. If this string is removed the user must reauthenticate.
Previously I have worked with the JS SDK and this has not been an issue. It's worth noting in this case that I am avoiding using the FBJS (because I believe the PHP SDK is an alternative) and FBML (because it is deprecated) - I also have not implemented a cross domain communication file as this appears to be unnecessary.
I have read about conducting the authentication within an iFrame. I'm unable to find any documentation about this though.
I have considered storing the $_GET querystring in a session on my site and appending it to the website URL, or an iFrame URL, when I need to authenticate. I'm certain that this is the incorrect way to achieve what I'd like though.
Please could someone point me in the direction of some documentation regarding this. Perhaps I am mistaken in thinking I can do this without JS, or maybe I need to manually set up the session cookie? I've searched at length but have been unable to find any documentation that describes this specifically.
Thanks for any help!
I'm using Facebook's PHP SDK, and it's been great so far. However, I have a weird issue on one page. On this page, I make a call to the graph API, then later a call using FQL. On the second call, however, I get an "Invalid OAuth 2.0 Access Token" exception. Why would the token become invalid while the first call worked? I also use FQL (same exact query/code) elsewhere in my site, and it works just fine. Does anyone know what would cause this?
Update: First call is a graph call (/me?fields=email).. second is querying for current user's affiliation, if that helps.
Could be one of several things, but if I had to hazard a guess, I'd say that you're trying to access something out-of-session, and your oauth token doesn't include the offline_access permission for the resource being accessed.
Perhaps some more detail about the nature of your API calls/FQL queries would help us narrow it down.