I'm getting an application api key with this request:
GET https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID
&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
I want to create notes on a user page but it fails. I'm sending a post request with subject and message to:
https://graph.facebook.com/[PAGE_ID]/notes/access_token=[APP_TOKEN]
But what i get is:
{
"error": {
"message": "(#281) Requires extended permission: create_note",
"type": "OAuthException",
"code": 281
}
}
With an user api key with all permissions, i was just sending a request to /accounts/, then getting the page key and I was able to create notes. But I am confused about application keys. Maybe i just need additional permissions but i don't know how to do it.
This is how the application looks in user's App Center:
Any ideas?
P.S.: the reason i use an APP key is that it doesn't expire. Simple user keys expire in about 2 hours.
You can not ask for permissions for an app access token.
What you want to do requires a page access token.
P.S.: the reason i use an APP key is that it doesn't expire. Simple user keys expire in about 2 hours.
As has been said here in various discussions about the deprecation of offline_access multiple times before:
Page access tokens acquired using a long-lived user access token do not expire by default.
Related
I followed MS auth flow procedure to get access token for my user
https://learn.microsoft.com/en-us/graph/auth-v2-user
I got the authorization code and use it to get the access token, now I'd like to know what organization this user relates to, so basically get the tenant ID. I did some research and found similar problem with the solution to parse the token with jwt.ms and get the information from the context of the token
How to get the organization (tenant) id from user profile using the Microsoft Graph API
However my token can't be parsed even though I can access API successfully with it, so what's wrong with the token and how I can get tenant information in this case.
EwB4A8l6BAAU6k7+XVQzkGyMv7VHB/h4cHbJYRAAAWz180lZTbJUbh6TAov+diYnFv/BAIuLw3WArAQXqP6G9ZUwSQUAyAmzwR7K5xCElA1vJMdAN/zyQ4WhG2Kf4PdztF5CrGsVL/Ne3KmAx8uu6NlmJsSCb3NlHWeJPc775Hepg7t/Twf0b/s//H8q5wS1uWI3cxo69v3Mrlxe7+9MCIyEuwl+2Zao/zO2puOwnmB3ATwi59P1t1UZuN9ABnnjW077/sdzhJztWYSUEAFkjMMibOhkGVe7kbNKqnW+aKJ5MgQ/J9jFxO+x30izhGZxRRKP4FQnW7LzI53CURXWoYF6E1EWBchrAdSeVjXU6gaacRGzenMMOWP9SbHSG3UDZgAACDrNVXGaAj+7SAJMl3SNFg0WntT4/e8Zq7wAL+41n+bRKhj6k4cs5MpCHoVdb+D4tteLULOS28dj119OlpU82YAYMMEz6HvrqisogGszHH28QZHIbYiKf3ql0mDypQoyaJFZ3s4J70PMHwLEiZQor9nE2cf2LNGRr+NRG6o5UxQx/eIkX3c2jrZmsuYaLMobTc2GriyTEtN2uznv0Ixfhe2B0lcFOHtgAyWfagyYySk3prQ06jGIe81mDvlaqzUwdN2+l6Tnc7ktZqgPvjFpCJzUe1yacYtCwU/T9sIqu7SKhNT0SLMq/GOK8VMAqJG30sRRSrl7FjUyL8CpeBZh6qKKkCXTOCA9WtkqtJrzDnQPYu3RvwGRdDnyJD3J5q72EflTn1JE+jqMbXe1oGYBMF1WObeUCuj3tX8aVzxD+JXqp+UlvdvyJbmwsge/cqWgzVbtOFk7SNSkVjaNoA2SnzprNuT9qeRsJovPyly6f+BdrfaBUxuGnq3b5FWD+TG4nbAyGWz6sk/ez5loUoJzivr0c4EYACOlqi9wfX7j/11goiM+UNxvtJ9eXCWY/ZvCO93GOrvXkgAhGFY5B7/bkLTQ4DjMJn4o13y/5HFfRF3NDVTvLR7m9eK891q4DihXu3JA0ZVlO27JS2MAwrxj5s4L2aAliPJU/IHnEXgr0Pih4UcRDjnfDVl3poz8nhjKUtoZgg7Ir059Vy76Nvb3x1XQRbsJy90emYJn5qMJB0+d9YNn/FFzuC7zWWl+8bUou8mP7f1kVEICdglwFDPqixGBJpwC
UPD
I'm on free personal MS account, the chain of calls looks like
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token
teamsScope=offline_access,User.Read,Files.ReadWrite
{
"token_type":"Bearer",
"scope":"User.Read Files.ReadWrite profile",
"expires_in":3600,
"ext_expires_in":3600,
"access_token":"EwB4A8l6BAAU6k7+XVQzkGyMv7VHB/h4cHbJYRAAAR5OqwjPkutcuJ2gqMJgwv0Si4gZSYV978hSPi1z4vpbgXe4lUPNF0pR1BUY/8boa06hZnvyjhlDdMO5iNs/y0vzzXVo5AhrAogH89vxQ7k9m+G7aZpn0RsphyqyPQg27b1s8EVMaxJrDChr+zt8fTxcNnFMqXma1ycchAh6A1rZf4plTaKkHSU7q6x5zALw2JbXhKlIL+TVZFcLixzs84MP4Bc4OP/4Umhr18+lk9TkAO2jic26jkkcxJ5rl/NuKaw59dNqrfXFT51NsErdNM5AViTMjNUPSANhk1BGOLmVNUCCQkZu1KI0AdHVc+/9WjOI8Ie+ar8ib9vO8kFHlCMDZgAACPGA1GdE+yj+SAJCyS8jQBE88Phojtj+Mgjwtkaw6IByIWrTXTmEDowMRnYmgnr2FJvuHDRIlZaKnyYpJ4+BEeZBLp2Fw7BjDKCfgv2zPEIRXSZ8+VKO9BqpgfN1X3KlQrlqOO3tht6LL6Ji6t3vjJyhGocrpBQdwCeWaMBJzQkB4csMvXzyGLnJCIvY6IqMJMV/tvjJXcgrV3EJpMUoA63pPtu7d4YU2kaNMPnVRWTI2rXzSpS7Q4ztRRJadrUUOpxuOHjLECoLk1GtHHDlu1hfDNqRu9L/3rmIIz8TuoF38gwvj4hPTgXdjNh3zZDqvsK10jxj6a39u7eiy6poqvAP7G3JaBiVUGFcrA5kbcKXUT1eoQYNJGElOWOskWFBEO2h4w5d3zwu9wglFBhRhAH4YPd9d4k1LC7Jj5lxpOIGtfUNfcXjDDp2K1euuwOrhc5dW0WvUNR8Np0zSPwsrOhh9wASn4Ta2b3Z3Bn2c34jQmDxwMGGevU6a7SDDeE0QjIR0SN7kTro5cQawxJWf06JPayhK6Sx1SDMT3s1Mp5XXnB4tci2s+5MxxZ4NZduLKNJHh8+dojxHZ8KoSCYNa1NYUUAKZPG5Aao+NGAtD5uh3r58iFhAp2SHi6QH4TUyCMo1De8VXjSVS5fER8CPWBxldVrzxjMv1ffaSBphlT+ilxOJiL4IIKWkCdpru3c3J+eNrJ4N+873mLxYBRrGb+q7r4GkfdHhXyiR1eo0BD0aXOu1iBxsr7xLL00PE23quiXiV7s6GfL3ZKQ0h5jqWwcW5wC",
"refresh_token":"M.R3_BAY.CR9WAnqQDx9dzRd7Z7FrfDQMax0HCeVHW11xHOkMdnK3mGP4Pg!QcenTD3IKtJ0Tip948K!f93euTYcqyi8BOewY1ReYXRT4sOmHs!sR2290!*fez7m2xYXE8d3UHuuli2jWpXnbD*cg3l4HTpX90EoBzIg0U!soQnA5qRiHhMoBWqUnOm5Az6P6VplfNYTLnR1G0QF4yWpU4UJbDMe*kqsgf0h9dfQoyLLHYTXPnvZgkDIBlrYIAUOG7wglOFVLr!Rx9zCCvMCO13Irde*He5Uac2TKRxKHL5tzwSx1f4JlzYuEKOqt1iLOu9JHKV4SQ7zk!HjtPp4ZnxPzMPzuihFCOps*!20sm5Ux7ZARrt9OhIHicpun4uIz61VQrmXP!zqATVFohECSAh27zEZtIEDjAzSYkeAtVDzP75YnO2ARBjhNYCxbHyXww4WLhcA3CA$$"
}
This is related to your account type. If your account is a personal account, then your token is like this.
If you want to obtain a token in jwt format, you can add the personal account as a guest account to your Azure tenant. Then change /common to /tenant id.
I think you are doing something wrong. If you followed the guide, at some point you should have called POST /{tenant}/oauth2/v2.0/token which will give you an access token and a refresh token if offline access is enabled. The response would be something like:
{
"token_type": "Bearer",
"scope": "user.read%20Fmail.read",
"expires_in": 3600,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4..."
}
Having looked at your token, it is not a valid jwt and that is why jwt.ms wont decode it. Because Graph uses Json Web Tokens(JWT), You access token should be structured as header.payload.signature. You can get more familiar Graph API Tokens here
We are trying to implement Oauth2 on our app, in our App we are login using Sign In with Google, and this returns a lot of stuff like : UID, ACCESS_TOKEN, REFRESH_TOKEN, etc.. we are thinking to send from APP to server-side the UID and store it to DB linked with user like if it was its password.
From server side we want to on each call for instance : get_products, we are thinking to use an access_token but we don't know if it's the UID from user itself or we have to create another access_token with its refres_token with expiration time. So we have one UID from user and another access_token and refresh_token from oauth.
I'm not sure about the value you refer by UID. May be it's something that I haven't come across before.
But if it stands for USER IDENTIFIER, then you should not use it to identify the end user and maintain a session. UID could be a public identifier so anyone who knows will be able to communicate to your server. Also, think about user login through multiple devices. Your server won't be able to identify the correct session.
User access_token to initiate a session. In your server, use user-information endpoint to obtain validity details and end user information. Alternatively you may choose OpenID Connect.
The questions is pretty simple.I am also a novice regarding token authentication.
I know that, in case of token authentication, in case of android apps, token is used so that the user credentials does not remain in the app.i.e. whenever the user fetches data from server, it does not send the user credentials everytime but he sends token.
When the user signs in for the first time, from the app, a token is generated from the server and is "entried" in the database beside the user data.This token is send back to the app from the server and it is this token that the user, from the app, has to send everytime it plans to fetch some data from the server.When the user has to fetch data, it sends the required parameters and with them the token.This token is matched with all the tokens present in the database.If the token is present,it also gets the user associated with that token.And as the token is present so the user session is valid and then the required data from the server is send back to the android app.
What i want to know is that what to do with the token, in both client and server side, when the user logs out?
If any doubt please comment.I know its a simple question but dont know much about token authentication.Thanks everyone for their time.
Note:- Also if any of my concepts, in the question, is wrong please feel free to correct me.
Basically all tokens have an expiry. This is intended for security purposes. But you can choose whether to set an expiry for your token. But I suggest that you must put an expiry for your token. And also delete that tokens from both server and client, and set user session to login again. Use timestamps to create the tokens. They are also useful when comparing tokens.
Happy Coding.... :-)
I want to create a tool wich allow a user to post his planning on several media at once : he has to fill a form with his establishment week planning, then I post it via newsletter, on his facebook and on his website.
I am struggling with the facebook part. I created an app and made the page subscribe to this app then I tried to use Facebook4j to post something on the page but I am not even able to get the page.
Here is my code :
Facebook facebook = new FacebookFactory().getInstance();
facebook.setOAuthAppId("{app_id}", "{app_secret}");
facebook.setOAuthPermissions("public_profile, manage_pages, publish_pages, publish_actions");
facebook.setOAuthAccessToken(new AccessToken("app_id|app_secret", null));
try {
ResponseList<Account> accounts = facebook.getAccounts();
} catch (FacebookException e) {
e.printStackTrace();
}
which always return me the error :
An active access token must be used to query information about the current user.
How can I have an active access token in order to post on pages which suscribed to my app?
NB : I am not sure I actually need an app. If there is an other way to post on multiple pages without asking for logging each time, I am ok with that too. (some kind of permanent page token maybe?)
Thanks!
Okay first, yes you need an app to perform these requests.
To get what you describe you are requesting the permissions needed correctly, you still miss one - namely pages_show_list.
In addition you have to set the OAuthAccessToken to the users token not to the app token.
I'm developing an app that uses OAuth to authenticate.
The problem is that when I try to get the access_token from facebook with passport.js (node.js) I get something different that when I try to get it with Scribe on Android. Is there any reason?
When I try with twitter the access token are the same and I can match users....
Thanks!
Unless I misinterpreted the question, you can use the "id" field in the response from FB to detect whether its the same user or not (regardless of which API/language you end up using). These IDs are unique per user and should allow you to detect whether the same user logged on via Android (Scribe) or passport.js (node). Hope it helps