Facebook Graph API — getting access tokens
As described in the documentation it’s a fairly easy process — and it does not require any signatures.
For example, I have an application with an id 116122545078207, and I am using the URL of this blog (https://benbiddington.wordpress.com) to collect request tokens.
[update, 2010-04-29]
If ever there was a lesson to read specification and documentation carefully, this is it. Thanks to comments from Joshua Inkenbrandt, Alex and Gene Leybzon I realise why my examples don’t work as expected: I have been trying to use a mixture of web server and client_cred authentication flow.
As Gene rightly points out, I should have been using user_agent.
User-Agent Flow (with a web browser)
Following the instructions as specified in section 3.5.1.1., Client Requests Authorization, of the specification, this is a one-step process:
Open this in a browser:
https://graph.facebook.com/oauth/authorize?type=user_agent&client_id=116122545078207&redirect_uri=http%3A%2F%2Fbenbiddington.wordpress.com&scope=user_photos,email,user_birthday,user_online_presence
Note: there are several options for scope. These are called extended permissions.
Note: unless you specify offline_access, your tokens will expire as soon as the user signs out of facebook.
Note: client_secret is not supplied:
[3.5.1. User-Agent Flow] This user-agent flow does not utilize the client secret since the client executables reside on the end user’s computer or device which makes the client secret accessible and exploitable.
You’ll be redirected to:
https://benbiddington.wordpress.com/#access_token=116122545078207|2.1vGZASUSFMHeMVgQ_9P60Q__.3600.1272535200-500880518|QXlU1XfJR1mMagHLPtaMjJzFZp4.
And you have your access token, you can go ahead and use it:
https://graph.facebook.com/me?access_token=116122545078207|2.1vGZASUSFMHeMVgQ_9P60Q__.3600.1272535200-500880518|QXlU1XfJR1mMagHLPtaMjJzFZp4.
According to section 3.5.1. Client Requests Authorization, because we have not supplied the optional secret_type:
secret_type OPTIONAL. The access token secret type as described by Section 5.3. If omitted, the authorization server will issue a bearer token (an access token without a matching secret) as described by Section 5.2.
we have been issued a bearer token.
I think this refers to OAuth 1.0-style authentication using token secret. You’d only need one of those if you were requiring signed requests. This seems to contradict the part above about storing client secret on user agent.
Refreshing tokens
Section 3.5.1 describes that the access token may be delivered with an optional refresh_token fragment. On expiry, this token can be exchanged at the for a new access token. No refresh token is supplied by the Facebook API under User-Agent flow, meaning you’ll have to ask users to sign in again.
Using access tokens
Tokens with no session part
In some cases, like when using 3.7.1. Client Credentials Flow, you’re issued a token with a missing session part.
Instead of this:
116122545078207|2.1vGZASUSFMHeMVgQ_9P60Q__.3600.1272535200-500880518|EyWJJYqrdgQgV1bfueck320z7MM.
you get this:
116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.
These do work in some cases, but are rejected by some resources, for example:
https://graph.facebook.com/me?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.
returns error:
{ "error": { "type": "QueryParseException", "message": "An active access token must be used to query information about the current user." } }
This is the same error you get when you request the same resource without supplying a token at all:
http://graph.facebook.com/me
Note that these tokens do work against a real resource identifier, i.e., without the me alias. For example, here I can use it against me (benbiddington).
https://graph.facebook.com/benbiddington?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.
So the me alias only works in the case where we have a full token — the session part is required.
These tokens also work for accessing your insights (see analytics section):
https://graph.facebook.com/app_id/insights?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.
This is described in section 3.7. Autonomous Client Flows:
Autonomous client flows are used to grant client access to protected resources controlled by the client (i.e. the client is the resource owner). For example, these flows are useful when a service provides both client-specific resources in addition to end user resources.
And more specifically, the Client Credentials Flow is described in section 3.7.1:
The client credentials flow is used when the client acts autonomously without acting on behalf of a separate resource owner. The client secret is assumed to be high-entropy since it is not designed to be memorized by an end user.
Where a client is:
An HTTP client capable of making authenticated requests for protected resources using the OAuth protocol. [This is a third-party application that wants to access a resource owner’s Facebook account.]
And a resource owner:
An entity capable of granting access to a protected resource. [This is the user who owns the Facebook account.]
[TBD: So what?]
Tokens, sessions and that
You can see more information about authentication flow by using a bogus redirect_uri, i.e., one that does not match the Connect URL setting in your application, e.g.:
https://graph.facebook.com/oauth/authorize?client_id=116122545078207&redirect_uri=http%3A%2F%2Flocalhost&scope=user_photos
Executing this gives error:
{ "error": { "type": "OAuthException", "message": "Invalid redirect_uri: The Facebook Connect cross-domain receiver URL (http://localhost) must have the application's Connect URL (https://benbiddington.wordpress.com) as a prefix. You can configure the Connect URL in the Application Settings Editor." } }
But there is some information in the query string, that when decoded looks like this:
https://graph.facebook.com/oauth/authorize_success?client_id=116122545078207&redirect_uri=http://localhost&scope=user_photos&type=web_server&perms=user_photos&selected_profiles=500880518&session={"session_key":"2.vHAZRg0Ac4Dtzm2xiVwXoA__.3600.1272286800-500880518","uid":500880518,"expires":1272286800,"secret":"vHAZRg0Ac4Dtzm2xiVwXoA__","sig":"7a6fc887240884de883a21e2a2aec3e0"}
That session_key:
2.vHAZRg0Ac4Dtzm2xiVwXoA__.3600.1272286800-500880518
looks familiar, it’s the same as the code parameter used in web server authentication flow (Section 3.5.2), and it’s the same pattern as the second segment of an access token.
2.{secret}.3600.{expires_at_seconds_after_epoch}-{user_id}
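As an added example (not code from the original post or from Facebook), the JavaScript below reads the token out of a user-agent-flow redirect fragment and parses the two token layouts shown above, reporting whether a session part is present, which user it names, and when it expires. Function and field names are this example's own, the sample values are the ones shown in this post, and treating the 3600 field as a lifetime in seconds is an assumption.

```javascript
// Added example: names below are this example's own, not Facebook's.
// Handles only the 2010-era token layouts shown in the post.

// Session segment as described in the post:
//   2.{secret}.3600.{expires_at_seconds_after_epoch}-{user_id}
// Assumption: the third field (3600 in every sample) is a lifetime in seconds.
const SESSION_RE = /^(\d+)\.([A-Za-z0-9_-]+)\.(\d+)\.(\d+)-(\d+)$/;

// Read access_token from the fragment of a user-agent-flow redirect.
// Browsers never send the fragment to the server, so this runs client-side.
function tokenFromRedirect(redirectUrl) {
  const fragment = new URL(redirectUrl).hash.replace(/^#/, '');
  for (const pair of fragment.split('&')) {
    const eq = pair.indexOf('=');
    if (eq > 0 && pair.slice(0, eq) === 'access_token') {
      try {
        return decodeURIComponent(pair.slice(eq + 1));
      } catch (e) {
        return null; // malformed percent-encoding
      }
    }
  }
  return null;
}

// Classify a token and pull out the fields embedded in its session part.
function parseAccessToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('|');
  const appId = parts[0];
  if (!/^\d+$/.test(appId)) return { kind: 'unknown' };

  // {app_id}|{tail}: no session part, as issued by the client credentials flow.
  if (parts.length === 2 && parts[1] !== '') {
    return { kind: 'app', appId, userId: null, expiresAt: null, expired: false };
  }
  // {app_id}|{session}|{tail}: issued on behalf of a signed-in user.
  if (parts.length === 3 && parts[2] !== '') {
    const m = SESSION_RE.exec(parts[1]);
    if (m) {
      const expiresAt = Number(m[4]);
      return {
        kind: 'session',
        appId,
        userId: m[5],
        lifetimeSeconds: Number(m[3]),
        expiresAt,
        expired: expiresAt <= nowSeconds,
      };
    }
  }
  return { kind: 'unknown' };
}

// Per the post, the "me" alias is rejected unless the token has a session part.
function canUseMeAlias(parsed) {
  return parsed.kind === 'session' && !parsed.expired;
}

// These are bearer tokens: mask the secret parts before writing one to a log,
// keeping the app id, expiry and user id that are useful for troubleshooting.
function redactToken(token) {
  const parts = String(token).split('|');
  if (parts.length === 3) {
    const m = SESSION_RE.exec(parts[1]);
    if (m) return `${parts[0]}|${m[1]}.[redacted].${m[3]}.${m[4]}-${m[5]}|[redacted]`;
  }
  if (parts.length === 2) return `${parts[0]}|[redacted]`;
  return '[redacted]';
}

// Sample values copied from this post (long expired).
const SAMPLE_REDIRECT =
  'https://benbiddington.wordpress.com/#access_token=' +
  '116122545078207|2.1vGZASUSFMHeMVgQ_9P60Q__.3600.1272535200-500880518|' +
  'QXlU1XfJR1mMagHLPtaMjJzFZp4.';
const SAMPLE_APP_TOKEN = '116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.';

const sampleToken = tokenFromRedirect(SAMPLE_REDIRECT);
const sampleParsed = parseAccessToken(sampleToken);
console.log(redactToken(sampleToken));
console.log(sampleParsed.kind, sampleParsed.userId,
  new Date(sampleParsed.expiresAt * 1000).toISOString(),
  'me alias usable:', canUseMeAlias(sampleParsed));
console.log(parseAccessToken(SAMPLE_APP_TOKEN).kind,
  'me alias usable:', canUseMeAlias(parseAccessToken(SAMPLE_APP_TOKEN)));
```
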
Where are my extended permissions?
It appears there is some problem with authorizing extended permissions.
For example, when I use the link in step (1) up there, I am prompted with the following screen:
That looks like the set I asked for, and so I select Allow.
But when I then inspect the extended permissions in my Application settings, all I see is this:
For some reason the only extra permission I have is email. And actually, did I even ask for Publish recent activity?
What is wrong here?
Troubleshooting
I can’t see my application in my Application settings screen
Make sure to choose Authorised from the show list on the Application settings screen.
The default view is Recently used which — certainly in my case — does not produce my application.
How do I know what permissions my application has?
Once you find the application in your Application settings list, press Edit settings and then select the Additional Permissions tab on the resultant dialog.
How do I de-authorise an application?
From your Application settings list, press the “x” button at the right end of the row, next to the Application Profile link.
My access tokens only seem valid while a user is signed-in to facebook
You need to request offline_access permissions, e.g.:
https://graph.facebook.com/oauth/authorize?type=user_agent&client_id=116122545078207&redirect_uri=http%3A%2F%2Fbenbiddington.wordpress.com&scope=user_photos,email,user_birthday,user_online_presence,offline_access
otherwise your access tokens will expire as soon as the user signs out and you’ll get (at least with client):
{ "error": { "type": "OAuthException", "message": "Error processing access token." } }
I’m receiving the access token by including only the type and client parameters in the https://graph.facebook.com/oauth/access_token? request.
In my mind the code parameter should also be required. Does anyone know how oauth 2.0 works?
Alex
23 April, 2010 at 20:56
Read the OAuth draft on that link up there
benbiddington
23 April, 2010 at 20:59
I am getting the same access_token for different users and the error although the code is different then I got this error :
“error”:{“type”:”QueryParseException”,”message”:”An active access token must be used to query information about the current user.”}}
Any ideas?
Daniel
24 April, 2010 at 19:25
Thanks for the type=client_cred note, that got me past the /authorize stumbling block. However, the access_token returned, when used, doesn’t seem valid. I get this returned when I do anything:
{
“error”: {
“type”: “QueryParseException”,
“message”: “An active access token must be used to query information about the current user.”
}
}
Any idea where I should look to try and figure out what I’m doing wrong?
Alex Cook
24 April, 2010 at 20:05
Looks like a lot of us are having access_token issues – few posts on stackoverflow etc about it…
Alex Cook
25 April, 2010 at 14:19
Yeah, I am not finding the Facebook documentation very helpful either, and it does not seem to match the OAuth 2.0 specification cited.
benbiddington
25 April, 2010 at 16:35
Hello. Your example has been a great help. But I have a doubt. If users do not allow the application, Facebook gives this message:
{
“error”: {
“type”: “OAuthException”,
“message”: “Invalid session key”
}
}
Do you know why this error occurs?
How can I redirect users to a different page if they don’t allow the permissions?
Thanks.
David
26 April, 2010 at 13:47
I’ve found the solution. I have to add the GET variable “cancel=url” in the url.
David
26 April, 2010 at 18:21
I have the exact same problem right now.
Would you please care to explain your solution a bit more?
Thank you!
Filip
28 April, 2010 at 10:25
From what I can tell, the “QueryParseException” only happens when you’re trying to get the active user (using http://graph.facebook.com/me?access_token=…). If you use the username or ID it works.
Which kinda sucks, because you have no way of knowing who the active user is. Hope that helps.
Joshua Inkenbrandt
26 April, 2010 at 16:18
Like this you mean?:
http://graph.facebook.com/4
benbiddington
26 April, 2010 at 16:31
Yeah, if you use their ID it should work, it’s just when you’re accessing using ‘me’ that you’ll get the “QueryParseException”.
Like you pointed out earlier, the access_tokens of facebook’s docs are very different than the ones returned by OAuth. I just can’t figure out if there’s another param we should be passing to get that type of access token, or if it’s just simply a bug at this point.
Joshua Inkenbrandt
26 April, 2010 at 17:02
Hi Joshua,
But those resources are public anyway, i.e., there appears to be no difference between:
https://graph.facebook.com/benbiddington?access_token=116122545078207|EyWJJYqrdgQgV1bfue6W320z7MM.
and:
https://graph.facebook.com/benbiddington
What am I doing wrong? Do you have an example?
benbiddington
26 April, 2010 at 18:19
I should have clarified. My facebook username is ‘joshink’. When I authorize my app logging in with my credentials, I can get all my information using https://graph.facebook.com/joshink?access_token=…, but if I just try to use https://graph.facebook.com/me?access_token=… it won’t work at all.
So what I was trying to say is that you can use the graph api __if__ you know the id of the authenticated user. Does that make sense?
Joshua Inkenbrandt
26 April, 2010 at 18:30
Sure but does using the token give you any more information?
For me I get the same whether I use the token or not.
Does your request look like?:
https://graph.facebook.com/benbiddington?access_token=116122545078207|
EyWJJYqrdgQgV1bfue6W320z7MM.
I am still missing something…
benbiddington
26 April, 2010 at 19:18
The results differ in only some cases. If you grant your app extended permissions you should see your email address when you query your user id “https://graph.facebook.com/USERID?access_token=…” If you try the same request without the access token the email address will not appear.
However, I still can’t get some of the other extended permissions to work. The friends query “https://graph.facebook.com/USERID/friends?access_token=…” returns the following error message: “An access token is required to request this resource.”
Alex
26 April, 2010 at 20:06
What Alex said. If you grant yourself permissions, you’ll see more stuff (or at least you should). Also, it just shows that the access_token will at least work if you know who you’re authorized as.
Their API is pretty much useless at this point, though.
Joshua Inkenbrandt
26 April, 2010 at 20:43
Aha! I see, and the ‘me’ alias only works for the currently signed-in user. It also has that session part in the middle that is valid only while the current user is signed in (has auth cookie).
So these session-style tokens (as shown in the graph API introduction) *do* work for every connection, but only when signed in:
and you get a new one each session.
And the ones we get do not work with all connections:
And it does seem only some extended permissions work, for example *email* does, but *user_birthday* does not.
Regarding knowing your users, don’t forget you get given user id in the ‘code’ parameter during authentication, so you can track tokens to users.
benbiddington
26 April, 2010 at 22:38
Ok, I’ve taken the example app from http://github.com/facebook/python-sdk/tree/master/examples/oauth and put it on app engine, using my ID and Secret and it works.
If you look through the code, you’ll notice that it never specifies the ‘type’ or any ‘scope’, but the ‘me’ alias works. So now I’m super confused. Check it out: http://fbtornado.appspot.com/
Joshua Inkenbrandt
26 April, 2010 at 23:12
Ok, so… If I don’t specify the ‘type’ property on the access_token request it works like a charm. No more parse error. Try omitting the ‘type’ and see if it works for you.
Joshua Inkenbrandt
26 April, 2010 at 23:54
Bingo – Leaving out the type parameter when requesting the access token works! Everything works like a charm. Thanks guys!
Alex
27 April, 2010 at 15:25
Hi Joshua/Alex,
What about application users? Do you have any listed in your control panel? I have total users zero.
By the way, omitting type does not work for me — what other parameters’re you supplying?
benbiddington
27 April, 2010 at 08:49
Alex, can you post the request params one by one exactly as sent to the Facebook API, and emphasize the differences from what the Facebook sample file does?
Daniel
27 April, 2010 at 15:28
1. String authUrl = "https://graph.facebook.com/oauth/authorize?" + "client_id=CLIENTID&" + "scope=email,publish_stream,offline_access&" +
"redirect_uri=YOURCALLBACK&" +
"display=popup";
* The scope and display parameters are optional. Otherwise, this authorize request is as specified on http://developers.facebook.com/docs/authentication/
2. URL authUrl = new URL("https://graph.facebook.com/oauth/access_token?" +
"client_id=CLIENTID&" +
"code=" + tokenEncode + "&" +
"client_secret=YOURSECRET&" +
"redirect_uri=YOURCALLBACK");
* Again this is as specified on Facebook’s documentation. The code parameter is the url encoded access token returned from the initial authorize request. It is named ‘code’.
3. From there you read in your key from the response. I url encode the key before making any requests. Additionally, the ‘me’ shown on Facebook’s example should be replaced with the user’s id. The user id can be found in the access key.
Alex
27 April, 2010 at 15:47
By “The user id can be found in the access key.” you mean this you get from the code somehow ? I don’t understand how you get this access key.
Daniel
27 April, 2010 at 16:08
1. request https://graph.facebook.com/oauth/authorize?client_id=123412341234&redirect_uri=http://www.example.com/callback
2. The response will be redirected to your callback url and it will contain a “code” parameter. Grab the code parameter and URL encode it.
3. request https://graph.facebook.com/oauth/access_token?client_id=123412341234&code="code parameter from #2"&client_secret=234523452345&redirect_uri=http://www.example.com/callback
4. Visiting the above url should display your access_key on the screen. Grab the access_key from the screen.
5. Grab the user id from within the access_key, specifically after the first ‘-‘ and before the second ‘|’ is the user id.
6. URL encode the access_key.
7. Request https://graph.facebook.com/USERID?access_token=…
Alex
27 April, 2010 at 16:17
So you reckon this ought to work?:
For me this produces: “Error validating verification code.”
Nothing seems to work unless I add the type=client_cred…
Can anyone see anything in there I am missing?
P.S. I take it not all connections work still?
benbiddington
27 April, 2010 at 17:07
Did you have a look at the code from the site I posted (http://fbtornado.appspot.com)? The magic happens here: http://github.com/facebook/python-sdk/blob/master/examples/oauth/facebookoauth.py#L80
That app is just the sample code they give you on the Graph API page.
An interesting note on getting a validation code. I was dynamically generating the callback based off of the current URI in my application. This came around and bit me because I ended up including the ‘?code=…’ query string in my subsequent request to https://graph.facebook.com/oauth/access_token. Make sure your callback doesn’t have any query string parameters. That was my first mistake.
So here’s exactly what I do:
1. Make a request for user authorization:
https://graph.facebook.com/oauth/authorize
?client_id=….
&redirect_uri=http://localhost:8888/auth/fb (URL encoded of course)
&display=popup
&scope=publish_stream,email,read_stream,user_status
2. Once the user accepts, we are redirected to:
http://localhost:8888/auth/fb?code=…
3. I get the access token:
https://graph.facebook.com/oauth/access_token
?client_id=….
&client_secret=…
&code=…
&redirect_uri=http://localhost:8888/auth/fb (I know this is not necessary)
4. I parse the response body and get the access token (Which I should not, looks like the one on facebook’s api docs)
5. Make a request to get the authenticated user’s data:
https://graph.facebook.com/me?access_token=…
This is what works for me. As soon as I specify a ‘type’ I get a worthless access_token.
Hope that helps. (Also, sorry for spamming the crap out of your comments)
Joshua Inkenbrandt
27 April, 2010 at 18:00
Taking out the code=xxx query parameter made it work for me.
Thanks for the investigative work!
Andy
7 June, 2010 at 21:51
I’m not sure why your access token has that format.
The access token I find in the code parameter looks like: “b82e041b187c0229846xxxxxx-5814xxx|PPEIc1xxxx-H2XNK0LuIixxxx.” The access token value you’ve shown is similar to those used on facebook’s example http://developers.facebook.com/docs/api
Alex
27 April, 2010 at 23:17
Mine has that same 2. format
Shawn
28 April, 2010 at 06:21
Alex, any luck with accessing friends using a user’s uid? Per your previous post here:
“However, I still can’t get some of the other extended permissions to work. The friends query “https://graph.facebook.com/USERID/friends?access_token=…” returns the following error message: “An access token is required to request this resource.””
I can access everything else but friends mysteriously fails. Using “me” doesn’t work and I have a suspicious access token as well.
Adam Bossy
13 July, 2010 at 22:03
Instead of two requests to the server (one to request access, and the other to request token), you can get the token with single request as I described in
http://leybzon.blogspot.com/2010/04/posting-to-facebook-feed-using-graph.html
Gene Leybzon
28 April, 2010 at 18:43
This is a really good tip — it produces different tokens entirely — all because of that type=user_agent parameter on the authorize request.
And best of all, those tokens work exactly as described by the documentation.
This is the technique described as Desktop Authentication.
benbiddington
28 April, 2010 at 20:29
One thing that’s weird about that method is that it doesn’t place the access token in the query string as a regular GET parameter. Instead, it places it after a hash sign (#).
http://www.somesite.net/#access_token=284080404xxx|xxxxSOx9G0PItzfvDMyUbEoQ__.3600.1272560400-684890250|N0NjtuzQsx0EwmLvPYtEiZd4hu4.
I wonder why they don’t just put it as a GET..
Troy Swanson
29 April, 2010 at 17:16
Everything after a ‘#’ is a fragment. These portions are supposed to be available to the client. I can attest that Apache strips them off. So, while the user-agent flow is the easiest way of getting a token, I have found it entirely unsuitable for a server based implementation.
Mark
11 May, 2010 at 19:06
I have set in the scope
‘scope’ => ’email,user_birthday,user_about_me,publish_stream,offline_access’
But when I call
https://graph.facebook.com/‘.$facebook_user_id.’?access_token=…
I get retrieved only the name, first name, last name and email, but no sign of user birthday or about me.
Any ideas how I can get that?
Daniel
29 April, 2010 at 20:47
I suspect that you aren’t actually authorized. Try the same request without the access_token part and you will probably get the same information that you are seeing. It’s the public information that anyone could see
Mark
11 May, 2010 at 19:40
One thing to note here is that the access token, e.g. 116122545078207|2.1vGZASUSFMHeMVgQ_9P60Q__.3600.1272535200-500880518|QXlU1XfJR1mMagHLPtaMjJzFZp4. will expire after a certain time, based on this: 1272535200 value (correct me if I’m wrong). Does this mean users need to repeat the authorization process again each and every time the token expires?
Matt
1 May, 2010 at 21:04
Yep, put that in an epoch date converter. There is a section on refreshing tokens in the OAuth 2.0 specification.
benbiddington
1 May, 2010 at 21:15
Good to know that Ben. But how exactly to do that within Facebook? The only way I can think of is to repeat the authorization process again.
Matt
2 May, 2010 at 02:22
Sorry, I have not done much with the graph API, but I am sure Facebook’s implementation will match the specification, following that’s your best bet.
benbiddington
2 May, 2010 at 23:48
From what I understand ‘client_id’ is the app id, not the api key.
So in the above
The client id looks like the api key and not the app id. I think you need to replace that value with the app’s id – this seems to be what the developer docs say.
As for the token issue, you can re-use the code infinitely as far as I can tell, to get a new token whenever you need it.
So run the above once and get the code (i would assume you’d be storing it with that user’s data in your database) and then as the token expires (I suppose you’d keep track?) you fetch:
My perennial issue is that in the first call (to authorize) I try &scope=stream_publish and I get the following error:
API Error Code: 100
API Error Description: Invalid parameter
Error Message: Invalid permission: stream_publish
In the new Graph API it does not tell me what kind of application I need to have to get stream_publish to work; but it may be that I’m implicitly asking for permission to the app’s page, which doesn’t work.
When I replace client_id with my own user-id, I get redirected to a login.php which does not function…
What is most frustrating about the whole thing is we’ve successfully installed ‘Networked Blogs’ which publishes freely to our stream, but there seems to be no clear documentation on how to get an application that I control the authorization to publish.
I suspect there is an invisible inner circle here, but my immediate concern is to see that I’m following the spec exactly as they say it should be done. As it stands I’m doing what they ask in the docs but it is failing.
RiverC
3 May, 2010 at 20:51
BTW; if you do
&scope=offline_access
in the call to
graph.facebook.com/oauth/authorize
You will get a code for a token which does not expire. I, however, do not know how to get publish_stream to work… maybe it is my personal settings… no clue.
RiverC
3 May, 2010 at 21:32
Looks like there’s an error at http://developers.facebook.com/docs/authentication/ – the proper permission seems to be ‘publish_stream’ not ‘stream_publish’.
bp
7 May, 2010 at 07:33
Okay, it’s extremely frustrating for me..
<a href = "#" onClick="popitup('https://graph.facebook.com/oauth/authorize?type=user_agent&client_id=&redirect_uri=&scope=user_photos,email,user_birthday,user_online_presence‘) ;”>Click here to get permissions first
Now, this opens up my Facebook home page in a new popup (http://www.facebook.com/home.php). I’m not getting redirected with the token… wtf? It doesn’t ask me for permissions! I’m frustrated!
rohit
7 May, 2010 at 11:21
Click here to get permissions first
I’m frustrated, this doesn’t redirect me back to my redirect_uri (i.e. funnect.com); instead, it opens up my Facebook home page (http://www.facebook.com/home.php).
What do I do?.. argh.. open graph and facebook is the worst written api, with possibly horrible documentation.
rohit
7 May, 2010 at 11:24
Not working (not redirecting) in IE, but it’s working great in Firefox
https://graph.facebook.com/oauth/authorize?client_id=….&redirect_uri=….&type=user_agent&display=popup
ss
10 May, 2010 at 16:58
I’m seeing the same thing. If I try this in anything other than IE it works perfectly. In IE I get a “Can not display webpage” message. Bizarre.
ck
21 June, 2010 at 18:12
WordPress munged your url so I can’t tell if this is the problem, but IE restricts the maximum length of a URL to 2083 characters.
http://support.microsoft.com/kb/208427
I have seen this complaint on the FB forums, so I thought I would pass it along. I think that some people are trying to authorize as many of the extended permissions that they can (scopes) and are running into the URL limit
Mark
22 June, 2010 at 17:03
Thanks for the response, I eventually got to the Facebook bug tracker and found http://bugs.developers.facebook.com/show_bug.cgi?id=10836
which details that it is bumping into the URL limit.
ck
22 June, 2010 at 17:31
how do I get the access_token in to an asp variable from the url i get?
http://www.mysite.com/#access_token=123456789…..
kim
10 May, 2010 at 22:07
Thanks for all the work here Ben, you’ve really helped us heh.
However, I still seem to be clueless.
Here is what I want to do: provide a ‘login w/ FB’ button, throw to /authorize, get a code, throw to /access_token, get an access_token, and be able to hit https://graph.facebook.com/me for info about the user.
I just can’t seem to get to the last part. If I can’t hit /me, how do I get the ID of the current user and hit that instead?
-AC
Alex
11 May, 2010 at 16:50
Hey All,
I am having some weird canvas issues with the graph API that only occur when I choose FBML over iframe. When I choose FBML and navigate to the page, I try to call the authorize method and get this error
The URL https://graph.facebook.com/oauth/authorize?type=web_server&client_id=CLIENT_ID&redirect_uri=http%3A%2F%2Fknobcreek.zezzadev.com%2Ffacebook_stillhouse%2Fpost_authorize%2F&scope=email,user_birthday is not valid.
Anyone have any ideas why this would happen? I am thinking it is a parameter in the settings I am missing.
Any help would be greatly appreciated because I would like to write this app as an FBML canvas and not an iframe.
This site is so much more helpful than facebook’s
Thanks all,
–CG
Chris Galatioto
11 May, 2010 at 19:17
Hi Ben,
just wanted to say thanks for putting some sense into the FB new oAuth workflow, I wish you worked for the Facebook team that puts their documentation together :)))
best, Marin
Marin Todorov
13 May, 2010 at 11:44
[…] took me a while and reading through a lot of information on Ben Beddinton’s blog and the Graph API forum, but I noticed that all of the examples of working token requests had […]
User Delegation Flows in OAuth 2.0
14 May, 2010 at 02:17
I hope to comb through the information here to get Facebook’s awful API to work properly. The documentation is all over the place, sparse and badly written, has poor examples, and the API is flaky at best. Judging from the amount of posts around the Internets, I rest assured the problem does not lie with me.
El Honcho
25 May, 2010 at 00:31
[…] I had more success with facebook last week. Connecting to twitter and foursquare were faster to do than facebook because facebook uses a different authentication version and its documentation neglects to mention some things. The draft specs for OAuth 2.0 were helpful as were the developers forum and various blogs. […]
more on facebook « Research 2010
10 August, 2010 at 03:14
This really helped me along but I am still having issues. I still receive the below message in my application even though the access token is in the URL.
“An active access token must be used to query information about the current user
salmon
12 August, 2010 at 10:27
First of all just wanted to say big thanks for a good work, the topic is really great, saved me a lot of time.
I’m having an issue with ‘Client credentials flow’..
in few words, an access_token retrieved by Api (https://graph.facebook.com/oauth/access_token?&type=CLIENT_CRED&client_id=appId&client_secret=appsecret) works fine in most cases. But, when it comes to people search with Graph Api (https://graph.facebook.com/search?q=PersonName&type=user&access_token=#token) it fails with OAuthAccessTokenException and ‘access token is required to request this resource” error.
Has somebody experienced something like that?
In fact, search api would work with access_token of logged-in FB user, but my tool has its own sign-in functionality which doesn’t rely on Facebook sign-on …
Is there another way how to get people search to work?
volts
14 August, 2010 at 14:19
Sorry if it is a basic question, but can anyone help me with this…
Is there any short way to get the access token value directly from the URL, or do I have to use the split() method to get it…..
jason
23 August, 2010 at 12:18
[…] Facebook Graph API — getting access tokens (tags: facebook, oauth, oauth2, graphapi, graph, access_token, offline_access) […]
links for 2010-11-02 | Digitalistic - Mashup or die trying
3 November, 2010 at 03:04
I’m having the same problem as volts:
I’m having an issue with ‘Client credentials flow’..
in few words, an access_token retrieved by Api (https://graph.facebook.com/oauth/access_token?&type=CLIENT_CRED&client_id=appId&client_secret=appsecret) works fine in most cases. But, when it comes to people search with Graph Api (https://graph.facebook.com/search?q=PersonName&type=user&access_token=#token) it fails with OAuthAccessTokenException and ‘access token is required to request this resource” error.
Has somebody experienced something like that?
In fact, search api would work with access_token of logged-in FB user, but my tool has its own sign-in functionality which doesn’t rely on Facebook sign-on …
Is there another way how to get people search to work?
Anyone has a solution yet?
Tom Somerville
4 November, 2010 at 03:57
[…] Example.php on Github, this is the definitive way of using PHP and JavaScript for Facebook – Ben Biddington’s Facebook Graph API and Getting Access Tokens Great post on almost everything surrounding this issue. – Bugzilla bug report on Cookie issues […]
Third Party Cookies, OAuth2.0, iFrames for Facebook Dev
31 December, 2010 at 08:31
Thank you very much.
I am from Taiwan.
I read your post and then solve my problem, your article is much better than Facebook official document.
Andreas
5 March, 2011 at 22:56
[…] Another method of finding access tokens described in this article. […]
Adding Facebook Connect functionality to your application « Xlinesoft Blog
10 March, 2011 at 18:31
Help!
I am only getting a partial access token. And I’m not finding the FB docs helpful.
If I use this, without type=client_cred, I get the OAuth error:
https://graph.facebook.com/oauth/access_token?client_id=MYAPPID&redirect_uri=http://localhost:8181/&client_secret=MYAPPSECRET&code=BIGLONGCODESTRING
If I use this, with the type=client_cred, I get only two strings delimited by a pipe.
https://graph.facebook.com/oauth/access_token?type=client_cred&client_id=MYAPPID&redirect_uri=http://localhost:8181/&client_secret=MYAPPSECRET&code=BIGLONGCODESTRING
What am I missing, and where can I find complete docs that explain every querystring variable?
Thanks
Thomas Derenthal
16 March, 2011 at 06:47
I have read through all of this and I am still not finding an answer. I have tried every combination of client, wen user agent. Nothing works.
I am new to FB development, and this seems to be the biggest, kludgiest mess I’ve ever run across.
Anybody have any insight?
Thomas Derenthal
16 March, 2011 at 07:39
Also, when I use type=web_server, I get a 400 BAD REQUEST.
Thomas Derenthal
16 March, 2011 at 10:51
Thank you for this documentation, amazing and life saving!
Adam
4 July, 2011 at 12:10