Ben Biddington

Whatever it is, it's not about "coding"

Facebook Graph API — getting access tokens


As described in the documentation it's a fairly easy process, and it does not require any request signatures.

For example, I have an application with id 116122545078207, and I am using the URL of this blog (https://benbiddington.wordpress.com) as the redirect_uri that receives the tokens.

[update, 2010-04-29]

If ever there was a lesson to read specification and documentation carefully, this is it. Thanks to comments from Joshua Inkenbrandt, Alex and Gene Leybzon I realise why my examples don’t work as expected: I have been trying to use a mixture of web server and client_cred authentication flow.

As Gene rightly points out, I should have been using user_agent.

User-Agent Flow (with a web browser)

Following section 3.5.1.1, Client Requests Authorization, of the specification, this is a one-step process:

Open this in a browser:

https://graph.facebook.com/oauth/authorize?
    type=user_agent&
    client_id=116122545078207&
    redirect_uri=http%3A%2F%2Fbenbiddington.wordpress.com&
    scope=user_photos,email,user_birthday,user_online_presence

Note: there are several options for scope. These are called extended permissions.

Note: unless you specify offline_access, your tokens will stop working as soon as the user signs out of Facebook.

Note: client_secret is not supplied:

[3.5.1.  User-Agent Flow] This user-agent flow does not utilize the client secret since the client executables reside on the end user’s computer or device which makes the client secret accessible and exploitable.

You’ll be redirected to:

https://benbiddington.wordpress.com/#access_token=
    116122545078207|
    2.1vGZASUSFMHeMVgQ_9P60Q__.3600.1272535200-500880518|
    QXlU1XfJR1mMagHLPtaMjJzFZp4.

That is your access token; you can go ahead and use it:

https://graph.facebook.com/me?access_token=
    116122545078207|
    2.1vGZASUSFMHeMVgQ_9P60Q__.3600.1272535200-500880518|
    QXlU1XfJR1mMagHLPtaMjJzFZp4.
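The two URLs above, built and taken apart in code. This is an added example, not code from the post or from Facebook's SDK; the function names, the two endpoint constants and the percent-encoding choices are this example's own assumptions. Beyond what the post shows, it makes the one property of this flow that trips people up explicit: the token comes back in the URL fragment, and a fragment never leaves the browser, so the server behind redirect_uri receives the request for `/` with no token in it.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed endpoints, taken from the URLs quoted in the post.
AUTHORIZE_ENDPOINT = "https://graph.facebook.com/oauth/authorize"
GRAPH_ENDPOINT = "https://graph.facebook.com"


def authorize_url(client_id: str, redirect_uri: str, scopes: List[str],
                  flow: str = "user_agent") -> str:
    """Build the one-step user_agent authorization URL.

    No client_secret goes in here: the URL is handed to the browser, so anything
    in it is visible to the user. Commas inside scope stay literal; everything
    else, in particular the ':' and '/' of redirect_uri, is percent-encoded.
    """
    params = {
        "type": flow,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scopes),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, safe=",")


def request_target(url: str) -> str:
    """The part of a URL a browser actually puts on the HTTP request line.

    Everything after '#' is a fragment and never leaves the browser, so neither
    the server behind redirect_uri nor its access log sees a token delivered
    this way.
    """
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def token_from_redirect(redirect_url: str) -> Optional[str]:
    """Pull access_token out of the fragment of the URL the browser landed on.

    Returns None when there is no token in the fragment, which is exactly what
    server-side code sees under this flow even after a successful authorization.
    """
    fragment = urlsplit(redirect_url).fragment
    if not fragment:
        return None
    values = parse_qs(fragment).get("access_token", [])
    return values[0] if values else None


def graph_url(path: str, access_token: str) -> str:
    """Build a Graph API request URL for an authenticated call.

    The '|' separators inside Facebook tokens are reserved characters in a URL,
    so the token is percent-encoded rather than pasted in verbatim as the
    post's examples do.
    """
    query = urlencode({"access_token": access_token})
    return GRAPH_ENDPOINT + "/" + path.strip("/") + "?" + query
```

In a page rendered at redirect_uri, the only way to get the token off the browser is script that reads `location.hash` and posts it to your backend over TLS; if you want the token to arrive server-side in the HTTP request itself, this is the wrong flow.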

According to section 3.5.1. Client Requests Authorization, because we have not supplied the optional secret_type:

secret_type
    OPTIONAL. The access token secret type as described by Section 5.3.
    If omitted, the authorization server will issue a bearer token
    (an access token without a matching secret) as described by Section 5.2.

we have been issued a bearer token.

secret_type refers to an access token secret used for OAuth 1.0-style signed requests (section 5.3); you would only want one if you required signed requests. That secret is issued per token and is distinct from the client secret, so it does not contradict the point above about not shipping the client secret to a user agent. A bearer token needs no secret at all, which is exactly why it must be protected in transit (TLS) and wherever it is stored: whoever holds the string holds the access.

Refreshing tokens

Section 3.5.1 describes that the access token may be delivered with an optional refresh_token fragment. On expiry, this token can be exchanged at the token endpoint for a new access token. No refresh token is supplied by the Facebook API under the User-Agent flow, meaning you'll have to send users through the authorization step again.

Using access tokens

Tokens with no session part

In some cases, like when using the Client Credentials Flow (section 3.7.1), you're issued a token without the session part.

Instead of this:

    116122545078207|
    2.1vGZASUSFMHeMVgQ_9P60Q__.3600.1272535200-500880518|
    EyWJJYqrdgQgV1bfueck320z7MM.

you get this:

116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.

These do work in some cases, but are rejected by some resources. For example:

https://graph.facebook.com/me?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.

returns the error:

{
   "error": {
      "type": "QueryParseException",
      "message": "An active access token must be used to query information about the current user."
   }
}

This is the same error you get when you request the same resource without supplying a token at all:

http://graph.facebook.com/me

Note that these tokens do work against a real resource identifier, i.e., without the me alias. For example, here I use one against my own profile (benbiddington):

https://graph.facebook.com/benbiddington?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.

So the me alias only works in the case where we have a full token — the session part is required.

These tokens also work for accessing your application's insights (see the analytics section):

https://graph.facebook.com/app_id/insights?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.

This is described in section 3.7.  Autonomous Client Flows:

Autonomous client flows are used to grant client access to protected resources controlled by the client (i.e. the client is the resource owner). For example, these flows are useful when a service provides both client-specific resources in addition to end user resources.

And more specifically, the Client Credentials Flow is described in section 3.7.1:

The client credentials flow is used when the client acts autonomously without acting on behalf of a separate resource owner. The client secret is assumed to be high-entropy since it is not designed to be memorized by an end user.

Where a client is:

An HTTP client capable of making authenticated requests for protected resources using the OAuth protocol. [This is the third-party application that wants to access a resource owner's Facebook account.]

And a resource owner:

An entity capable of granting access to a protected resource. [This is the user who owns the Facebook account.]

[TBD: So what?]

Tokens, sessions and that

You can see more information about the authentication flow by using a bogus redirect_uri, i.e., one that does not match the Connect URL setting in your application, e.g.:

https://graph.facebook.com/oauth/authorize?
    client_id=116122545078207&
    redirect_uri=http%3A%2F%2Flocalhost&
    scope=user_photos

Executing this gives error:

{
   "error": {
      "type": "OAuthException",
      "message": "Invalid redirect_uri: The Facebook Connect cross-domain
          receiver URL (http://localhost) must have the application's
          Connect URL (https://benbiddington.wordpress.com) as a prefix.
          You can configure the Connect URL in the Application Settings Editor."
   }
}

But there is some information in the query string of the resulting URL, which when decoded looks like this:

https://graph.facebook.com/oauth/authorize_success?
    client_id=116122545078207&
    redirect_uri=http://localhost&
    scope=user_photos&
    type=web_server&
    perms=user_photos&
    selected_profiles=500880518&
    session={
        "session_key":"2.vHAZRg0Ac4Dtzm2xiVwXoA__.3600.1272286800-500880518",
        "uid":500880518,
        "expires":1272286800,
        "secret":"vHAZRg0Ac4Dtzm2xiVwXoA__",
        "sig":"7a6fc887240884de883a21e2a2aec3e0"
    }

That session_key:

2.vHAZRg0Ac4Dtzm2xiVwXoA__.3600.1272286800-500880518

looks familiar: it is the same as the code parameter used in the web server authentication flow (section 3.5.2), and it follows the same pattern as the middle segment of an access token:

2.{secret}.3600.{expires_at_seconds_after_epoch}-{user_id}

The 3600 segment is presumably the lifetime in seconds.
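A parser for that pattern, covering both this section and the "Tokens with no session part" section above. This is an added example, not the post's code and not anything Facebook documents: the structure is only what these tokens are observed to look like, so the regular expression, the field names (secret, ttl, expires, uid) and the sample inputs (copied from the tokens quoted in this post, with the session JSON re-encoded the way it sits in the authorize_success query string) are this example's own assumptions. It shows what you can and cannot conclude from the token string alone: which user and app it belongs to, whether it has a session part (and so whether `me` will work), and whether its embedded expiry has passed. Note what it does not do: the trailing segment called `sig` here is opaque, and nothing on the page says how it is computed, so the parser never treats a well-formed token as a valid one.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Layout observed in this post for the middle segment of an access token and for
# the web_server flow "code": 2.{secret}.3600.{expires_at}-{user_id}. Field names
# are this example's own. A parse failure means "format changed", not "forged".
SESSION_KEY_RE = re.compile(
    r"^2\.(?P<secret>[A-Za-z0-9_-]+)\.(?P<ttl>\d+)\.(?P<expires>\d+)-(?P<uid>\d+)$"
)

# Constructed samples, copied from the post (app 116122545078207, user 500880518).
SAMPLE_USER_AGENT_TOKEN = (
    "116122545078207|2.1vGZASUSFMHeMVgQ_9P60Q__.3600.1272535200-500880518|"
    "QXlU1XfJR1mMagHLPtaMjJzFZp4."
)
SAMPLE_CLIENT_CRED_TOKEN = "116122545078207|EyWJJYqrdgQgV1bfueck320z7MM."
SAMPLE_CODE = "2.kfy7P_AolVHe7D_wgZ5ruA__.3600.1272387600-500880518%7C4_qe2VQSWty3XgoG5iqr-Byv2Ks."
SAMPLE_AUTHORIZE_SUCCESS_URL = (
    "https://graph.facebook.com/oauth/authorize_success?client_id=116122545078207"
    "&redirect_uri=http%3A%2F%2Flocalhost&scope=user_photos&type=web_server"
    "&perms=user_photos&selected_profiles=500880518&session="
    + quote(json.dumps({
        "session_key": "2.vHAZRg0Ac4Dtzm2xiVwXoA__.3600.1272286800-500880518",
        "uid": 500880518, "expires": 1272286800,
        "secret": "vHAZRg0Ac4Dtzm2xiVwXoA__", "sig": "7a6fc887240884de883a21e2a2aec3e0",
    }))
)


@dataclass
class SessionKey:
    secret: str
    ttl: int       # lifetime in seconds; 3600 in every token on this page
    expires: int   # Unix time after which the session is dead
    uid: int       # Facebook user id the session was issued for


@dataclass
class AccessToken:
    app_id: str
    session: Optional[SessionKey]   # None for client_cred tokens, which carry no user
    sig: str                        # opaque; how it is computed is not documented

    def has_session(self) -> bool:
        # Only tokens with a session part can resolve the "me" alias.
        return self.session is not None

    def user_id(self) -> Optional[int]:
        return self.session.uid if self.session else None

    def is_expired(self, now: int) -> bool:
        """True once the embedded expiry has passed. False is not proof the token
        still works: it also dies when the user signs out (unless offline_access
        was granted), and only the API can tell you that."""
        return self.session is not None and now >= self.session.expires


def parse_session_key(session_key: str) -> SessionKey:
    m = SESSION_KEY_RE.match(session_key)
    if m is None:
        raise ValueError(f"unrecognised session key: {session_key!r}")
    return SessionKey(m["secret"], int(m["ttl"]), int(m["expires"]), int(m["uid"]))


def parse_access_token(token: str) -> AccessToken:
    """Split app_id|session_key|sig, or app_id|sig for a token without a session part."""
    parts = unquote(token).split("|")
    if len(parts) == 3:
        app_id, session_key, sig = parts
        session: Optional[SessionKey] = parse_session_key(session_key)
    elif len(parts) == 2:
        app_id, sig = parts
        session = None
    else:
        raise ValueError("expected two or three '|'-separated segments")
    if not app_id.isdigit() or not sig:
        raise ValueError("malformed access token")
    return AccessToken(app_id, session, sig)


def parse_code(code: str) -> Tuple[SessionKey, str]:
    """The web_server flow code is session_key|sig ('%7C' on the wire), so the
    user id is known before the code is ever exchanged for a token."""
    session_key, sep, sig = unquote(code).partition("|")
    if not sep or not sig:
        raise ValueError("code is not session_key|sig")
    return parse_session_key(session_key), sig


def session_from_authorize_success(url: str) -> SessionKey:
    """Recover the session from the authorize_success URL that the invalid
    redirect_uri error exposes, checking the JSON agrees with its own session_key."""
    query = parse_qs(urlsplit(url).query)
    session = json.loads(query["session"][0])
    parsed = parse_session_key(session["session_key"])
    if (parsed.uid, parsed.expires, parsed.secret) != (
        session["uid"], session["expires"], session["secret"]
    ):
        raise ValueError("session JSON does not match its session_key")
    return parsed
```

The expiry check is what you would run before each API call to decide whether to send the user back through the authorization step (there being no refresh token under this flow); the user id is what lets you file a token under the right account without ever calling `me`.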

Where are my extended permissions?

It appears there is some problem with authorizing extended permissions.

For example, when I use the link in step (1) up there, I am prompted with the following screen:

That looks like the set I asked for, and so I select Allow.

But when I then inspect the extended permissions in my Application settings, all I see is this:

For some reason the only extra permission I have is email. And actually, did I even ask for Publish recent activity?

What is wrong here?

Troubleshooting

I can’t see my application in my Application settings screen

Make sure to choose Authorised from the show list on the Application settings screen.

The default view is Recently used, which (certainly in my case) does not list my application.

How do I know what permissions my application has?

Once you find the application in your Application settings list, press Edit settings and then select the Additional Permissions tab on the resultant dialog.

How do I de-authorise an application?

From your Application settings list, press the "x" button at the right end of the row, next to the Application Profile link.

My access tokens only seem valid while a user is signed-in to facebook

You need to request the offline_access permission, e.g.:

https://graph.facebook.com/oauth/authorize?
    type=user_agent&
    client_id=116122545078207&
    redirect_uri=http%3A%2F%2Fbenbiddington.wordpress.com&
    scope=user_photos,email,user_birthday,user_online_presence,offline_access

otherwise your access tokens will stop working as soon as the user signs out, and you'll get an error like this:

{
    "error": {
        "type": "OAuthException",
        "message": "Error processing access token."
    }
}


Written by benbiddington

23 April, 2010 at 13:37

Posted in development


73 Responses


  1. I’m receiving the access token by including only the type and client parameters in the https://graph.facebook.com/oauth/access_token? request.

    In my mind the code parameter should also be required. Does anyone know how oauth 2.0 works?

    Alex

    23 April, 2010 at 20:56

  2. Read the OAuth draft on that link up there

    benbiddington

    23 April, 2010 at 20:59

  3. I am getting the same access_token for different users, even though the code is different, and then I get this error:

    {"error":{"type":"QueryParseException","message":"An active access token must be used to query information about the current user."}}

    Any ideas?

    Daniel

    24 April, 2010 at 19:25

  4. Thanks for the type=client_cred note, that got me past the /authorize stumbling block. However, the access_token returned, when used, doesn’t seem valid. I get this returned when I do anything:

    {
      "error": {
        "type": "QueryParseException",
        "message": "An active access token must be used to query information about the current user."
      }
    }

    Any idea where I should look to try and figure out what I’m doing wrong?

    Alex Cook

    24 April, 2010 at 20:05

  5. Looks like a lot of us are having access_token issues – few posts on stackoverflow etc about it…

    Alex Cook

    25 April, 2010 at 14:19

    • Yeah, I am not finding the Facebook documentation very helpful either, and it does not seem to match the OAuth 2.0 specification cited.

      benbiddington

      25 April, 2010 at 16:35

  6. Hello. Your example has been a great help. But I have a doubt. If users do not allow the application, Facebook gives this message:

    {
      "error": {
        "type": "OAuthException",
        "message": "Invalid session key"
      }
    }

    Do you know why this error occur?
    How can I redirect users to a different page if they don’t allow the permissions?

    Thanks.

    David

    26 April, 2010 at 13:47

    • I’ve found the solution. I have to add the GET variable “cancel=url” in the url.

      David

      26 April, 2010 at 18:21

      • I have the exact same problem right now.
        Would you please care to explain your solution a bit more?
        Thank you!

        Filip

        28 April, 2010 at 10:25

  7. From what I can tell, the “QueryParseException” only happens when you’re trying to get the active user (using http://graph.facebook.com/me?access_token=…). If you use the username or ID it works.

    Which kinda sucks, because you have no way of knowing who the active user is. Hope that helps.

    Joshua Inkenbrandt

    26 April, 2010 at 16:18

    • Like this you mean?:

      http://graph.facebook.com/4

      benbiddington

      26 April, 2010 at 16:31

      • Yeah, if you use their ID it should work, it’s just when you’re accessing using ‘me’ that you’ll get the “QueryParseException”.

        Like you pointed out earlier, the access_tokens of facebook’s docs are very different than the ones returned by OAuth. I just can’t figure out if there’s another param we should be passing to get that type of access token, or if it’s just simply a bug at this point.

        Joshua Inkenbrandt

        26 April, 2010 at 17:02

  8. Hi Joshua,

    But those resources are public anyway, i.e., there appears to be no difference between:

    https://graph.facebook.com/benbiddington?access_token=116122545078207|EyWJJYqrdgQgV1bfue6W320z7MM.

    and:

    https://graph.facebook.com/benbiddington

    What am I doing wrong? Do you have an example?

    benbiddington

    26 April, 2010 at 18:19

    • I should have clarified. My facebook username is ‘joshink’. When I authorize my app logging in with my credentials, I can get all my information using https://graph.facebook.com/joshink?access_token=…, but if I just try to use https://graph.facebook.com/me?access_token=… it won’t work at all.

      So what I was trying to say is that you can use the graph api __if__ you know the id of the authenticated user. Does that make sense?

      Joshua Inkenbrandt

      26 April, 2010 at 18:30

      • Sure but does using the token give you any more information?

        For me I get the same whether I use the token or not.

        Does your request look like?:

        https://graph.facebook.com/benbiddington?access_token=116122545078207|
        EyWJJYqrdgQgV1bfue6W320z7MM.

        I am still missing something…

        benbiddington

        26 April, 2010 at 19:18

      • The results differ in only some cases. If you grant your app extended permissions you should see your email address when you query your user id “https://graph.facebook.com/USERID?access_token=…” If you try the same request without the access token the email address will not appear.

        However, I still can’t get some of the other extended permissions to work. The friends query “https://graph.facebook.com/USERID/friends?access_token=…” returns the following error message: “An access token is required to request this resource.”

        Alex

        26 April, 2010 at 20:06

      • What Alex said. If you grant yourself permissions, you’ll see more stuff (or at least you should). Also, it just shows that the access_token will at least work if you know who you’re authorized as.

        Their API is pretty much useless at this point, though.

        Joshua Inkenbrandt

        26 April, 2010 at 20:43

  9. Aha! I see, and the ‘me’ alias only works for the currently signed-in user. It also has that session part in the middle that is valid only while the current user is signed in (has auth cookie).

    So these session-style tokens (as shown in the graph API introduction) *do* work for every connection, but only when signed in:

    http://graph.facebook.com/benbiddington/photos?
        access_token=2227470867|
        2.4Z16dITNr0kN9z1wrFb_yw__.3600.1272326400-500880518|
        kX2Tgce8nbGQNtigiP3KXKMocNk.
    

    and you get a new one each session.

    And the ones we get do not work with all connections:

    https://graph.facebook.com/benbiddington/photos?
        access_token=116122545078207|EyWJJYqrdgQgV1bfue6W320z7MM.
    

    And it does seem only some extended permissions work, for example *email* does, but *user_birthday* does not.

    Regarding knowing your users, don’t forget you get given user id in the ‘code’ parameter during authentication, so you can track tokens to users.

    benbiddington

    26 April, 2010 at 22:38

    • Ok, I’ve taken the example app from http://github.com/facebook/python-sdk/tree/master/examples/oauth and put it on app engine, using my ID and Secret and it works.

      If you look through the code, you’ll notice that it never specifies the ‘type’ or any ‘scope’, but the ‘me’ alias works. So now I’m super confused. Check it out: http://fbtornado.appspot.com/

      Joshua Inkenbrandt

      26 April, 2010 at 23:12

      • Ok, so… If I don’t specify the ‘type’ property on the access_token request it works like a charm. No more parse error. Try omitting the ‘type’ and see if it works for you.

        Joshua Inkenbrandt

        26 April, 2010 at 23:54

      • Bingo – Leaving out the type parameter when requesting the access token works! Everything works like a charm. Thanks guys!

        Alex

        27 April, 2010 at 15:25

  10. Hi Joshua/Alex,

    What about application users? Do you have any listed in your control panel? I have total users zero.

    By the way, omitting type does not work for me — what other parameters are you supplying?

    benbiddington

    27 April, 2010 at 08:49

  11. Alex, can you post the request params one by one, exactly as sent to the Facebook API, and emphasize the differences from the Facebook sample file?

    Daniel

    27 April, 2010 at 15:28

    • 1. String authUrl = “https://graph.facebook.com/oauth/authorize?” +”client_id=CLIENTID&” +”scope=email,publish_stream,offline_access&”+
      “redirect_uri=YOURCALLBACK&”+
      “display=popup”;

      * The scope and display parameters are optional. Otherwise, this authorize request is as specified on http://developers.facebook.com/docs/authentication/

      2. URL authUrl = new URL(“https://graph.facebook.com/oauth/access_token?” +
      “client_id=CLIENTID&” +
      “code=”+tokenEncode+”&”+
      “client_secret=YOURSECRET&”+
      “redirect_uri=YOURCALLBACK”);

      * Again this is as specified on Facebook’s documentation. The code parameter is the url encoded access token returned from the initial authorize request. It is named ‘code’.

      3. From there you read in your key from the response. I url encode the key before making any requests. Additionally, the ‘me’ shown on Facebook’s example should be replaced with the user’s id. The user id can be found in the access key.

      Alex

      27 April, 2010 at 15:47

      • By “The user id can be found in the access key”, do you mean you get this from the code somehow? I don’t understand how you get this access key.

        Daniel

        27 April, 2010 at 16:08

  12. 1. request https://graph.facebook.com/oauth/authorize?client_id=123412341234&redirect_uri=http://www.example.com/callback

    2. The response will be redirected to your callback url and it will contain a “code” parameter. Grab the code parameter and URL encode it.

    3. request https://graph.facebook.com/oauth/access_token?client_id=123412341234&code="code parameter from #2"&client_secret=234523452345&redirect_uri=http://www.example.com/callback

    4. Visiting the above url should display your access_key on the screen. Grab the access_key from the screen.

    5. Grab the user id from within the access_key, specifically after the first ‘-‘ and before the second ‘|’ is the user id.

    6. URL encode the access_key.

    7. Request https://graph.facebook.com/USERID?access_token=

    Alex

    27 April, 2010 at 16:17

  13. So you reckon this ought to work?:

    https://graph.facebook.com/oauth/access_token?
        client_id=a82fed1a931693d784da54ea48c79346&
        redirect_uri=http%3A%2F%2Fbenbiddington.wordpress.com&
        client_secret=98d2bd346b114be08bad336bbxxxxxxx&
        code=2.kfy7P_AolVHe7D_wgZ5ruA__.3600.1272387600-500880518%7C4_qe2VQSWty3XgoG5iqr-Byv2Ks.
    

    For me this produces: “Error validating verification code.”

    Nothing seems to work unless I add the type=client_cred…

    Can anyone see anything in there I am missing?

    P.S. I take it not all connections work still?

    benbiddington

    27 April, 2010 at 17:07

    • Did you have a look at the code from the site I posted (http://fbtornado.appspot.com)? The magic happens here: http://github.com/facebook/python-sdk/blob/master/examples/oauth/facebookoauth.py#L80

      That app is just the sample code they give you on the Graph API page.

      An interesting note on getting a validation code. I was dynamically generating the callback based off of the current URI in my application. This came around and bit me because I ended up including the ‘?code=…’ query string in my subsequent request to https://graph.facebook.com/oauth/access_token. Make sure your callback doesn’t have any query string parameters. That was my first mistake.

      So here’s exactly what I do:

      1. Make a request for user authorization:
      https://graph.facebook.com/oauth/authorize
      ?client_id=….
      &redirect_uri=http://localhost:8888/auth/fb (URL encoded of course)
      &display=popup
      &scope=publish_stream,email,read_stream,user_status

      2. Once the user accepts, we are redirected to:
      http://localhost:8888/auth/fb?code=

      3. I get the access token:
      https://graph.facebook.com/oauth/access_token
      ?client_id=….
      &client_secret=…
      &code=…
      &redirect_uri=http://localhost:8888/auth/fb (I know this is not necessary)

      4. I parse the response body and get the access token (Which I should not, looks like the one on facebook’s api docs)

      5. Make a request to get the authenticated user’s data:
      https://graph.facebook.com/me?access_token=

      This is what works for me. As soon as I specify a ‘type’ I get a worthless access_token.

      Hope that helps. (Also, sorry for spamming the crap out of your comments)

      Joshua Inkenbrandt

      27 April, 2010 at 18:00

      • Taking out the code=xxx query parameter made it work for me.

        Thanks for the investigative work!

        Andy

        7 June, 2010 at 21:51

    • I’m not sure why your access token has that format.

      The access token I find in the code parameter looks like: “b82e041b187c0229846xxxxxx-5814xxx|PPEIc1xxxx-H2XNK0LuIixxxx.” The access token value you’ve shown is similar to those used on facebook’s example http://developers.facebook.com/docs/api

      Alex

      27 April, 2010 at 23:17

      • Mine has that same 2. format

        Shawn

        28 April, 2010 at 06:21

      • Alex, any luck with accessing friends using a user’s uid? Per your previous post here:

        “However, I still can’t get some of the other extended permissions to work. The friends query “https://graph.facebook.com/USERID/friends?access_token=…” returns the following error message: “An access token is required to request this resource.””

        I can access everything else but friends mysteriously fails. Using “me” doesn’t work and I have a suspicious access token as well.

        Adam Bossy

        13 July, 2010 at 22:03

  14. Instead of two requests to the server (one to request access, and the other to request token), you can get the token with single request as I described in
    http://leybzon.blogspot.com/2010/04/posting-to-facebook-feed-using-graph.html

    Gene Leybzon

    28 April, 2010 at 18:43

    • This is a really good tip — it produces different tokens entirely — all because of that type=user_agent parameter on the authorize request.

      And best of all, those tokens work exactly as described by the documentation.

      This is the technique described as Desktop Authentication.

      benbiddington

      28 April, 2010 at 20:29

    • One thing that’s weird about that method is that it doesn’t place the access token in the query string as a regular GET parameter. Instead, it places it after a hash sign (#).

      http://www.somesite.net/#access_token=284080404xxx|xxxxSOx9G0PItzfvDMyUbEoQ__.3600.1272560400-684890250|N0NjtuzQsx0EwmLvPYtEiZd4hu4.

      I wonder why they don’t just put it as a GET..

      Troy Swanson

      29 April, 2010 at 17:16

      • Everything after a ‘#’ is a fragment. These portions are supposed to be available to the client. I can attest that Apache strips them off. So, while the user-agent flow is the easiest way of getting a token, I have found it entirely unsuitable for a server based implementation.

        Mark

        11 May, 2010 at 19:06

  15. I have set in the scope

    ‘scope’ => ’email,user_birthday,user_about_me,publish_stream,offline_access’

    But when I call

    https://graph.facebook.com/‘.$facebook_user_id.’?access_token=…

    I only get the name, first name, last name and email, but no sign of user birthday or about me.

    Any ideas how I can get that?

    Daniel

    29 April, 2010 at 20:47

    • I suspect that you aren’t actually authorized. Try the same request without the access_token part and you will probably get the same information that you are seeing. It’s the public information that anyone could see

      Mark

      11 May, 2010 at 19:40

  16. One thing to note here is that the access token, e.g. 116122545078207|2.1vGZASUSFMHeMVgQ_9P60Q__.3600.1272535200-500880518|QXlU1XfJR1mMagHLPtaMjJzFZp4. will expire after a certain time, based on this: 1272535200 value (correct me if I’m wrong). Does this mean users need to repeat the authorization process again each and every time the token expires?

    Matt

    1 May, 2010 at 21:04

    • Yep, put that in an epoch date converter. There is a section on refreshing tokens in the OAuth 2.0 specification.

      benbiddington

      1 May, 2010 at 21:15

      • Good to know that Ben. But how exactly to do that within Facebook? The only way I can think of is to repeat the authorization process again.

        Matt

        2 May, 2010 at 02:22

      • Sorry, I have not done much with the graph API, but I am sure Facebook’s implementation will match the specification, following that’s your best bet.

        benbiddington

        2 May, 2010 at 23:48

  17. From what I understand ‘client_id’ is the app id, not the api key.

    So in the above

    https://graph.facebook.com/oauth/access_token?
    client_id=a82fed1a931693d784da54ea48c79346&
    redirect_uri=http%3A%2F%2Fbenbiddington.wordpress.com&
    client_secret=98d2bd346b114be08bad336bbxxxxxxx&
    code=2.kfy7P_AolVHe7D_wgZ5ruA__.3600.1272387600-500880518%7C4_qe2VQSWty3XgoG5iqr-Byv2Ks.

    The client id looks like the api key and not the app id. I think you need to replace that value with the app’s id – this seems to be what the developer docs say.

    As for the token issue, you can re-use the code infinitely as far as I can tell, to get a new token whenever you need it.

    So run the above once and get the code (i would assume you’d be storing it with that user’s data in your database) and then as the token expires (I suppose you’d keep track?) you fetch:

    ‘https://graph.facebook.com/oauth/access_token?client_id=’.$app_id.’&redirect_uri=’.$connect_uri.’oauth_redirect&client_secret=’.$api_secret.’&code=’.urlencode($code)

    My perennial issue is that in the first call (to authorize) I try &scope=stream_publish and I get the following error:

    API Error Code: 100
    API Error Description: Invalid parameter
    Error Message: Invalid permission: stream_publish

    In the new Graph API it does not tell me what kind of application I need to have to get stream_publish to work; but it may be that I’m implicitly asking for permission to the app’s page, which doesn’t work.

    When I replace client_id with my own user-id, I get redirected to a login.php which does not function…

    What is most frustrating about the whole thing is we’ve successfully installed ‘Networked Blogs’ which publishes freely to our stream, but there seems to be no clear documentation on how to get an application that I control the authorization to publish.

    I suspect there is an invisible inner circle here, but my immediate concern is to see that I’m following the spec exactly as they say it should be done. As it stands I’m doing what they ask in the docs but it is failing.

    RiverC

    3 May, 2010 at 20:51

    • BTW; if you do
      &scope=offline_access
      in the call to
      graph.facebook.com/oauth/authorize

      You will get a code for a token which does not expire. I, however, do not know how to get publish_stream to work… maybe it is my personal settings… no clue.

      RiverC

      3 May, 2010 at 21:32

  18. Looks like there’s an error at http://developers.facebook.com/docs/authentication/ – the proper permission seems to be ‘publish_stream’ not ‘stream_publish’.

    bp

    7 May, 2010 at 07:33

  19. Okay, Its extremely frustrating for me..
    <a href="#" onClick="popitup('https://graph.facebook.com/oauth/authorize?type=user_agent&client_id=&redirect_uri=&scope=user_photos,email,user_birthday,user_online_presence');">Click here to get permissions first</a>

    Now, this opens up my Facebook home page in a new popup (http://www.facebook.com/home.php). I’m not getting redirected with the token… wtf? It doesn’t ask me for permissions! I’m frustrated!

    rohit

    7 May, 2010 at 11:21

  20. Click here to get permissions first

    I’m frustrated, this doesn’t redirect me back to my redirect_uri (i.e. funnect.com); instead, it opens up my Facebook home page (http://www.facebook.com/home.php).

    What do I do?.. argh.. Open Graph and Facebook is the worst written API with possibly the most horrible documentation.

    rohit

    7 May, 2010 at 11:24

  21. Not working (not redirecting) in IE, but it’s working great in Firefox

    https://graph.facebook.com/oauth/authorize?client_id=….&redirect_uri=….&type=user_agent&display=popup

    ss

    10 May, 2010 at 16:58

    • I’m seeing the same thing. If I try this in anything other than IE it works perfectly. In IE I get a Can not display webpage message. Bizarre.

      ck

      21 June, 2010 at 18:12

      • WordPress munged your url so I can’t tell if this is the problem, but IE restricts the maximum length of a URL to 2083 characters.
        http://support.microsoft.com/kb/208427

        I have seen this complaint on the FB forums, so I thought I would pass it along. I think that some people are trying to authorize as many of the extended permissions that they can (scopes) and are running into the URL limit

        Mark

        22 June, 2010 at 17:03

      • Thanks for the response, I eventually got to the Facebook bug tracker and found http://bugs.developers.facebook.com/show_bug.cgi?id=10836
        which details that it is bumping into the URL limit.

        ck

        22 June, 2010 at 17:31

  22. How do I get the access_token into an ASP variable from the URL I get?

    http://www.mysite.com/#access_token=123456789…..

    kim

    10 May, 2010 at 22:07

  23. Thanks for all the work here Ben, you’ve really helped us heh.

    However, I still seem to be clueless.

    Here is what I want to do: provide a ‘login w/ FB’ button, throw to /authorize, get a code, throw to /access_token, get an access_token, and be able to hit https://graph.facebook.com/me for info about the user.

    I just can’t seem to get to the last part. If I can’t hit /me, how do I get the ID of the current user and hit that instead?

    -AC

    Alex

    11 May, 2010 at 16:50

  24. Hey All,

    I am having some weird canvas issues with the graph API that only appear when I choose FBML over iframe. When I choose FBML and navigate to the page I try to call the authorize method and get this error

    The URL https://graph.facebook.com/oauth/authorize?type=web_server&client_id=CLIENT_ID&redirect_uri=http%3A%2F%2Fknobcreek.zezzadev.com%2Ffacebook_stillhouse%2Fpost_authorize%2F&scope=email,user_birthday is not valid.

    Anyone have any ideas why this would happen? I am thinking it is a parameter in the settings I am missing.

    Any help would be greatly appreciated because I would like to write this app as a FBML canvas and not an iframe.

    This site is so much more helpful than facebook’s

    Thanks all,

    –CG

    Chris Galatioto

    11 May, 2010 at 19:17

  25. Hi Ben,

    just wanted to say thanks for putting some sense into the FB new oAuth workflow, I wish you worked for the Facebook team that puts their documentation together :)))

    best, Marin

    Marin Todorov

    13 May, 2010 at 11:44

  26. […] took me a while and reading through a lot of information on Ben Beddinton’s blog and the Graph API forum, but I noticed that all of the examples of working token requests had […]

  27. I hope to comb through the information here to get Facebook’s awful API to work properly. The documentation is all over the place, sparse and badly written, has poor examples, and the API is flaky at best. Judging from the amount of posts around the Internets, I rest assured the problem does not lie with me.

    El Honcho

    25 May, 2010 at 00:31

  28. […] I had more success with facebook last week. Connecting to twitter and foursquare were faster to do than facebook because facebook uses a different authentication version and its documentation neglects to mention some things. The draft specs for OAuth 2.0 were helpful as were the developers forum and various blogs. […]

  29. This really helped me along but I am still having issues. I still receive the below message in my application even though the access token is in the URL.

    “An active access token must be used to query information about the current user”

    salmon

    12 August, 2010 at 10:27

  30. First of all just wanted to say big thanks for a good work, the topic is really great, saved me a lot of time.

    I’m having an issue with ‘Client credentials flow’..
    In a few words, an access_token retrieved by API (https://graph.facebook.com/oauth/access_token?&type=CLIENT_CRED&client_id=appId&client_secret=appsecret) works fine in most cases. But, when it comes to people search with Graph API (https://graph.facebook.com/search?q=PersonName&type=user&access_token=#token) it fails with OAuthAccessTokenException and “access token is required to request this resource” error.
    Has somebody experienced something like that?

    In fact, search api would work with access_token of logged-in FB user, but my tool has its own sign-in functionality which doesn’t rely on Facebook sign-on …

    Is there another way how to get people search to work?

    volts

    14 August, 2010 at 14:19

  31. Sorry if it is a basic Q but can anyone help me on this…
    Is there any short way to get the access token value directly from the URL, or do I have to use the split() method to get it…..

    jason

    23 August, 2010 at 12:18

  32. […] Facebook Graph API — getting access tokens (tags: facebook, oauth, oauth2, graphapi, graph, access_token, offline_access) […]

  33. I’m having the same problem as volts:

    I’m having an issue with ‘Client credentials flow’..
    In a few words, an access_token retrieved by API (https://graph.facebook.com/oauth/access_token?&type=CLIENT_CRED&client_id=appId&client_secret=appsecret) works fine in most cases. But, when it comes to people search with Graph API (https://graph.facebook.com/search?q=PersonName&type=user&access_token=#token) it fails with OAuthAccessTokenException and “access token is required to request this resource” error.
    Has somebody experienced something like that?

    In fact, search api would work with access_token of logged-in FB user, but my tool has its own sign-in functionality which doesn’t rely on Facebook sign-on …

    Is there another way how to get people search to work?

    Anyone has a solution yet?

    Tom Somerville

    4 November, 2010 at 03:57

  34. […] Example.php on Github, this is the definitive way of using PHP and JavaScript for Facebook – Ben Biddington’s Facebook Graph API and Getting Access Tokens Great post on almost everything surrounding this issue. – Bugzilla bug report on Cookie issues […]

  35. Thank you very much.

    I am from Taiwan.

    I read your post and then solved my problem; your article is much better than the Facebook official documentation.

    Andreas

    5 March, 2011 at 22:56

  36. […] Another method of finding access tokens described in this article. […]

  37. Help!

    I am only getting a partial access token. And I’m not finding the FB docs helpful.

    If I use this, without type=client_cred, I get the OAuth error:

    https://graph.facebook.com/oauth/access_token?client_id=MYAPPID&redirect_uri=http://localhost:8181/&client_secret=MYAPPSECRET&code=BIGLONGCODESTRING

    If I use this, with the type=client_cred, I get only two strings delimited by a pipe.

    https://graph.facebook.com/oauth/access_token?type=client_cred&client_id=MYAPPID&redirect_uri=http://localhost:8181/&client_secret=MYAPPSECRET&code=BIGLONGCODESTRING

    What am I missing, and where can I find complete docs that explain every querystring variable?

    Thanks

    Thomas Derenthal

    16 March, 2011 at 06:47
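For jason's question in comment 31 (getting the token out of the redirect URL without ad-hoc split() calls) and the two-part token Thomas sees in comment 37: an added example, not code from the original post or from Facebook. It assumes the shapes this post shows, a user_agent redirect of the form https://<redirect_uri>/#access_token=appid|session|signature and a client_cred token with only two pipe-separated pieces; the token value, the expires_in parameter and the error parameter name are constructed/assumed, not taken from the post.

```javascript
// Added example (not from the original post). SAMPLE_TOKEN is constructed to
// mimic the appid|session|signature shape shown in the post; it is not real.
const SAMPLE_TOKEN =
  '116122545078207|2.EXAMPLE_SESSION.3600.1272535200-500880518|EXAMPLE_SIG';
const SAMPLE_REDIRECT =
  'https://benbiddington.wordpress.com/#access_token=' + SAMPLE_TOKEN +
  '&expires_in=3600';

// Extract access_token (and expires_in, if present) from the redirect URL.
// The fragment never reaches the server, so in the user_agent flow this must
// run client-side. Treat the returned token as a secret: do not log it or
// append it to URLs that end up in server logs or browser history.
function parseAccessTokenFromRedirect(redirectUrl) {
  const url = new URL(redirectUrl);
  const fragment = url.hash.replace(/^#/, ''); // URL.hash keeps the leading '#'
  // Fall back to the query string: that is where the web_server flow delivers
  // its 'code', and where an 'error' parameter (assumed OAuth name, not shown
  // in the post) lands when the user declines.
  const params = new URLSearchParams(fragment || url.search);
  const token = params.get('access_token');
  if (!token) {
    return { ok: false, error: params.get('error') || 'no access_token in redirect' };
  }
  const expiresIn = params.get('expires_in'); // optional; seconds until expiry
  return {
    ok: true,
    accessToken: token,
    expiresIn: expiresIn === null ? null : Number(expiresIn),
  };
}

// Heuristic based only on the token shapes discussed on this page:
// user_agent flow -> appid|session|signature (3 parts, a user token),
// client_cred flow -> appid|signature (2 parts, an app-only token that
// cannot answer /me, which is what comment 37 runs into).
function tokenKind(token) {
  const parts = token.split('|');
  if (parts.length === 3) return 'user';
  if (parts.length === 2) return 'app';
  return 'unknown';
}
```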

  38. I have read through all of this and I am still not finding an answer. I have tried every combination of client, web, user agent. Nothing works.

    I am new to FB development, and this seems to be the biggest, kludgiest mess I’ve ever run across.

    Anybody have any insight?

    Thomas Derenthal

    16 March, 2011 at 07:39

  39. Also, when I use type=web_server, I get a 400 BAD REQUEST.

    Thomas Derenthal

    16 March, 2011 at 10:51

  40. Thank you for this documentation, amazing and life saving!

    Adam

    4 July, 2011 at 12:10

  42. […] Facebook Graph API — getting access tokens « Ben BiddingtonApr 23, 2010 … What am I missing, and where can I find complete docs that explain every querystring variable? Thanks. Thomas Derenthal. 16 March, 2011 at … […]

  43. […] completely “borrowed” from https://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/ […]
