26

I'm trying to retrieve data using the new graph API, however the token I'm retrieving from OAuth doesn't appear to be working.

The call I'm making is as follows;

$token = file_get_contents('https://graph.facebook.com/oauth/access_token?type=client_cred&client_id=<app_id>&client_secret=<app secret>');

This returns a token with a string length of 41. To give you an example of what is returned, I have provided below a sample (converted all numbers to 0, all capital letters to 'A' and small case letters to 'a'):

access_token=000000000000|AaaAaaAaaAAaAaaaaAaaAa0aaAA.

I take this access token and attach it to the call request for data, it doesn't appear to be the correct token as it returns nothing. I make the data call as follows;

file_get_contents("https://graph.facebook.com/<my_page's_id>/statuses?access_token=000000000000|AaaAaaAaaAAaAaaaaAaaAa0aaAA.");

When I manually retrieve this page directly through the browser I get a 500/Internal Server Error message.

Any assistance would be greatly appreciated.


Update:

I've since changed the method from file_get_contents() to curl. By retrieving the headers I get the following error message ...

{"error":{"type":"OAuthException","message":"Missing client_id"}}

but my post array includes 'client_id'?!

Michael Mrozek
Simon R

11 Answers

24

Don't use type=client_cred, this is not the access token that a user grants for your app to use. You don't need redirect_uri or code or any approval to get the client_cred type access token.

Facebook implements an early draft of OAuth 2 at this time, so there is no support for "state" yet.

But it is nice that you can suffix your state to the redirect_uri. The important point to note here is that the site URL that you specified (which is the redirect_uri) should not have a question mark at the end or anywhere in what you suffix as client state, encoded or not. If you did, you will get the dreaded "Error validating verification code".

Don't use it like this:

http://www.Redirect.com?

The correct URL is http://www.Redirect.com/

Hope it helps.

PrateekSaluja
16

This works for me :-)

header('Location: https://graph.facebook.com/oauth/access_token?' . http_build_query(array(
    'client_id'     => FB_APP_ID,
    'type'          => 'client_cred',
    'client_secret' => FB_SECRET,
    'code'          => $code)));

Of course you would use file_get_contents instead and parse the token out of the response

typeoneerror
phpslacker
  • 1
    +1 the type=client_cred worked for me. The page does not redirect to my redirect_uri though. – Richard May 26 '10 at 21:35
  • type=client_cred seems to issue you a token without a user session (as described in "Authenticating as an Application"). It essentially behaves as if you never passed the code at all. A token without a user session mostly works, but some APIs that need to know who the current user is don't work, most notably: http://graph.facebook.com/me. I've been completely unable to get a token with a user session following the instructions here or at facebook. Kind of frustrating. – Brian Duff Oct 03 '10 at 05:59
  • 3
    Turns out that facebook's oauth implementation has some quirky bugs related to the content of the redirect_uri parameter. If your redirect uri contains certain chars (e.g. a correctly url encoded colon), it will choke. – Brian Duff Oct 03 '10 at 14:55
  • Confirming Brian's comment -- if I have any querystring parameters on my redirect_uri, Facebook chokes when I go to get the token; without the parameters it works fine. I am correctly urlencoding before setting the redirect_uri parameter. It's possible Facebook is urldecoding the whole thing more than once, so the parameters on the redirect_uri appear to be part of the main querystring. – David Pope Dec 06 '10 at 16:29
8

I ran into the exact same problem, but it turned out the issue is not the encoding of the redirect_uri parameter, or that I had a trailing slash or question mark; it's simply that I passed in two different redirect URLs (I had not read the specification at that time).

The redirect_uri is only used as a redirect once (the first time), to redirect back to the relying party with the "code" token. The second time, the redirect_uri is passed back to the auth server, but this time it's not used as you'd expect (to redirect); rather, it's used by the authentication server to verify the code. The server responds with the access_token.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-05#section-3.5.2

You'll notice the Facebook documentation (which is terrible) says "Exchange it for an access token by fetching https://graph.facebook.com/oauth/access_token."

In summary, I didn't have to encode or do anything special to the URI, just pass in the same redirect_uri twice, and fetch the second page to get the access_token inside.

Community
Francis Shanahan
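The redirect_uri check described in the answer above, modeled as a toy authorization server in PHP. This is an added example, not code from any of the posts and not Facebook's implementation; the class, constants and values are constructed, and client_secret verification is left out to keep the focus on the redirect_uri binding.

```php
<?php
// Toy authorization server, constructed for this example (not Facebook's code).
final class ToyAuthServer
{
    private array $codes = [];   // code => [client_id, redirect_uri]
    // Step 1: the code is bound to the exact redirect_uri it is sent to.
    public function issueCode(string $clientId, string $redirectUri): string
    {
        $code = bin2hex(random_bytes(16));
        $this->codes[$code] = [$clientId, $redirectUri];
        return $code;
    }

    // Step 2: redirect_uri is not followed, only compared with the bound value.
    public function exchange(array $params): array
    {
        foreach (['client_id', 'redirect_uri', 'code'] as $name) {
            if (!isset($params[$name]) || !is_string($params[$name])) {
                return ['error' => "Missing $name"];
            }
        }
        $bound = $this->codes[$params['code']] ?? null;
        unset($this->codes[$params['code']]);   // a code is single use
        if ($bound === null
            || !hash_equals($bound[0], $params['client_id'])
            || !hash_equals($bound[1], $params['redirect_uri'])) {
            return ['error' => 'Error validating verification code.'];
        }
        return ['access_token' => bin2hex(random_bytes(20))];
    }
}

const APP_ID       = '000000000000';                        // constructed
const REDIRECT_URI = 'http://www.example.com/fb/connect/';  // defined once

$server = new ToyAuthServer();
// Client reuses the same constant; http_build_query() does the URL encoding.
$query = http_build_query([
    'client_id'    => APP_ID,
    'redirect_uri' => REDIRECT_URI,
    'code'         => $server->issueCode(APP_ID, REDIRECT_URI),
]);
parse_str($query, $received);   // what the server sees after decoding
var_dump($server->exchange($received));

// Same request with the trailing slash dropped: a different string, so it fails.
$code = $server->issueCode(APP_ID, REDIRECT_URI);
var_dump($server->exchange(['client_id' => APP_ID, 'code' => $code,
    'redirect_uri' => rtrim(REDIRECT_URI, '/')]));
```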
6

You can request an access token via terminal (OSX Users) using curl:

curl -F type=client_cred -F client_id=xxxxxxxxxxxxxxx -F client_secret=c0f88xxxxxxxxxxxxxxxxxx1b949d1b8 https://graph.facebook.com/oauth/access_token

Once you have your access token you can then use it in future curl requests to make changes via the new graph API:

Post a message to a profile id:

curl -F 'access_token=xxxxxxxxxxxxx|mGVx50lxxxxxxxxxxxxhzC2w.' -F 'message=Hello Likers' -F 'id=1250000000000905' https://graph.facebook.com/feed
Michael Mrozek
Volcanic
  • won't the access token expire in a few days? – Jayapal Chandran Dec 20 '11 at 07:21
  • Hi Volcanic, I'm trying to use this technique to post to a feed for liked webpage, should that work, any ideas? http://stackoverflow.com/questions/10419371/how-to-programmatically-publish-to-a-facebook-feed-for-a-liked-webpage – waterlooalex May 02 '12 at 18:18
3

Please note that

'type' => 'client_cred',

is only a way to circumvent the below; having said that, the above also works.

After the user authorizes your application, we redirect the user back to the redirect URI you specified with a verification string in the argument code, which can be exchanged for an oauth access token. Exchange it for an access token by fetching https://graph.facebook.com/oauth/access_token. Pass the exact same redirect_uri as in the previous step:

via: http://developers.facebook.com/docs/api see also: http://forum.developers.facebook.net/viewtopic.php?pid=238371

kͩeͣmͮpͥ ͩ
Martin
2

Try to follow the API, i.e. without type but add redirect_uri and code (even though we don't need it):

$token = file_get_contents('https://graph.facebook.com/oauth/access_token?client_id=<app_id>&client_secret=<app secret>&redirect_uri=<url>&code=<code>');
Michael Mrozek
Mars Zhu
2

Maybe your problem is solved, but I have not yet found an accepted answer from you, and maybe this answer helps those who face a similar problem.

First we have to create our Application instance.

$facebook = new Facebook(array(
  'appId' => '149865361795547',
  'secret' => 'ee827a8df6202e1857b3fc28f3185a61',
  'cookie' => true,
)); 

Easy way to get the access_token:

$token = $facebook->getAccessToken();

Get the page status, as you ask in your question:

// api() expects its request parameters as an array
$response = $facebook->api($pageID . '/feed', 'GET', array('access_token' => $token));

Thanks.

Danish Iqbal
0

Make sure you have URL-encoded your query parameters; yours should actually be:

000000000000%7CAaaAaaAaaAAaAaaaaAaaAa0aaAA

Note: also the type parameter seems to be required; without it you also get a 500 error with the message:

{
   "error": {
   "type": "OAuthException",
   "message": "Error validating verification code."
   }
}

rather than the message you get with other missing parameters. Cannot see that mentioned in the documentation.

user242766
  • At what point is the type parameter required? It's included in the $token = file_get_contents(...) – Simon R Apr 23 '10 at 13:50
  • Oh, sorry that's a note to self -- you already have that in your access token part – user242766 Apr 23 '10 at 20:59
  • 1
    Hi, I get the following error: { "error": { "type": "OAuthException", "message": "Missing redirect_uri parameter." } } What could be the problem with the redirect URL? I hope everything I gave is correct. – shasi kanth Dec 28 '10 at 06:28
0

You can also get this error if your connect URL isn't a base of your redirect URI. For example

Connect URL: http://www.example.com/fb/connect/

Redirect URI: http://www.example.com/fb/connect/redirect

I ran into an issue where my redirect URI was the same as the connect URL, but I forgot the trailing / on the redirect URI so FB saw them as different and failed the auth.

Jeremy Raymond
0

Sorry for posting on an old question. Due to recent changes in fb access, I have this code working and thought I would post it for anyone else requiring help. This method works great with jQuery ajax and eliminates the redirect_uri given in the example from Facebook.

$ch = curl_init("https://graph.facebook.com/oauth/access_token?client_id=INSERT_YOUR_APP_ID_HERE&client_secret=INSERT_YOUR_APP_SECRET_HERE&grant_type=client_credentials");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_NOSIGNAL, 1);
curl_setopt($ch, CURLOPT_TIMEOUT_MS, 30000);
$data = curl_exec($ch);
$curl_errno = curl_errno($ch);
$curl_error = curl_error($ch);
curl_close($ch);

if ($curl_errno > 0) 
{
        echo "cURL Error ($curl_errno): $curl_error\n";
} 
else 
{
    echo $data;
}

Outputs a publicly available access_token for showing to non-Facebook users, i.e. a Facebook page feed wall via the graph API for websites. access_token=191648007534048|eVilnMh585rlQLZLvBAmqM6s-1g

Damien Keitel
-6

You need to enter actual values instead of the < app_id > and a secret value. The code is a unique value that you need to generate, and the redirect URL that you provide will then verify that the code is correct.