Ben Biddington

Whatever it is, it's not about "coding"

Posts Tagged ‘facebook

Whose leg do I have to hump to get a Facebook developers forum account?

with 4 comments

How does one go about registering for the Facebook developer forum?

Filling out the form

Produces “Could not open socket” error in Chrome and Firefox.

Facebook Connect

On the register screen there is a Facebook Connect option, but this does nothing in Chrome, and does not appear at all in Internet Explorer.

Firefox does produce the window, so I select yes or whatever but then I can still not sign in.

Then I ask for my password to be sent, only to be told there is no account for my address.

Okay, then I think perhaps I don’t need to sign in to access the forum. I sign in to facebook and revisit: still can’t do anything but read posts.

In other news

Interestingly I do have punBB listed on my Application settings screen.


Written by benbiddington

29 April, 2010 at 13:37

Posted in development

Tagged with , , , ,

Facebook Graph API — getting access tokens

with 73 comments

As described in the documentation it’s a fairly easy process — and it does not require any signatures.

For example, I have an application with an id 116122545078207, and I am using the URL of this blog ( to collect request tokens.

[update, 2010-04-29]

If ever there was a lesson to read specification and documentation carefully, this is it. Thanks to comments from Joshua Inkenbrandt, Alex and Gene Leybzon I realise why my examples don’t work as expected: I have been trying to use a mixture of web server and client_cred authentication flow.

As Gene rightly points out, I should have been using user_agent.

User-Agent Flow (with a web browser)

Following the instructions as specified in section, Client Requests Authorization, of the specification, this is a one-step process:

Open this in a browser:

Note: there are several options for scope. These are called extended permissions.

Note: unless you specify offline_access, your tokens will expire as soon as the user signs out of facebook.

Note: client_secret is not supplied:

[3.5.1.  User-Agent Flow] This user-agent flow does not utilize the client secret since the client executables reside on the end user’s computer or device which makes the client secret accessible and exploitable.

You’ll be redirected to:

And you have your access token, you can go ahead and use it:

According to section 3.5.1. Client Requests Authorization, because we have not supplied the optional secret_type:

    OPTIONAL. The access token secret type as described by Section 5.3.
    If omitted, the authorization server will issue a bearer token
    (an access token without a matching secret) as described by Section 5.2.

we have been issued a bearer token.

I think this refers to OAuth 1.0-style authentication using token secret. You’d only need one of those if you were requiring signed requests. This seems to contradict the part above about storing client secret on user agent.

Refreshing tokens

Section 3.5.1 describes that the access token may be delivered with an optional refresh_token fragment. On expiry, this token can be exchanged at the for a new access token. No refresh token is supplied by the Facebook API under User-Agent flow, meaning you’ll have to ask users to sign in again.

Using access tokens

Tokens with no session part

In some cases, like when using 3.7.1.  Client Credentials Flow, you’re issued a token with a missing session part.

Instead of this:


you get this:


These do work in some cases, but are rejected by some resources, for example:|EyWJJYqrdgQgV1bfueck320z7MM.

returns  error:

   "error": {
      "type": "QueryParseException",
      "message": "An active access token must be used to query information about the current user."

this is the same error you get when you request the same resource without supplying a token at all:

Note that these tokens do work against real resource identifer, i.e., without the me alias. For example, here I can use it against me (benbiddington).|EyWJJYqrdgQgV1bfueck320z7MM.

So the me alias only works in the case where we have a full token — the session part is required.

These tokens also work for accessing your insights (see analytics section):|EyWJJYqrdgQgV1bfueck320z7MM.

This is described in section 3.7.  Autonomous Client Flows:

Autonomous client flows are used to grant client access to protected resources controlled by the client (i.e. the client is the resource owner). For example, these flows are useful when a service provides both client-specific resources in addition to end user resources.

And more specifially, the Client Credentials Flow is described  in section 3.7.1:

The client credentials flow is used when the client acts autonomously without acting on behalf of a separate resource owner. The client secret is assumed to be high-entropy since it is not designed to be memorize by an end user.

Where a client is:

An HTTP client capable of making authenticated requests for protected resources using the OAuth protocol. [This is third-party application that wants to access a resource owner’s Facebook account.]

And a resource owner:

An entity capable of granting access to a protected resource. [This is the user who owns the Facebook account.]

[TBD: So what?]

Tokens, sessions and that

You can see more information about authentication flow by using a bogus redirect_uri, i.e., one that does not match the Connect URL setting in your application, e.g.:

Executing this gives error:

   "error": {
      "type": "OAuthException",
      "message": "Invalid redirect_uri: The Facebook Connect cross-domain
          receiver URL (http://localhost) must have the application's
          Connect URL ( as a prefix.
          You can configure the Connect URL in the Application Settings Editor."

But there is some information in the query string, that when decoded looks like this:

That session_key:


looks familiar, it’s the same as the code parameter used in web server authentication flow (Section 3.5.2), and it’s the same pattern as the second segment of an access token.


Where are my extended permissions?

It appears there is some problem with authorizing extended permissions.

For example, when I use the link in step (1) up there, I am prompted with the following screen:

That looks like the set I asked for, and so I select Allow.

But when I then inspect the extended permissions in my Application settings, all I see is this:

For some reason the only extra permission I have is email. And actually, did I even ask for Publish recent activity?

What is wrong here?


I can’t see my application in my Application settings screen

Make sure to choose Authorised from the show list on the Application settings screen.

The default view is Recently used which — certainly in my case — does not produce my application.

How do I know what permissions my application has?

Once you find the application in your Application settings list, press Edit settings and then select the Additional Permissions tab on the resultant dialog.

How do I de-authorise an application?

From your Application settings list, press the “x” button the right end of the row next to Application Profile link.

My access tokens only seem valid while a user is signed-in to facebook

You need to request offline_access permissions, e,g,:

otherwise your access tokens will expire as soon as the user signs out and you’ll get (at least with client):

    "error": {
        "type": "OAuthException",
        "message": "Error processing access token."


Written by benbiddington

23 April, 2010 at 13:37

Posted in development

Tagged with , , , ,