I'd like to get an access token without user login.
Standard way is that the user logs in and gets an access token.
But I need the access token to view events of an official page. When I try without access token, the Graph API gives me the following error:
{
"error": {
"message": "An access token is required to request this resource.",
"type": "OAuthException",
"code": 104
}
}
So my question: Is there any way to get an access token without explicitly logging in or is there maybe another way to get event information without access token?
Thanks so far :)
You can get the never-expiring-access-token for your page and use that with your call. (without explicitly logging, since you are the admin of the page). Follow the 2 steps: get the extended user (admin) token and then the never expiring page token
Extending the user's access token
You can exchange the user's access token with the long-lived access token (2-months) validity. Go though the link to get the long-lived token.
Extending tokens
Extending the page's access token
Make the following call using the long-lived user's access token and permission: manage_pages you obtained in the above step-
$facebook->api("/PAGE_ID?fields=access_token");
You'll get the never-expiring-page-token with this.
(You can use Facebook's Debug Tool to check the validity of the token)
Have a look at this site this websites talks all about Acess Tokens
Related
I am using retrofit 2.0 to build a Bitbucket REST client on Android.
As far as I'm concerned, OAUTH2.0 provides "Implicit grant" which gives the client the access Bearer token immediately when the user logins to their account when are prompted to.
Bearer tokens are tokens that can be used to access protected resource. Anyone who has a bearer token has the permission to access the protected resource as anyone else who also has the bearer token. (according to this doc from IETF)
Please correct me if I'm wrong, but I thought using implicit grant, after user logins in their Bitbucket account, I will have the Bearer access token. After that, I can use this access token to access protected resource on Bitbucket (like create a new repository).
So I have built my android using the OAUTH2.0 Implicit grant as described in the Bitbucket doc. Note that they described the response will have #access_token={token}&token_type=bearer
And this is what I actually received from Bitbucket after logging in:
your://redirecturi#access_token=lEuvneW39onVrnNR-jvZfirI43fwi5Wdc0YaaMROBk5YKJsd2ulXm20vJDdOBjf8I-Ne2r2vC8-_FHECSLw%3D&scopes=pipeline%3Awrite+webhook+snippet%3Awrite+wiki+issue%3Awrite+pullrequest%3Awrite+repository%3Adelete+repository%3Aadmin+project%3Awrite+team%3Awrite+account&expires_in=3600&token_type=bearer
My first question:
What exactly is the Bearer access token from the above response?
Is the part lEuvneW39onVrnNR-jvZfirI43fwi5Wdc0YaaMROBk5YKJsd2ulXm20vJDdOBjf8I-Ne2r2vC8-_FHECSLw the Bearer access token? Do I have to include the "%3D" (which is the char "=" encoded in ASCII)? Doesn't the Bitbucket doc mean that everything exceptfor the last "&token_type=bear" is the Bear access token?
That's not all. Bitbucket doc's instruction to make request as follow:
Send it in a request header: Authorization: Bearer {access_token}
So I set this request up to create a new repository in accordance with the API of Bitbucket:
#POST("repositories/{username}/{repo_slug}")
Call<Repository> createRepository(
#Header("Authorization") String auth,
#Path("username") String userName,
#Path("repo_slug") String repoSlug);
But everytime, I got the respones with status code 401 and message error:
Access token expired. Use your refresh token to obtain a new access token.
When I tried to POST the same request using DHC by Restlet (a chrome extention like Postman), a pop up appears and requires me to login to Bitbucket. If I refuse to do so, I got the same error 401 response. If I do login, then it works.
My second question: Why do I have to provide my credentials again?
I think there's something wrong here. I thought with the Bearer access token, I should be able to access the protected resource without having to log in before the access token's expire time has been reached. Why do I have to enter my credentials the second time? This is not what is described in the "Implicit grant" approach here by IETF.
The value of the access_token starts after access_token= and ends before the next parameter scopes so before &scopes=. The formatting of the fragment part is specified in https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2 which in its turn points to https://www.w3.org/TR/1999/REC-html401-19991224/interact/forms.html#h-17.13.4.1 which says:
[...] The name is separated from the value by = and name/value pairs
are separated from each other by & [...]
So your access token value by spec is lEuvneW39onVrnNR-jvZfirI43fwi5Wdc0YaaMROBk5YKJsd2ulXm20vJDdOBjf8I-Ne2r2vC8-_FHECSLw%3D but I agree that the ending %3D is suspicious and may be an error on the sender's part.
If your access token is expired (which is what it seems to be) you need to get a new one using the Implicit grant again, or using the Refresh token grant.
I am trying to implement Google Sign in OAuth 2.0, but I have inquiry why the token returned from the method getIdToken() is very too long such as the following:
eyJhbGciOiJSUzI1NiIsImtpZCI6ImQ1ZWViYzRjOWY5NGVkMzVhYWE5YTdiZTUyYzM0YTNmZDUwZGQ4ODkifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhdWQiOiI1NTc5ODE0OTE1NDItc3RkcGEwY3JmOWNvMXBvNW1pZW9pczEyZG1wcnJzcDQuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDM2MjY1NDEwNDQxOTYxNTY5NjEiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXpwIjoiNTU3OTgxNDkxNTQyLWoxdW5zZThhbmNtY2E2NzVnaW1hbWwzaDRpYzFwMnI2LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJtYWhtb3VkLmlicmFoaW0wMTZAZ21haWwuY29tIiwiaWF0IjoxNDY1MTQxNTMwLCJleHAiOjE0NjUxNDUxMzAsIm5hbWUiOiJNYWhtb3VkIElicmFoaW0iLCJwaWN0dXJlIjoiaHR0cHM6Ly9saDQuZ29vZ2xldXNlcmNvbnRlbnQuY29tLy1PTGZKM1JKazFjYy9BQUFBQUFBQUFBSS9BQUFBQUFBQUFCNC83anpkeTZnVkdwUS9zOTYtYy9waG90by5qcGciLCJnaXZlbl9uYW1lIjoiTWFobW91ZCIsImZhbWlseV9uYW1lIjoiSWJyYWhpbSIsImxvY2FsZSI6ImVuIn0.FCsDYU7S8TEKrbm6VxBVXaJlLzrzPuXTP_z14RMIzMZohWNOpHwLYFQivkzy1mC6KJ67qECv0MI5Ap14R2vkxr7XtU9dyZH6oWBvDOgW6KYyBazEi5214Rp-uUeFXDEDFIY_mSOaS0mjlU8N9UxZfr4zIRY6R1p2JI4l1RWOb_rid8bT4gNpA6LFeop9BtmaOeSSuOfmLheqw5Uz3Ws2WCGdu857-rTZc3W5ywfbckvkZN72CRgrKUAeRbcHuGndX83NRpBFdHChXr4FIVT3tWWjiMRsCxLTvDNxXClV269IP9tXELhqNBACdPEX60hRX-DgXPSGl9SQ85IY090nuQ
Google Signin produces a compact serialized JSON Web Token (JWT, https://www.rfc-editor.org/rfc/rfc7519) to represent the authenticated user. That token is self-contained and contains information about the user in a verifiable way. You can verify that your token is a valid JWT at: http://jwt.io So yes, it is a valid token and it gets very large as more information is embedded in it.
Situation
I have simple android app where user gets data from Google Fusion Tables with REST api. For this I was using OAuth 2 authorization to get Access Token and Refresh Token. I have web view in my app which will show login screen as well as consent screen. I was planning to get access token from web view and use it for further API calls. I am using retrofit to execute my http calls. I use following query parameters,
"client_id" = CLIENTID
"client_secret" = SECRET
"code" = 4/XXXXXXXXXX //Code got from redirect url
"grant_type" = "authorization_code"
"access_type" = "offline"
"approval_prompt" = "force"
"redirect_uri" = REDIRECT_URL
So far so good. But when I exceute post request with above query parameters, I get following response,
{
"access_token": "ya29.XXXXXXXXXXXXXX",
"token_type": "Bearer",
"expires_in": 3599,
"id_token": "XXXXXXXXXX"
}
Question
Where is refresh token? I need refresh token because I couldn't do API call through app later on with access token and I don't want user to get access token every time.
What I have tried
I have already followed instructions from this post and have tried revoking permission to application from settings. I have also tried using different google accounts in case there was some permission issue, but still no luck. I have also tried removing query parameter "approval_prompt" and "grant_type" but that also didn't help.
I got answer after searching and banging head for 5-6 hours. This answer saved me! Answer to people looking for this in future,
Add "access_type" = "offline" query while requesting for access token rather than exchanging, i.e. in URL which asks for consent.
Instead of specifying grant_type=offline in the authorization request, you need to provide access_type=offline to request a refresh token.
There is somthing that i can't understood. I'm trying to writte a simple app in android to post twitt's into my account. I registered my app in dev.twitter. There i got an api(consumer) key/secret, and access token/access secret pairs. BUT, as in the example, i must use setOauthConsumer(cons key, cons secret) then, after that in the app I must use get getOAuthAccessToken to get oauth access token. But i'm alredy have this(!), so i can use acces token and secret directly, or what?
p. s. i know twitter4j.org examples, and i can use other resources, but i cant find the answer, so i'm posting here
i must use setOauthConsumer(cons key, cons secret) then, after that in
the app I must use get getOAuthAccessToken to get oauth access token.
But i'm alredy have this(!), so i can use acces token and secret
directly, or what?
We need the following 4 values for every request to twitter API:
Consumer key
Consumer Secret
Access Token
Access Token Secret
You already have the following values:
Consumer key
Consumer Secret
Access Token & Access Token Secret are fetched in following two ways:
Case 1: Configuration required for app-only auth, to fetch the twitter feeds even
without Logging in to twitter account.
As you have not logged in, the twitter4j gives the OAuth2Token (access token and token secret) using getOAuth2Token();
Then you use these values in your configuration of Twitter instance. No need to store these values. You can get them using getOAuth2Token() for every request.
Case 2: When you login using your credentials.
In this case, the request is sent to Twitter API to get access token and access token secret (values are generated at the time of registering your application on Twitter).
Once you get these values, store it in SharedPrefernces and use them in subsequent requests. No need to request them again and again.
I hope this helps you.
Is it possible to authenticate the user on server side using auth token retrieved by Android applicaton from Facebook?
In other words Android application uses SSO and obtain auth token. Then sends this token to backend application deployed on Google App Engine. Then backend application verifies the user against Facebook using the token.
I guess it's not feasible because retrieved token can be used only by Android application, but who knows? Maybe it may be reused somehow?
The Token you get from Android API can be sent to your server, who can check the validity of the token by querying the graph ( using /me?auth_token=.... for example).
The problem is that the same token can be used by any third party - it's not client specific - and so if you base server identification based on that, you have a problem (since a third app could use its user token and get authenticated by you). I am trying to find a way to solve this issue, but I don't have good ideas yet...
Facebook actually has an Android SDK that lets you do this. Information can be found here.
Yes you can. A valid access token is a valid access token. The Graph API does from where the token came, but only that the token has the appropriate permissions to access that portion of the graph api. Keep in mind, though, that the token is only valid for 24 hours from the time of its issuance. (is that really a word?) From the time it is issued?
When using facebook android sdk with SingleSignOn (SSO), the access token format actually changed.
Instead of getting traditional auth token which contains userid & session key as a part of authToken
now we get a different format of authToken
As Facebook Devs are still in process to support there rest apis with newly formated access token
meanwhile we can disable the SSO on android facebook sdk by changing DEFAULT_AUTH_ACTIVITY_CODE to -1 from 32665 (in Facebook.java)
This will invoke Traditional dialouge for granting acess token and in return you'll get access token which will contain session key in it.
Those who are looking for generating secure session key you need to add your own method in Facebook.java like
public String getSessionSecret(String accessToken) throws MalformedURLException, IOException
{
Bundle b = new Bundle();
b.putString("method", "auth.promoteSession");
b.putString("access_token", accessToken);
b.putString("session_key_only", "true");
String response = request(b);
return response;
}