6

According to Facebook - Authentication within a Canvas Page Document, they say that we will be getting a signed_request which consists a JSON object. Now they say that signed_request can be get through $_POST['signed_request'] I agree its working for me.

Now according to them if the user is logged in i will be getting a JSON object value like this:-

{
  "expires":UNIXTIME_WHEN_ACCESS_TOKEN_EXPIRES,
  "algorithm":"HMAC-SHA256",
  "issued_at":UNIXTIME_WHEN_REQUEST_WAS_ISSUED,
  "oauth_token":"USER_ACCESS_TOKEN",
  "user_id":"USER_ID",
  "user":{
    "country":"ISO_COUNTRY_CODE",
    "locale":"ISO_LOCALE_CODE",
    ...
  }
}

Now i want to fetch the user_id out of this so i am using this piece of code but its not working:-

if(isset($_POST['signed_request']))
{
    echo 'YES';
    $json = $_POST['signed_request'];
    $obj = json_decode($json);
    print $obj->{'user_id'};    
}

It just print the YES. Why is it so?

I have read somewhere that without app authentication i will not be able to extract the user_id but according to the facebook, this is the 1st step and authenticating the application would be 4th. I am new to it, if somebody can please help me, it will be of great help. Thanks.

Django Anonymous
  • 2,987
  • 16
  • 58
  • 106
  • If you do a `print_r($_POST)`, what do you see? – Brad Aug 15 '12 at 16:35
  • What do you actually see when you try `print_r($_POST)`? – Brad Aug 15 '12 at 16:38
  • @Brad when i `print_r($_POST['signed_request']);` i get exactly this value `cnMQQpKShmtfcXXEAjNrazO7AZxAqCuZ0aIA-k1L-P8.qgytuisdhrl0aG0iOiJITUFDLVNIQTI1NiI‌​sImV4cGlyZXMiOjEzNDUwNTM2MDAsImlzc3VlZF9hdCI6MTM0NTA0ODYwOCpoemi1dGhfdG9rZW4iOiJB‌​QUFFOGZCWW1sN2NCQUJHVWZIb1VZUGdMcngwdjBURFlSdVFiNHNQR2pSMDRUNnZKZHkzWkFYU2RBYWNiV‌​nFtMHJRZTFKZ2lrWkFRWkFJR2RPb0JuQ0JiVGxLOGpuUXlCSVpDWkJsWHdzWG5XbHg5VVZEV1dkIiwicG‌​FnZSI6eyJpZCI6IjI2OTY3MDc5NjQ4MDcxOCIsImxpa2VkIjpmYWxzZSwiYWRtaW4iOmZhbHNlfSwidXN‌​lciI6eyJjb3VudHJ5IjoiaW4iLCJsb2NhbGUiOiJlbl9JTiIsImFnZSI6eyJtaW4iOjIxfX0sInVzZXJf‌​aWQiOiIxNTc2NDU1NjQ5In0` – Django Anonymous Aug 15 '12 at 16:39
  • try using `$signed_request = $facebook->getSignedRequest();` – Abhishek Aug 15 '12 at 16:52

3 Answers3

8

If you don't want to work with the FB SDK you can use this snippet of code to get the user_id and other variables (snippet from https://developers.facebook.com/docs/facebook-login/using-login-with-games/)

function parse_signed_request($signed_request) {
  list($encoded_sig, $payload) = explode('.', $signed_request, 2); 

  // decode the data
  $sig = base64_url_decode($encoded_sig);
  $data = json_decode(base64_url_decode($payload), true);

  // confirm the signature
  $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
  if ($sig !== $expected_sig) {
    error_log('Bad Signed JSON signature!');
    return null;
  }

  return $data;
}

function base64_url_decode($input) {
  return base64_decode(strtr($input, '-_', '+/'));
}
Art Geigel
  • 1,915
  • 3
  • 22
  • 24
  • This is super effective and easy to implement. Just be careful with the app secret in code. – Mike_K Jan 09 '20 at 19:48
  • This will work. It is recommended for implementing new "request for data deletion" too, but it is hard to achive in C# as facebook base64 encoding is not standard. – Marko Prcać Jul 09 '21 at 11:48
4

Old post I know but wanted to add a reply to Art Geigel's answer (I can't comment directly on it).

Your code snippet is missing the line,

   $secret = "appsecret"; // Use your app secret here

and the complete snippet,

function parse_signed_request($signed_request) {
   list($encoded_sig, $payload) = explode('.', $signed_request, 2); 

   $secret = "appsecret"; // Use your app secret here

   // decode the data
   $sig = base64_url_decode($encoded_sig);
   $data = json_decode(base64_url_decode($payload), true);

   // confirm the signature
   $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
   if ($sig !== $expected_sig) {
      error_log('Bad Signed JSON signature!');
      return null;
   }

   return $data;
}

function base64_url_decode($input) {
   return base64_decode(strtr($input, '-_', '+/'));
}

To answer the original question

To get data from the signed_request, include the functions above and...

$data = parse_signed_request($_POST['signed_request']);

echo '<pre>';
print_r($data);
Steve
  • 1,853
  • 16
  • 30
2

I think it failed at json_decode($json) because $json is not a valid json string, as you've mentioned in comment about print_r($_POST['signed_request']);.

According to Facebook - Authentication within a Canvas Page Document, the signed_request parameter is encoded and, parsing the signed_request string will yield a JSON object.

if you're using the PHP SDK, just as Abhishek said in the comment, $facebook->getSignedRequest(); will give you the decoded json.

look here for more details on the Signed Request

Chris
  • 1,094
  • 1
  • 11
  • 26