
I'm really stuck on understanding the steps needed to integrate a plugin I'm building for WordPress into Facebook such that it can post to either the target user's wall or their fan-page wall.

Specifically I'm stuck with understanding OAuth2 and how to implement it. I'm no stranger to REST-type APIs, but it seems some of it is done at the client authentication level and some at the server level for what I need.

Here's the scenario:

WP Admin downloads and installs the plugin, visits the configuration page inside wp-admin, creates a Facebook app to gain an App ID and App Secret, and pastes them into the relevant boxes in the config screen in the wp-admin page. Authentication and authorisation to post to a wall is needed here. A non-expiring token is needed so the server can perpetually do posts as part of its function without re-authenticating (unless the user manually breaks the link, of course).

This is where I get stuck in the authentication and authorisation part.

I have a visible, user-interactable page where the user clicks a button to link to Facebook.

Do I redirect the user here (taking them away from wp-admin) and then wait for them to return?

I understand that Facebook returns a 'code' which I then exchange for a 'token' - is that right?

From some digging about I've discovered I'll need to ask for offline_access.

Once I have the token I think I can understand the Graph API easily, as I'll just pass credentials to Facebook at each point I want to write a post.

I'll need to initially enumerate the pages the user is an admin of and allow the wp-admin to then select a specific page from the list - I guess that's also in Graph API as well.

Please can you help demystify the authentication/authorisation system; I'm totally new to OAuth2 and never touched the original OAuth either.

Theoretically, as I'm in a web client at the authorisation point, I could use the JavaScript SDK and use AJAX to update the back-end server maybe?

Thanks in advance. James

JamesB

1 Answer


Your basic understanding is correct. You need to direct the user away from your page and towards a Facebook Authorization URL that lets them grant access to your application so that it can post on their behalf. As part of that process you specify a Callback URL, to which the user will be returned once they have granted access to your application. The end result of the process is that an access token is returned to your application.

Here's a great resource that explains exactly what's involved in the various flavors of OAuth that are in use (note: Facebook supports OAuth 2.0):

https://github.com/Mashape/mashape-oauth/blob/master/FLOWS.md

If you're looking for help coding Facebook OAuth in PHP you should check out how Temboo simplifies the process - details at the link below:

https://www.temboo.com/library/Library/Facebook/OAuth/

(Full disclosure: I work at Temboo)

Cormac Driver

  • Thanks, that helped a lot. I've had a little time to re-read all the docs this afternoon, and when you confirmed I was on the right direction I was able to write a really simple test to authenticate, enumerate pages and write a post to a test page wall. What I'm concerned about is the expiring access token, with offline_access being deprecated now. My WordPress plugin won't be able to re-authenticate when the token expires - OR - do I re-request a new token each time it posts to the relevant page using the fb_exchange_token? As long as the app doesn't go dormant it won't be a problem? – JamesB Apr 16 '13 at 17:03
  • You'll need to have the user redo the OAuth process when the token expires. The best way to handle this is to immediately exchange your access token for a long-lived access token by making a request to https://graph.facebook.com/oauth/access_token?client_id={your_client_id}&client_secret={your_client_secret}&grant_type=fb_exchange_token&fb_exchange_token={existing_access_token} This will return a long-lived token that's valid for 60 days. When that expires, you'll need to reinitialize the oauth process. – Cormac Driver Apr 16 '13 at 18:27
  • That's what I read in the documentation; it just seems ludicrous that everyone's applications would effectively stop working every 60 days in this way. Now, I realise that if you redirect them through the login process, because they've already accepted the application it'll be silent, but I'm unsure how to do this in a server app, as the admin of the site (whose account is connected to Facebook) may not revisit the plugin admin page again. – JamesB Apr 17 '13 at 08:19
  • To clarify, the posts will go to the plugin user's wall, created by users of the plugin (effectively an authorised 3rd-party post to a wall). Thought: what if I write a silent token update handler? First-time auth is done in a real browser to ensure proper acceptance. At the point that a write is done, do a cURL GET of /dialog/oauth with redirect_uri= set to a silent callback page which actually does the post using any new access token given. The page ID won't change, so as long as I pass the new access token to //accounts I'll be able to make a post - does this sound right? – JamesB Apr 17 '13 at 09:10
  • That certainly sounds like it's worth a try James, but I can't say for sure as I don't have experience with following that exact approach. – Cormac Driver Apr 17 '13 at 12:41
  • I've given it a try and I can say it doesn't work; the logic is sound, but the server will make the request from another IP and not have adequate session info. A token-based API call is fine so long as you already have a token. I've spotted another question here and asked about the exchange system http://stackoverflow.com/questions/9329564/facebook-60-day-access-token-and-deprecated-offline-access - still quite confusing. – JamesB Apr 17 '13 at 15:58
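The server-side flow the question and answer describe (redirect to the Facebook authorization URL, receive a `code` at the callback, exchange it for a token) plus the `fb_exchange_token` swap for the 60-day token from the comments, as one added PHP example. This is not code from the question, the answer, Temboo, or any WordPress plugin. The two endpoint paths are the ones named in the thread; the permission names, the placeholder app credentials, the callback URL, the `expires`/`expires_in` response shapes and the storage layout are assumptions. It uses plain PHP only so it runs from the CLI without WordPress (in a plugin the stored array would go in an option and the state in a per-admin transient).

```php
<?php
// Added example, not code from the thread or any named project.
// Facebook OAuth 2.0 authorization-code flow, server side, for a WordPress-style plugin.
// Endpoint paths from the thread; credentials, scopes, callback URL are placeholders.

const FB_DIALOG_URL = 'https://www.facebook.com/dialog/oauth';
const FB_TOKEN_URL  = 'https://graph.facebook.com/oauth/access_token';

// Unguessable state, stored server-side before the redirect. Without it an attacker
// could complete the flow with their own Facebook account and have the plugin post
// with the attacker's token (login CSRF).
function fb_new_state(): string
{
    return bin2hex(random_bytes(16));
}

// URL the admin is sent to (leaving wp-admin) to grant access.
function fb_build_auth_url(string $appId, string $redirectUri, string $state, array $scopes): string
{
    return FB_DIALOG_URL . '?' . http_build_query([
        'client_id'     => $appId,
        'redirect_uri'  => $redirectUri, // must match the app's registered callback exactly
        'state'         => $state,
        'scope'         => implode(',', $scopes),
        'response_type' => 'code',
    ]);
}

// Facebook redirects back with ?code=...&state=... (or ?error=...).
// Only a code that arrives with the state we issued is exchanged.
function fb_verify_callback(array $query, ?string $expectedState): string
{
    if (isset($query['error'])) {
        throw new RuntimeException('Authorization refused: ' . $query['error']);
    }
    if ($expectedState === null || !isset($query['state'])
        || !hash_equals($expectedState, (string) $query['state'])) {
        throw new RuntimeException('state mismatch, refusing to exchange code');
    }
    if (empty($query['code'])) {
        throw new RuntimeException('callback carried no authorization code');
    }
    return (string) $query['code'];
}

// Code -> token. The app secret is used here, on the server, which is why this
// step cannot be moved into the JavaScript SDK in the browser.
function fb_code_exchange_url(string $appId, string $appSecret, string $redirectUri, string $code): string
{
    return FB_TOKEN_URL . '?' . http_build_query([
        'client_id' => $appId, 'redirect_uri' => $redirectUri,
        'client_secret' => $appSecret, 'code' => $code,
    ]);
}

// Short-lived token -> ~60-day token (the fb_exchange_token call from the comments).
function fb_long_lived_url(string $appId, string $appSecret, string $shortToken): string
{
    return FB_TOKEN_URL . '?' . http_build_query([
        'grant_type' => 'fb_exchange_token', 'client_id' => $appId,
        'client_secret' => $appSecret, 'fb_exchange_token' => $shortToken,
    ]);
}

function fb_http_get(string $url): string
{
    $ctx  = stream_context_create(['http' => ['method' => 'GET', 'timeout' => 10, 'ignore_errors' => true]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('HTTP request to Graph API failed');
    }
    return $body;
}

// The token endpoint has answered either as form-encoded text (access_token=...&expires=...)
// or as JSON ({"access_token":...,"expires_in":...}); accept both, record an absolute expiry.
function fb_parse_token_response(string $body, int $now): array
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        parse_str($body, $data);
    }
    if (isset($data['error'])) {
        $msg = is_array($data['error']) ? ($data['error']['message'] ?? 'unknown') : $data['error'];
        throw new RuntimeException('Graph API error: ' . $msg);
    }
    if (empty($data['access_token'])) {
        throw new RuntimeException('no access_token in response');
    }
    $ttl = $data['expires_in'] ?? $data['expires'] ?? null;
    return ['access_token' => $data['access_token'], 'expires_at' => $ttl === null ? null : $now + (int) $ttl];
}

// The 60-day token cannot be renewed without the admin, so the plugin should detect
// the approaching expiry and show an admin notice instead of failing silently.
function fb_needs_reconnect(?array $stored, int $now, int $grace = 7 * 86400): bool
{
    if ($stored === null || empty($stored['access_token'])) {
        return true;
    }
    return $stored['expires_at'] !== null && $stored['expires_at'] - $now <= $grace;
}

if (PHP_SAPI === 'cli') { // offline walk-through with constructed values; no network call
    $appId = '123456789'; $secret = 'APP_SECRET_PLACEHOLDER';
    $redirect = 'https://example.com/wp-admin/admin.php?page=fb-link';   // assumed callback
    $state = fb_new_state();                                               // persist per admin
    echo fb_build_auth_url($appId, $redirect, $state, ['manage_pages', 'publish_stream']), "\n";
    $code = fb_verify_callback(['code' => 'constructed-code', 'state' => $state], $state);
    // live: $body = fb_http_get(fb_code_exchange_url($appId, $secret, $redirect, $code));
    $short = fb_parse_token_response('access_token=SHORT_TOKEN&expires=5184000', time());
    // live: $body = fb_http_get(fb_long_lived_url($appId, $secret, $short['access_token']));
    $long = fb_parse_token_response('{"access_token":"LONG_TOKEN","expires_in":5184000}', time());
    var_dump(fb_needs_reconnect($long, time()), fb_needs_reconnect($long, time() + 55 * 86400));
}
```

Run with `php example.php`: it prints the dialog URL, walks a simulated callback through the state check, parses one response of each shape, and the final `var_dump` shows the fresh 60-day token as not needing reconnection while the same token 55 days later falls inside the seven-day grace window. The two `// live:` lines mark where the real Graph requests go; everything else is pure and can be unit-tested. The permission names in the scope list are the ones in use when the thread was written and should be checked against current Facebook documentation.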