22

I can't make API requests with the Android Facebook SDK, or even get the user from the login callback - it always returns null.

Particularly, with the newMeRequest, I get the following error message:

{
  "error": {
    "message": "API calls from the server require an appsecret_proof argument",
    "type": "GraphMethodException",
    "code": 100
  }
}

Actually, it seems pretty obvious, because the flag is set to true in the Facebook app options. However, I know it is possible, for the mobile SDKs, to make API requests without the secret. However, if I try to use the access token from the currentSession in the Facebook Graph API Debugger, the response will be the same as above.

I don't know if this is related to the new Android Facebook SDK, but my code is basically the same as in the examples. The login goes nicely and I get the session token but I can't make any API requests...

loginButton.setUserInfoChangedCallback(new LoginButton.UserInfoChangedCallback() {
    @Override
    public void onUserInfoFetched(GraphUser user) {
        graphUser = user;
    }
});


Request.newMeRequest(currentSession, new Request.GraphUserCallback() {
    @Override
    public void onCompleted(GraphUser user, Response response) {
        // Callback body left empty in the original post.
    }
}).executeAsync();
brett rogers
dwbrito

4 Answers

39

The only way I was able to get it working was by setting "App Secret proof for API calls" to No in the advanced settings of the Facebook app.

However, this is a fix, not a solution, since I wasn't able to make the request with the option set to Yes (as is possible in the iOS Facebook SDK).

dwbrito
  • 1
    Is this safe? What are the security risks that come from disabling that opt? – user2804865 Dec 06 '17 at 14:57
  • @dwbrito This option is disabled by default. I think this option "enhanced" the security. This doesn't mean your FB app is "unsafe" if you turn this option off. – Will Huang Jul 04 '22 at 16:56
17

You need to add a parameter "appsecret_proof" to your request containing a 'sha256' hash of accessToken and appSecret.

https://developers.facebook.com/docs/graph-api/securing-requests

lnx
  • Strangely it looks like this is the url now https://developers.facebook.com/docs/graph-api/securing-requests%20/ I only say strangely, because not many urls have a %20 in them (other than that it's the same as your url)... – John Jul 13 '22 at 14:29
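
The computation this answer refers to, as an added example (not code from the post or from Facebook's SDK): Facebook's securing-requests documentation defines `appsecret_proof` as the HMAC-SHA256 of the access token keyed with the app secret, hex encoded, which is not the same as a plain SHA-256 over the two strings. It is written in Python on the assumption that it runs on your own server, since the app secret must not ship inside the Android app; the function names and the placeholder token and secret are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

GRAPH_ME_URL = "https://graph.facebook.com/me"


def appsecret_proof(access_token: str, app_secret: str) -> str:
    """HMAC-SHA256 of the access token, keyed with the app secret, as lowercase hex."""
    return hmac.new(app_secret.encode("utf-8"),
                    access_token.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def naive_digest(access_token: str, app_secret: str) -> str:
    """Plain SHA-256 over the concatenation: not a valid proof, shown for contrast."""
    return hashlib.sha256((access_token + app_secret).encode("utf-8")).hexdigest()


def signed_me_url(access_token: str, app_secret: str) -> str:
    """Build the /me request URL with access_token and appsecret_proof attached."""
    query = urlencode({
        "access_token": access_token,
        "appsecret_proof": appsecret_proof(access_token, app_secret),
    })
    return f"{GRAPH_ME_URL}?{query}"


def proof_matches(access_token: str, app_secret: str, candidate: str) -> bool:
    """Constant-time check of a candidate proof against the expected one."""
    return hmac.compare_digest(appsecret_proof(access_token, app_secret), candidate)


if __name__ == "__main__":
    token = "EXAMPLE_ACCESS_TOKEN"  # constructed placeholder, not a real token
    secret = "EXAMPLE_APP_SECRET"   # constructed placeholder; load from server-side config
    print(signed_me_url(token, secret))
    print("naive digest equals proof:",
          naive_digest(token, secret) == appsecret_proof(token, secret))
```

In this arrangement the mobile client sends its access token to the backend, and the backend attaches the proof and makes the Graph API call.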
8

You need to disable Require App Secret in the Facebook app's advanced settings.

Donal
1

While not an actual answer to your question (since it doesn't involve the Android SDK), it seems that, as of March 2018, there are still some issues regarding the appsecret_proof and calls from web page (JavaScript) and possibly mobile (not sure about that) clients.

Facebook bug report (February 2018) - issue reappeared

Facebook bug report (October 2016)

Facebook bug report (February 2015)

That is, for an application with Require App Secret enabled (App Dashboard > Settings > Advanced > Security > Require App Secret), it seems that one cannot perform API calls from JavaScript without passing the appsecret_proof - at the moment of writing (March 2018).

Quick "fix" - disable the flag. Depending on the requirements, one may also choose to have two Facebook applications: one for web page / mobile calls (flag disabled), and one for server side calls (flag enabled).

turdus-merula