1

In my PHP application, users provide their own Facebook Application ID and Application Secret. I need to validate them and display nice error if they are invalid.

I already found a nice way to do it. I can make a request to https://graph.facebook.com/oauth/access_token?client_id=123456&client_secret=abcdefg&grant_type=client_credentials

If credentials are invalid, the response is as follows:

{
   "error": {
      "message": "Error validating application. Cannot get application info due to a system error.",
      "type": "OAuthException",
      "code": 101,
      "fbtrace_id": "D8oHjJoc2Nc"
   }
}

I'm confused about the ways to do it with PHP SDK. There's a neat get() method to make such a request, but I'm not sure how to send request without authorizing the application. This is what I did:

$app = new Facebook\FacebookApp( $app_id, $app_secret );

$access_token = $app->getAccessToken();

$query = http_build_query([
    'client_id'     => $app_id,
    'client_secret' => $app_secret,
    'grant_type'    => 'client_credentials',
]);

$facebook = new Facebook\Facebook( [
    'app_id' => $app_id,
    'app_secret' => $app_secret,
    'default_graph_version' => '2.5',
] );

$response = $facebook->get( '/oauth/access_token?' . $query, $access_token );

I'm getting the following error:

Unknown path components: /oauth/access_token

But even if it worked, it's strange to call it with any sender credentials. Is it possible to make an "anonymous" Facebook request with PHP SDK?

Robo Robok
  • 21,132
  • 17
  • 68
  • 126
  • As far as I know, this is not possible. You need an authorized app to make a request. – Stavros Dec 01 '15 at 16:18
  • The combination of app id and app secret with a pipe symbol in the middle can be used as app access token – so you could just build that, and then [debug](https://developers.facebook.com/docs/facebook-login/access-tokens/debugging-and-error-handling#debug) it to check whether it is a valid access token. Or just make a simple API request with that token, and see what response you get. – CBroe Dec 01 '15 at 16:40
  • @CBroe , can you explain further what you mean exactly with "combination of app-id, app-secret? sth like this: app-id|app-secret? – Stavros Dec 01 '15 at 17:03
  • @Stavros This isi the convention currently. Application access token is APP_ID|APP_SECRET. But I prefer to get it from the SDK anyway, in case something changes. Those methods mentioned by CBroe will work, just like mine, but it's still undoable from SDK without app as a sender I think. I prefer my method. – Robo Robok Dec 01 '15 at 17:22
  • @Stavros yes, exactly; see also http://stackoverflow.com/a/12951233/1427878 – CBroe Dec 01 '15 at 17:34

1 Answers1

1

The SDK implicitly adds the API version number specified to the path in -> get(), so I think that's causing your error here because the underlying call is being made to /2.5/oauth/access_token (fails for me in a browser)

It should be /v2.5/oauth/access_token (works for me in a browser)

Update default_graph_version to v2.5 and try that

Igy
  • 43,710
  • 8
  • 89
  • 115