is it possible to access user's wall info without passing his/her access token?

Question

I wonder is it possible to access user's wall info without passing his/her access token?

for example, I will just pass my app secret token and app id. and FB user already allows to access his/her info from my app. Facebook does the checking and matching of my app and my app's user by just using my app secret token and app id.

Because I found some topics similar to that. http://forum.developers.facebook.net/viewtopic.php?pid=9172

When I check Rest FB doc,it says like that. http://restfb.com/javadoc/index.html public DefaultFacebookClient() Creates a Facebook Graph API client with no access token. Without an access token, you can view and search public graph data but can't do much else.

I doubt that it will work or not without access token. can everyone share me ideas or any possible similar approaches ?

Thanks.

Answer 1

You will need to ask the users to authorize your app for offline access. You will be able to access the user's wall even if the user is offline, but you still need the access token. It is part of Facebook's security measures.

There are two types of access tokens:

• Session based: expires in a short term, are used when the user will be logged to FB every time you need to perform an operation.
• Offline access: do not expire and allow the app to perform operations for the user in any moment. This requires the offline_access permission when the app is authorized.

Check here: http://developers.facebook.com/docs/authentication/ for the oauth mechanism and here: http://developers.facebook.com/docs/authentication/permissions/ for the permissions list.

The REST API is deprecated and it is strongly suggested that you don't use it anymore. Furthermore, from this October you will be allowed to use only the Oauth2 authentication (see When is Facebook turning off their session based auth?)

Answer 2

Without token you can only access public information.

Public data

From RestFB homepage :

// It's also possible to create a client that can only access
// publicly-visible data - no access token required. 

FacebookClient publicOnlyFacebookClient = new DefaultFacebookClient();

If the user does not protect his posts, then you can access everything without token. But most of user do protect their data and then you need a valid user access token to read the data.

Private data

When you say "FB user already allows to access his/her info from my app" it means that the user has clicked on "Allow app" in the web browser and at that moment here Facebook will give you a token. You can after use that token with RestFB :

FacebookClient facebookClient = new DefaultFacebookClient(USER_ACCESS_TOKEN);
User user = facebookClient.fetchObject("me", User.class);
out.println("User name: " + user.getName());

By default, the token will expire a few hours later. If you ask for the offline_access permission, the token will be valid for ever (as long as the user does not remove the permission for your app in his settings). You should store that token in your database to be able to use it when you need.

Get the user token

You cannot get the user token with RestFB. On the RestFB homepage, you can read :

Non-goals: [...] Providing a mechanism for obtaining session keys or OAuth access tokens

Because you need a browser to do so : the user has to authenticate and authorize your app on Facebook website (the popup that shows).

What you can do is to have a PHP page on which your users have to go to authorize your app. You can read this stackoverflow answer that explains how to use the Facebook PHP SDK to do so.

Hope that helps !