Handling invalidated access tokens
Last week, we reminded you how you should handle invalid access tokens. This is an important concept to understand as there are several legitimate reasons an access token can become invalid such as:
Even if you have the offline_access permission from the user, your token can still be invalidated. You should ensure you application is built to handle these scenarios.
New PHP SDK
Today we upgraded the PHP SDK to version 3.0.0. Be sure to read our blog post which explains the changes as well as when you should consider upgrading. Version 2 of the PHP SDK will no longer work come September 1st as we will be requiring all apps to use the new OAuth flows.
Client-side re-authentication flow
A couple weeks ago we introduced a server-side way for you to force a user to re-enter their password to confirm their identity (e.g. before making a purchase on a shared computer). We now have a way to perform re-authentication on the client side as well. To get started, check out the example below or see the documentation.
<html> <head></head> <body> <div id="fb-root"></div> <button id="fb-login" onclick="login()">Login</button> <script> var button = document.getElementById('fb-login'); // For help with AJAX, see http://www.w3schools.com/Ajax/Default.Asp function checkNonce(access_token) { var xmlhttp; if (window.XMLHttpRequest) {// code for IE7+, Firefox, Chrome, Opera, Safari xmlhttp=new XMLHttpRequest(); } else {// code for IE6, IE5 xmlhttp=new ActiveXObject("Microsoft.XMLHTTP"); } xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4 && xmlhttp.status==200) { if (xmlhttp.responseText == 1) { console.log('The user has been successfully ' + 're-authenticated.'); } else { console.log('The nonce has been used before. ' + 'Re-authentication failed.'); } } } xmlhttp.open('POST','checkNonce.php',true); xmlhttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); xmlhttp.send('access_token=' + access_token); } function login(){ FB.login(function(response) { if (response) { console.log('Login success. Checking auth_nonce...'); checkNonce(response.session.access_token); } else { console.log('Login cancelled.') } }, { auth_type: 'reauthenticate', auth_nonce: 'abcd1234' }); } window.fbAsyncInit = function() { FB.init({appId: 'YOUR_APP_ID', status: true, cookie: true, xfbml: true}); FB.getLoginStatus(function(response) { if (response.session) { button.innerHTML = 'Re-Authenticate'; console.log('User is logged in.'); } else { console.log('User is not logged in.'); } }); }; (function() { var e = document.createElement('script'); e.async = true; e.src = document.location.protocol + '//connect.facebook.net/en_US/all.js'; document.getElementById('fb-root').appendChild(e); }()); </script> </body> </html>
checkNonce.php
<?php $access_token = $_REQUEST['access_token']; $graph_url = 'https://graph.facebook.com/oauth/access_token_info?' . 'client_id=YOUR_APP_ID&access;_token=' . $access_token; $access_token_info = json_decode(file_get_contents($graph_url)); function nonceHasBeenUsed($auth_nonce) { // Here you would check your database to see if the nonce // has been used before. For the sake of this example, we'll // just assume the answer is "no". return false; } if (nonceHasBeenUsed($access_token_info->auth_nonce) != true) { echo '1'; } else { echo '0'; } ?>
Old Insights Dashboard
As previously announced, we will remove the old version of the Insights dashboard on Tuesday as all the metrics that were previously available are now available in the new Insights dashboard.
Improving Docs
Documentation activity for the past 7 days:
Fixing Bugs
Bugzilla activity for the past 7 days:
Forum Activity
Developer Forum activity for the past 7 days:
Yasser Shohoud, a Partner Engineer on the Developer Relations team, is looking forward to seeing how you use the re-authentication feature to create safe, seamless user authentication flows.
As part of our Developer Roadmap update requiring all apps to use OAuth 2.0 and HTTPS, we planned to make available an updated PHP SDK that uses OAuth 2.0. Although we originally planned to release the PHP SDK on July 1st, we moved fast and completed the update to version 3.0.0. This SDK is now available for download on GitHub.
The new PHP SDK (v3.0.0) is a major upgrade to the older one (v2.2.x):
If you’re currently using the PHP SDK (v2.2.x) for authentication, you will recall that the login code looked like this:
$facebook = new Facebook(…); $session = $facebook->getSession(); if ($session) { // proceed knowing you have a valid user session } else { // proceed knowing you require user login and/or authentication }
The login code is now:
$facebook = new Facebook(…); $user = $facebook->getUser(); if ($user) { // proceed knowing you have a logged in user who's authenticated } else { // proceed knowing you require user login and/or authentication }
Download the full example here. The red text below indicates changes from the earlier example.php (v2.2.x):
<?php require 'facebook.php'; // Create our application instance // (replace this with your appId and secret). $facebook = new Facebook(array( 'appId' => 'YOUR_APP_ID', 'secret' => 'YOUR_APP_SECRET', )); // Get User ID $user = $facebook->getUser(); // We may or may not have this data based // on whether the user is logged in. // If we have a $user id here, it means we know // the user is logged into // Facebook, but we don’t know if the access token is valid. An access // token is invalid if the user logged out of Facebook. if ($user) { try { // Proceed knowing you have a logged in user who's authenticated. $user_profile = $facebook->api('/me'); } catch (FacebookApiException $e) { error_log($e); $user = null; } } // Login or logout url will be needed depending on current user state. if ($user) { $logoutUrl = $facebook->getLogoutUrl(); } else { $loginUrl = $facebook->getLoginUrl(); } // This call will always work since we are fetching public data. $naitik = $facebook->api('/naitik'); ?> <!doctype html> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <title>php-sdk</title> <style> body { font-family: 'Lucida Grande', Verdana, Arial, sans-serif; } h1 a { text-decoration: none; color: #3b5998; } h1 a:hover { text-decoration: underline; } </style> </head> <body> <h1>php-sdk</h1> <?php if ($user): ?> <a href="<?php echo $logoutUrl; ?>">Logout</a> <?php else: ?> <div> Login using OAuth 2.0 handled by the PHP SDK: <a href="<?php echo $loginUrl; ?>">Login with Facebook</a> </div> <?php endif ?> <h3>PHP Session</h3> <pre><?php print_r($_SESSION); ?></pre> <?php if ($user): ?> <h3>You</h3> <img src="https://graph.facebook.com/<?php echo $user; ?>/picture"> <h3>Your User Object (/me)</h3> <pre><?php print_r($user_profile); ?></pre> <?php else: ?> <strong><em>You are not Connected.</em></strong> <?php endif ?> <h3>Public profile of Naitik</h3> <img src="https://graph.facebook.com/naitik/picture"> <?php echo $naitik['name']; ?> </body> </html>
When to upgrade
If you are only using the PHP SDK for authentication, please upgrade now. If you are using the JavaScript SDK for login in conjunction with the PHP SDK, you will want to wait for the JavaScript SDK upgrade (coming in 4 weeks). Version 3.0.0 of the PHP SDK won’t cooperate with the current JavaScript SDK due to the cookie format changing.
Below is a table to help you remember when to begin upgrading:
Login Flow | Upgrade |
PHP SDK for login and API calls | Now |
JS SDK for login and PHP SDK for API calls | 4 weeks |
JS SDK for login and API calls | 4 weeks |
To learn more about the OAuth 2.0 flow and how to implement OAuth with CSRF protection, please read our Authentication Guide. All apps must utilize the new OAuth flows by September 1.
If you have any questions or feedback on this release, please leave them in the Comments Box below.
We introduced the Preferred Developer Consultant (PDC) program in December 2009 to connect companies and brands to the resources they need to build with Facebook products and technologies.
This February, we opened up a new round of submissions for the PDC program. As businesses across the world look to get smarter about integrating Facebook, we seek to ensure that the PDC program continues to meet these needs everywhere that people use Facebook. We’ve selected 25 new companies, including 13 internationally-based companies, to join the PDC program. Our 90 PDCs now span across 170 offices and dozens of countries, with 67 offices outside of the US. You can visit the directory to see the full list of Preferred Developers. Please join us in welcoming to the program:
As this program expands across the globe, finding a Preferred Developer in your local area becomes more important. Today we’re proud to announce our revamped Preferred Developer Lookup Tool. Designed and built by Gamaroff Digital, a PDC, the tool allows you to look up PDCs by expertise, location, and any keyword. It’s an excellent way to quickly locate the Preferred Developers that can best serve your needs.
What separates a PDC from most other development firms is the ability to understand social mechanics and technical possibilities on Platform. We’re excited to see the vibrant ecosystem of development, especially as this space of social web integrations expands to become a central aspect of every business and market worldwide.
For more information about the PDC program, including case studies and information on applying to be a PDC, please visit our PDC directory.
Matt wants to see more companies with socially designed products.
This week, we announced an update to our Developer Roadmap that outlines a plan requiring all apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate by October 1. We also added two frequently requested How-To guides.
Subscribing to comment threads in the Comments Box
We added the ability to subscribe and unsubscribe from specific comment threads in the Comments Box. If you are interested in a particular part of the conversation, just click the subscribe link, and you'll receive a notification when others reply on thread. Similarly, you can unsubscribe to stop the notifications.
Like Story Feedback now available in Insights
Last month we expanded the story size that is shown when a user Likes a page on your site. We've now added a "Like Story Feedback" dashboard to Insights for your website. This dashboard shows you engagement data such as how many users liked and commented on these stories:
Using this data you can work on generating more interesting stories to fuel the conversation around your content.
API access to Send button metrics
You can now query the Graph API and the Insights FQL table for metrics on Send button activity. When a user engages with the Send button, one or more of the following sequence of actions occurs: the user views the button, then clicks on it, the receiver then views the item in their Messages, and clicks on it. These actions correspond to the following metrics that can be requested via the Graph API or the FQL table:
Each of these metrics is aggregated based on a domain claimed by your application. The FQL Insights documentation contains further details and the list of all available metrics. Here is some example code to retrieve the number of Send button views for a domain for the last three days (the default, see docs for other options):
<?php $app_id = "YOUR_APP_ID"; $app_secret = "YOUR_APP_SECRET"; $app_domain = "YOUR_APP_DOMAIN"; // e.g. developers.facebook.com // First, get a valid access token for the app $token_url = "https://graph.facebook.com/oauth/access_token?" . "client_id=" . $app_id . "&client;_secret=" . $app_secret . "&grant;_type=client_credentials"; $app_access_token = file_get_contents($token_url); // Query the Graph API for the send views $graph_url="https://graph.facebook.com/insights/" . "domain_widget_send_views?" . "domain=" . $app_domain . "&" . $app_access_token; $response = file_get_contents($graph_url); // Use the results echo "<pre>"; echo print_r(json_decode($response)); echo "</pre>"; ?>
Reference Documentation
As part of Operation Developer Love, we continue to improve our documentation. This week we updated the Album reference documentation for the Graph API. We plan to update the other Graph API reference docs based on this "template", so please let us know in the comments what you think about it. We will be adding information about errors relevant to the Graph API soon.
Improving Docs
Documentation activity for the past 7 days:
Bugzilla activity for the past 7 days:
Developer Forum activity for the past 7 days:
Zhen Fang, on the Developer Relations team, wants to see metrics of how many people sent this post to a friend with the Send button.