[Facebook] Authentication

• Uses the OAuth 2.0 protocol for authentication and authorization.
• Support for Website, mobile and desktop apps.

Supports two different OAuth 2.0 flows for user login

• Server-side
• The authentication code flow in the specification.
• Used whenever you need to call the Graph API from your web server.
• Client-side
• The implicit flow.
• Used when you need to make calls to the Graph API from a client.
• ex: JavaScript running in a Web browser or from a native mobile or desktop app.

Implementation of the OAuth 2.0 involves three different steps

• User authentication
• Ensures that the user is who they say they are
• App authorization
• Ensures that the user knows exactly what data and capabilities they are providing to your app.
• App authentication
• Ensures that the user is giving their information to your app and not someone else.

Server-side Flow

• User authentication and app authorization are handled at the same time by redirecting the user to our OAuth Dialog.
• https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=email,read_stream
• If user login and allow your app permissions and then redirect to your redirect_uri.
• http://YOUR_URL?code=A_CODE_GENERATED_BY_SERVER
• With this code in hand, you can proceed to the next step, app authentication, to gain the access token you need to make API calls.
• In order to authenticate your app, you must pass the authorization code and your app secret to the Graph API token endpoint - along with the exact same redirect_uri used above - at https://graph.facebook.com/oauth/access_token.
• https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
• The diagram below illustrates the HTTP calls made through the server-side flow:

Client-side Flow

• Also uses the OAuth Dialog for user authentication and app authorization. The only difference is that you must specify the response_type parameter with a value of token:
• https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&response_type=token
• If returned
• http://YOUR_URL#access_token=166942940015970%7C2.sa0&expires_in=64090
• Because the access token is passed in an URI fragment, only client-side code (such as JavaScript executing in the browser or desktop code hosting a web control) can retrieve the token.
• The diagram below illustrates the HTTP calls made through the server-side flow:

Alternate Redirect URIs

• Specifying additional App Domains for your app is useful for redirecting users to other servers for geographic distribution of load.
• When redirect_uris are specified in the authentication flows, the user is normally redirected to a path under the Site URL that you specify in the Basic Info section on the Summary tab in the Developer App. 
• However, you can override this behavior and redirect to one or more other related or sub-domains by specifying each domain name in the App Domain field in the Basic Info section of the Summary Tab in the Developer App

You can log a user out of their Facebook session by directing them to the following URL:
https://www.facebook.com/logout.php?next=YOUR_URL&access_token=ACCESS_TOKEN


Also support

• App Login
• Page Login

Cross Site Request Forgery (CSRF)

• Cross site request forgery is an attack in which a trusted (authenticated and authorized) user unknowingly performs an action on website.
• To prevent this attack, you should
• Pass an identifier in the state parameter
• Validate the state parameter matches on the response. 
• We strongly recommend that any app implementing Facebook user login implement CSRF protection using this mechanism.

Related
[Security] OAuth and OpenId


* Reference
- Authentication

[Facebook] Graph API - Real-time Update

The Graph API 提供 subscriptions API 訂閱資訊功能，讓 Application 能即時收到這些資訊的更新。

Here are the steps to set up a subscription:

• Set up an endpoint URL that receives both HTTP GET (for subscription verification) and POST (for actual change data) requests from Facebook.
• Make a POST to the graph API url https://graph.facebook.com/APPLICATION_ID/subscriptions to subscribe, and be ready to handle the verification request.

• When data changes, and there is a valid subscription, Facebook servers will make an HTTP POST request to the callback_url you specified. 
• The request will have content type of application/json; the body will be a JSON-encoded string containing one or more changes.
• Note that this does not include the actual data values;
•  Facebook aggregates changes and sends batched updates every 5 seconds or when number of unsent changes exceeds 1000, so your server(s) should be set up to handle this level of load.

You can currently subscribe to updates for these types of objects:

• user
• Get notifications about particular fields and connections corresponding to user nodes in the Graph API.
• permissions (FQL)
• Get notifications when your users change the permissions they afford your applications.
• The fields are like those in the corresponding FQL table.
• page
• Get notifications when pages that have installed your application change their public properties. 
• Note
• Page topic is only used for subscribing to changes to public attributes of the page (like name, category, picture etc).
• You can subscribe to the page's feed in the same way you subscribe to a user's feed - the subscription topic should be 'user' and the subscription field should be 'feed'

User connections to which you can/can't subscribe

• Can
• feed, friends, activities, interests, music, books, movies, television, likes, checkins
• Can't
• home, tagged, posts, photos, albums, videos, groups, notes, events, inbox, outbox, updates, accounts
• Note
• please check back on this page at later time for updates.

Questions

• 即使 Facebook 會將更新資訊 post 到我們設定的 callback url，但怎麼將這資訊送到(push)手機上的 Application?
• This service only for server-to-server communication.
• 所以應再考慮若 app server 收到更新訊息，如何 push 到 app，can try C2DM.

* Reference
- Real-time Updates
- Subscription
- Facebook API 开发记录
- real-time Sample code
- [TLK]Q/A about real-time updates
- How to Implement Push Notifications for Android
- Does Android support near real time push notification

[Facebook] Graph API - Objects

* Some Connection is a kind of Objects.

Format

• Object
• Explanation
• Permissions maybe needed (not list all)
• URL to get this Object
• Connections of this Object (URL to get other objects by their connection)

[Main Objects]

• Application
• An application registered on Facebook Platform
• /APPLICATION_ID/accounts, albums, banned, feed, insights, links, payments, picture, posts, reviews, staticresources, statuses, subscriptions, tagged, translations, scores, achievements
• Page
• A Facebook Page
• /PAGE_ID/feed, picture, settings, tagged, links, photos, groups, albums, statuses, videos, notes, events, checkins, admins, blocked, tabs
• User
• A user profile.
• https://graph.facebook.com/me (the current user)
• /USER_ID/accounts, achievements, activities, albums, apprequests, books, checkins, events, family, feed, friendlists, friendrequests, friends, games, groups, home, inbox, interests, likes, links, movies, music, mutualfriends, notes, notifications, outbox, payments, permissions, photos, picture, pokes, posts, scores, statuses, tagged, television, updates, videos

[Connections]

• Album
• A photo album
• user_photos: 你的相片; friends_photos: 和你分享的相片
• /User, Application, Page/albums
• /ALBUMS_ID/photos, likes, comments, picture
• Photo
• An individual photo within an album; 所有照片(包含被tag的...)
• ADD: publish_stream: 替你張貼內容到 Facebook
• /User, Page, Application, ALBUMS_ID/photos
• /PHOTO_ID/comments, likes, picture, tags
• Checkin
• A checkin made through Facebook Places or the Graph API.
• user_checkins: 你的打卡動態; 和你分享的打卡動態
• /User, Page/checkins
• /CHECKIN_ID/comments, likes
• Test Result
• Can't get checkin info that tagged by friend?
• Comment
• A Comment on a Graph API object
• /COMEMENT_ID/likes
• Event
• A Facebook event
• user_events: 你的活動; rsvp_event: Manage your events; friends_events: 和你分享的活動
• /User, Application, Page/events
• /EVENT_ID/feed, noreply, invited, attending, maybe, declined, picture
• feed can CREATE/DELETE links, posts, statuses
• Test Result
• 僅取得 User 發起的、不確定的與確定參加的?
• FriendList
• A Facebook friend list; 取得朋友群組清單
• read_friendlists: Access my custom friend lists
• /User/friendlists
• /FRIENDLIST_ID/members
• manage_friendlists : Manage your custom friend lists
• Group
• A Facebook group
• user_groups
• /User, Page/groups
• /GROUP_ID/feed, members, picture, docs
• Message
• A message in a thread
• read_mailbox: Access messages in your inbox
• /User/inbox
• Note
• A Facebook Note
• user_notes, friends_notes
• /User/notes
• /NOTE_ID/comments, likes
• Question
• A question asked by a user, as represented in the Graph API.
• user_questions, friends_questions
• /Use/questions
• /QUESTION_ID/options
• QuestionOption
• An option allowed as an answer to a question.
• /Question/options
• /QUESTIONOPTION_ID/votes
• Review
• A review for an application
• /Application/reviews
• Subscription
• A subscription to an application to get real-time updates for an Graph object type.
• /Application/subscriptions
• Thread
• A message thread
• /User/threads
• Test Error
• (#298) You must be a developer of the application
• Video
• An individual video
• /Use, Application, Page/videos
• /VIDEO_ID/likes, comments, picture

- Wall-related

• Link
• A shared link
• read_stream: Access posts in your News Feed
• /User, Application, Page/links
• /LINK_ID/comments, likes
• Post
• An individual entry in a profile's feed
• /User, Application, Page, Group/posts
• /POST_ID/comments, likes
• Status message
• A status message on a user's wall (UPDATE)
• User 在 wall 發表的純文字敘述。
• /User/statuses
• /STATUS_ID/comments, likes

- Game-related

• Achievement(Instance)
• Instance for an achievement for a user.

[Others]

• Domain
• A website domain within the Graph API
• Insights
• Statistics about applications, pages, or domain.
• /User, Application, Domain/insights

Note
like and feed are not an Object


By the way
HTTP 302: 暫時轉移(Temporarily Moved)
物件已移動，並告知移動過去的網址。針對表單架構驗證，這通常表示為「物件已移動」。 要求的資源暫時存於不同的 URI 底下。由於重新導向可能偶而改變，用戶端應繼續使用要求 URI 來執行未來的要求。 除非以 Cache-Control 或 Expires 標頭欄位表示，此回應才能夠快取。


* Reference
- Graph API
- Graph API Explorer

[Facebook] Graph APIs - Introduction

[The Graph API]

• Presents a simple, consistent view of the Facebook social graph.
• Uniformly representing objects in the graph and the connections between them.
• Objects: ex: people, photos, events, and pages
• Relationships connections: ex: friend relationships, shared content, and photo tags

[How to access Object]

• Every object has a unique ID.
• Access the properties of an object by requesting https://graph.facebook.com/ID
• ex: the official page for the Facebook Platform has id 19292868552, so you can fetch the object at https://graph.facebook.com/19292868552
• Alternatively, people and pages with usernames can be accessed using their username as an ID by https://graph.facebook.com/USERNAME
• ex: Since "platform" is the username for the page above, https://graph.facebook.com/platform will return what you expect.
• All responses are JSON objects.
• Support RESTful using HTTP GET(get), POST(create), DELETE(delete).
• ex: DELETE https://graph.facebook.com/ID?access_token=... HTTP/1.1
• To support clients that do not support all HTTP methods (like JavaScript clients), you can alternatively issue a POST request to an object URL with the additional argument method=delete to override the HTTP method. ex:
• Can delete a comment by issuing a POST request to https://graph.facebook.com/COMMENT_ID?method=delete
• Can delete a like by issuing a DELETE request to /OBJECT_ID/likes (since likes don't have an ID).

[Access connections of Object]

• All of the objects in the Facebook social graph are connected to each other via relationships.
• ex: Bret Taylor is a fan of the Coca-Cola page; Bret Taylor and Arjun Banker are friends...
• Access the connections between objects using the URL structure https://graph.facebook.com/ID/CONNECTION_TYPE.

[Query skills]
* About Objects

• Choose the fields (or connections) you want returned with the "fields" query parameter.
• ex: https://graph.facebook.com/bgolub?fields=id,name,picture, only return the id, name, and picture of Ben.
• Request multiple objects in a single query using the "ids" query parameter.
• ex: https://graph.facebook.com?ids=arjun,vernal returns both profiles in the same response.
• The "ids" query parameter also accepts URLs. This is useful for finding IDs of URLs in the Open Graph.
• ex: https://graph.facebook.com/?ids=http://www.imdb.com/title/tt0117500/
• A special identifier me which refers to the current user. So the URL https://graph.facebook.com/me returns the active user's profile.

* About Connections
Several useful parameters that enable you to filter and page through connection data:

• limit, offset:
• https://graph.facebook.com/me/likes?limit=3
• until, since (a unix timestamp or any date accepted by strtotime):
• https://graph.facebook.com/search?until=yesterday&q=orange

* Data format

• All date fields are returned as ISO-8601 formatted strings.
• You can optionally override the date format by specifying a "date_format" query parameter.

[Permission]

• To get additional information about a user, you must first get their permission.
• Different information may need different permissions, you have obtain the right permissions of access token for the user or you can not get the relative information.

[Introspection]

• Enables you to see all of the connections an object has without knowing its type ahead of time. 
• This feature is a useful and extensible way to find all the things your users are connected to.
• To get this information, add metadata=1 to the object URL, and the resulting JSON will include a metadata property that lists all the supported connections for the given object. 
• ex: See all the connections for the Developer Garage event above by fetching https://graph.facebook.com/331218348435?metadata=1.

[Search]
https://graph.facebook.com/search?q=QUERY&type=OBJECT_TYPE
ex:

• All public posts: https://graph.facebook.com/search?q=watermelon&type=post
• People: https://graph.facebook.com/search?q=mark&type=user
• Pages: https://graph.facebook.com/search?q=platform&type=page
• Events: https://graph.facebook.com/search?q=conference&type=event
• Groups: https://graph.facebook.com/search?q=programming&type=group
• Places: https://graph.facebook.com/search?q=coffee&type=place¢er=37.76,122.427&distance=1000
• Checkins: https://graph.facebook.com/search?type=checkin

* Reference
- Graph API
- Graph API Explorer