Getting facebook user access token / PHP SDK 3.1.1

Question

since this article is not answering the question ( How to get user access token? ), I wanted to ask how to get the user access token.

I already have my app access token, easy. I also saw in the latest php sdk Base_facebook class there is an getUserAccesstoken function, but its useless because in the end you only get the app access token.

This is my authentification flow: user gets into the fanpage app, and at some point, he has to authorize permissions:

$facebook = new Facebook(array(
    'appId' => $app_id,
    'secret' => $secret,
    'cookie' => true
));

$user = $facebook->getUser(); 

if($user == 0) {

  $login_url = $facebook->getLoginUrl($params = array('scope' => "publish_stream", 'redirect_uri' => "https://www.facebook.com/pages/PAGENAME/PAGE-ID?sk=app_APP-ID0&app_data=af"));

echo ("<script> top.location.href='".$login_url."'</script>");
}

This works, fine, app_data "af" param is set to get back the page inside the fanpage app.

Because I realize, that when I remove the app, and get back to the auth page, the user cookie ($user) is still set and so the user wont be asked for permissions again.

For that reason I wanted to check permissions as well, and therefore I need the user access token

    try{
        $permissions = $facebook->api("/me/permissions", 'GET', array('access_token' => "$access_token" ));
    }
    catch (Exception $e) {echo ("<script> top.location.href='".$login_url."'</script>"); }

    if( array_key_exists('publish_stream', $permissions['data'][0]) ) {
        // Permission is granted!

    } else {
        echo ("<script> top.location.href='".$login_url."'</script>");
    }

So I tried the server side auth example (https://developers.facebook.com/docs/authentication/server-side/), but of course this won't work here as you are not able to read the $_REQUEST from inside the app, so I am gonna stuck here. - How do you guys check for the permission inside an app?

   $app_id = "YOUR_APP_ID";
   $app_secret = "YOUR_APP_SECRET";
   $my_url = "YOUR_URL";

   session_start();
   $code = $_REQUEST["code"];

   if(empty($code)) {
     $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
     $dialog_url = "https://www.facebook.com/dialog/oauth?client_id=" 
       . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
       . $_SESSION['state'];

     echo("<script> top.location.href='" . $dialog_url . "'</script>");
   }

   if($_REQUEST['state'] == $_SESSION['state']) {
     $token_url = "https://graph.facebook.com/oauth/access_token?"
       . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
       . "&client_secret=" . $app_secret . "&code=" . $code;

     $response = file_get_contents($token_url);
     $params = null;
     parse_str($response, $params);

     $graph_url = "https://graph.facebook.com/me?access_token=" 
       . $params['access_token'];

     $user = json_decode(file_get_contents($graph_url));
     echo("Hello " . $user->name);
   }
   else {
     echo("The state does not match. You may be a victim of CSRF.");
   }

TIA & cheers, daniel

Answer 1

See the section of the Facebook Developer Docs about Server-Side authentication: https://developers.facebook.com/docs/authentication/server-side/

Or you can use a hybrid client-server authentication: http://developers.facebook.com/blog/post/534/