Once I have the access_token, how do I get the associated user_id server side?

StackOverflow https://stackoverflow.com/questions/4774633

Question

I know I can request:

https://graph.facebook.com/me?access_token=ACCESS_TOKEN

But 'me' which refers to the 'active user' which presumably is the user logged on to facebook on this machine which would be the server, I need the facebook user at the clients end user_id so my server can make requests to the GraphAPI about that user using the format:

https://graph.facebook.com/USER_ID?access_token=ACCESS_TOKEN
Was it helpful?

Solution 2

Looking at the source code of the SDK's I found they parse the user_id from the access token:

        /*
         * access_token:
         *   1249203702|2.h1MTNeLqcLqw__.86400.129394400-605430316|-WE1iH_CV-afTgyhDPc
         *                                               |_______|
         *                                                   |
         *                                                user id
         */

BUT one shouldnt have to do this as instead of requesting the token your app should redirect them to the landing page following which facebook will re POST the signed_request with the access_token and user_id. The facebook documentation on authorisation (it seems to have since been updated) wrongly told ones app to request token but that is only applicable for websites not apps. I find it annoying how the facebook docs keep telling one how simple it is yet they fail to simply explain it and get wrong anyway...

OTHER TIPS

I guess you are missing the fundamentals of the user authentication concept which is not only related to Facebook.

Let us assume that two users A & B visited domain.com/fb_profile.php, which contains (the example file from the PHP-SDK): 

<?php

require '../src/facebook.php';

$facebook = new Facebook(array(
  'appId'  => 'APPLICATION_ID',
  'secret' => 'APPLICATION_SECRET',
  'cookie' => true,
));


$session = $facebook->getSession();

$me = null;
// Session based API call.
if ($session) {
  try {
    $uid = $facebook->getUser();
    $me = $facebook->api('/me');
  } catch (FacebookApiException $e) {
    error_log($e);
  }
}

// rest of code

They both logged in successfully, and the page reloaded. What happened now is that we have a valid session for both users!
And when the fb_profile.php is requested from the user A (client) the $facebook->api('/me'); will be holding the "active user" details from that specific request (client)! and your machine (the server) will be holding the sessions for all the logged in users!

So each time fb_profile.php is requested from a client with a valid session, the result of executing $facebook->api('/me'); will be related to that specific session from that specific client!

So what have you said here (in bold) is wrong:

But 'me' which refers to the 'active user' which presumably is the user logged on to facebook on this machine which would be the server

And by the way, when you have a valid session both: 

$facebook->api('/me');

And: 

$facebook->api('/USER_ID');

Will return the same info (of course the USER_ID is the id of the user logged in on the client-side).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top