Question
Instead of using any Facebook SDK, I'm using HTTP Requests. Here is the URL I'm using to log the user into my application: (Not Real ID or URL)
https://stackoverflow.com/questions/22887199
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianhttps://www.facebook.com/dialog/oauth?
client_id=6545941f68498461
&redirect_uri=https://script.google.com/macros/s/hcz-IRoJhm/exec?
&response_type=token
&scope=publish_stream
The documentation is HERE. Official Facebook Login
After the user signs in with Facebook, my website loads with an access token appended to URL. I request a response_type=token so I get a token, not a code or both a code and a token.
According to the Facebook documentation, Confirming Identity
Because this redirect flow involves browsers being redirected to URLs in your app from the Login dialog, traffic could directly access this URL with made-up fragments or parameters. If your app assumed these were valid parameters, the made-up data would be used by your app for potentially malicious purposes. As a result, your app should confirm that the person using the app is the same person that you have response data for before generating an access token for them. Confirming identity is accomplished in different ways depending on the response_type received above:
And because I am receiving a token this quote from Facebook documentation should apply to me:
When token is received, it needs to be verified. You should make an API call to an inspection endpoint that will indicate who the token was generated for and by which app. You can do this from the client or from the server, depending on your use case.
For this particular situation, there is a section titled, Inspecting Access Tokens:
Here is the quote from the Facebook documentation:
Whether or not your app uses code or token as your response_type from the Login dialog, at this point it will have received an access token. However, for the same security reasons as above, you should perform an automated check to confirm that the token belongs the person that your app is expecting it to belong to, and that it was your app that generated the token. We provide the following Graph API endpoint that can be used to inspect access tokens:
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
So, I have parsed the access token from the end of the URL, and then made another GET Request from the server as configured in the example for the inspection, and I can not get it to work. I have tried using a generated app token and I have tried using my App ID plus my App Secret, and nothing works. I get an error message:
Execution failed: Invalid argument:
If I use the Facebook Debugger
And paste in the token that was returned from the login, it works fine. I get information back. So the token I'm getting back is valid.
I'm using the exact syntax for inspecting the Access Token, and I've checked every character many times for spelling or syntax errors. There must be something else causing the request to be rejected. For test purposes, I am sending the HTTP GET Request from a different URL, but because tokens are portable, Facebook allows requests from different places, for example, from a server.
Why is my request failing?
I'm wondering if there is something about the Apps Script UrlFetch service that is causing the error. The token I get back is valid. In the online debugger, the token is fine. I keep getting an invalid argument error. GET requests don't have a payload, so trying to use the payload, so trying to use that parameter wouldn't help me.
I muted the HTTPExceptions, and got a response back:
{"error":{"message":"Unsupported get request.","type":"GraphMethodException","code":100}}
In Facebooks Receiving Error Codes table, there is no code 100.
I set the "escaping" : false thinking maybe there might be a character that shouldn't be escaped that was being escaped, but that did nothing.
Maybe there is something in the URL that fetch doesn't like. Maybe I need to manually escape something.
Okay, I have figured something out. Google Apps Script UrlFetchApp.fetch(getAppTknURL, optnAppTkn); does not like the " | " character. If I use that character, I get a Execution failed: Invalid argument: error, which has nothing to do with the HTTP request.
So, using the App ID and App Secret as the access_token, divided by the " | " character will produce an error. And, the App Access token also uses that character to divide the app ID and the App Token. So maybe I can figure out what the escape characters are for that " | " character.
Solution
I found the problem. Facebook configures the App Token with a divider after the app ID.
AppID|AppToken
The " | " character is the divider. That character has an escape code of %7C. In my case, the | character needed to be escaped in the URL. As soon as I did that, I started getting responses back from Facebooks server.
