How to get a facebook access token using appid and app secret without any login credentials?

Premkumar picture Premkumar · Jun 25, 2014 · Viewed 15.8k times · Source

I need to get FaceBook access token using appid and app secret in C# windows application. Actually i did below coding, but getting app token only not getting the access token.

how to achieve to retrieve access token.?

 FacebookClient client = new FacebookClient();
            dynamic result = client.Get("oauth/access_token", new
            {
                client_id = "1498796747020950",
                client_secret = "c50341f5b4e42a595f0791467f439e38",
                grant_type = "client_credentials"
            });
          var  accessToken = result.access_token;

Answer

Sahil Mittal picture Sahil Mittal · Jun 25, 2014

The token that you are requesting is an app access token which can not be used with every API call (instead its usage is very limited).

Let me try to elaborate the access tokens and OAuth 2.0 to make the concepts clear.

OAuth 2.0

  1. With the standard OAuth 2.0 implementation, the first step is to invoke the OAuth Dialog of the service provider (facebook)-

    \GET http://www.facebook.com/dialog/oauth

    Parameters-

    • client_id (APP ID)
    • redirect_uri (App's Redirect Url)
    • scope (permissions - optional)

    Returns-

    • code (appended with the redirect url)
  2. After the user successfully authenticated the app, a code is returned by the service provider(facebook) appended with the redirect_url passed. So you'll be redirected to-

    {redirect-url}?code=XXXXXXXXXXXXXXXXX

    We use this code then and request for the access_token-

    \GET https://graph.facebook.com/oauth/access_token

    Parameters-

    • client_id (APP ID)
    • client_secret (APP Secret)
    • code
    • redirect_uri

If you dont want to build this manual flow, you can use the SDKs that take care of this flow. It will just invoke the outh dialog and if success will give you the access token in response. Facebook provides official SDKs for iOS, Android, Javascript and PHP; also there are other third-party SDKs. Now this will give us an access token, to be more precise- a user access token. This is only process required to obtain a user access token (i.e. user engagement is required). What you were requesting was an app access token, I'll now elaborate facebook access tokens-

Access Tokens

There are 3 types of access tokens to support different use cases:

  • User Access Token - The user token is the most commonly used type of token. This kind of access token is needed any time the app calls an API to read, modify or write a specific person's Facebook data on their behalf. I've explained the detailed process of obtaining this token.

  • App Access Token - App access tokens are used to make requests to Facebook APIs on behalf of an app rather than a user. This can be used to modify the parameters of your app, create and manage test users, or read your application's insights. App access tokens can also be used to publish content to Facebook on behalf of a person who has granted an open graph publishing permission to your application.

    Except these there's nothing an app access token can do. And its like a password of your app so it is important that your app secret is never shared with anyone. This can be obtained by the API call that you have mentioned in the question-

    GET /oauth/access_token?
         client_id={app-id}
         &client_secret={app-secret}
         &grant_type=client_credentials
    

    or directly from here, or simply use {app-id}|{app-secret}

  • Page Access Token- Page access tokens are used in Graph API calls to manage Facebook Pages. To generate a page access token, an admin of the page must grant an extended permission called manage_pages. Once this permission has been granted, you can retrieve the page access token using the following Graph API request:

    /GET  /{page-id}?fields=access_token
    

Reference


I'm not really sure if this all was significant to you but I hope it helps you clearing some doubts regarding the same.

If the app access token is significant to you, you can use it by any of three methods I've mentioned. If not, user access token is what required to you which cannot be obtained without user interaction.