RestFB: Writing a Facebook application with Java (using the new Graph API)

ufk · Mar 9, 2011 · Viewed 10.2k times

I'm trying to write a Facebook application using Java/Tomcat with RestFB.

The RestFB documentation shows the following:

I think that I may be looking at the wrong instructions and that this is for Facebook Connect or anything else besides an actual Facebook application inside apps.facebook.com/app_name.

I would really appreciate any relevant information regarding the issue. I'm simply trying to create a simple Facebook application that prints the name of the user.

In general, after I fetch the access token of the user I can do the following:

    import com.restfb.DefaultFacebookClient;
    import com.restfb.FacebookClient;
    import com.restfb.types.User;
    FacebookClient facebookClient = new DefaultFacebookClient(MY_ACCESS_TOKEN); // user's OAuth token
    User user = facebookClient.fetchObject("me", User.class); // Graph API "me" mapped to RestFB's User
    out.println("User name: " + user.getName());

My problem is how do I properly fetch the access token of the user? In the information I showed at the top of the post, it shows that I need to make two requests: the first for the code and the other for the access token. And the request for the access token actually reveals my app secret key to the user, because each time I forward him to a different page the user can easily view the GET and POST parameters.

So I guess I'm pretty lost here.

Please help! :)

Thanks

Update after comments

With these instructions I need to redirect the user's page two times: first to get the code and then to get the access token. The user can see these two redirections and because of that he can easily see the Facebook application key and secret key from the GET parameters. How do I make sure that these steps are hidden from the user?

Answer

Kris Babic · Mar 10, 2011

As stated in the comments, these are the steps you need to take to access Facebook's graph API. However, to answer your second question:

"How do I make sure that these steps are hidden from the user?"

Only the first request should be performed by the user's browser. The purpose is that Facebook wants to make sure it is the sole authorization provider for the user's Facebook identity. Depending on the application you are writing, you would either use the redirect URL to point to the default redirect URL that you specified, or specify a custom URL on your website that you will use to retrieve the token. The first approach is typically used by stand-alone applications such as mobile devices that can control how the browser handles redirects. The second approach would be used for a custom web-based application. Once you receive the access token, then you would perform the second operation within your code (using your favorite HTTP APIs) and not through the browser. The redirect on the access_token URL is compared against the redirect URL specified on the authentication URL. Facebook uses it for validation only and does not perform an actual redirect on the successful completion of the request.

Here are the high-level steps:

  1. Redirect user's browser to the authentication-url specifying the appropriate redirect_uri
  2. Retrieve verification token from redirected browser request
  3. Perform access_token retrieval using your preferred HTTP framework (no user input required)
  4. Parse results and retrieve access token
  5. Initialize RestFB with the token and use as needed
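The five steps above as one servlet for the Tomcat setup the question mentions, as an added example (it is not the asker's or the answerer's code, and not part of RestFB itself). It assumes a newer RestFB than the one current in 2011, for `Version.LATEST`, `obtainUserAccessToken(...)` and `Parameter.with(...)`; the app id, app secret, redirect URI and servlet path are placeholders; and the `state` parameter is standard OAuth CSRF protection that the answer does not mention but a web application should have. The point it demonstrates is the one the asker was worried about: the browser only ever sees the authorization redirect (step 1) and the callback carrying the code (step 2); the code-for-token exchange (steps 3 and 4) is a server-to-server call, so the app secret never appears in any URL the user can see.

```java
// Added example; assumes RestFB 1.7+ and the javax.servlet API. All ids and URLs are placeholders.
import java.io.IOException;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.security.SecureRandom;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.restfb.DefaultFacebookClient;
import com.restfb.FacebookClient;
import com.restfb.FacebookClient.AccessToken;
import com.restfb.Parameter;
import com.restfb.Version;
import com.restfb.types.User;

public class FacebookLoginServlet extends HttpServlet {
    // Placeholder values: load these from server-side configuration in a real deployment.
    private static final String APP_ID = "YOUR_APP_ID";
    private static final String APP_SECRET = "YOUR_APP_SECRET";          // stays on the server
    private static final String REDIRECT_URI = "https://example.com/fblogin"; // this servlet's URL
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        String code = req.getParameter("code");

        if (code == null) {
            // Step 1: the only hop the browser performs. The URL carries the (public) app id
            // and a random state value bound to this session, never the app secret.
            String state = new BigInteger(130, RANDOM).toString(32);
            session.setAttribute("fb_oauth_state", state);
            String authUrl = "https://www.facebook.com/dialog/oauth"
                    + "?client_id=" + enc(APP_ID)
                    + "&redirect_uri=" + enc(REDIRECT_URI)
                    + "&state=" + enc(state);
            resp.sendRedirect(authUrl);
            return;
        }

        // Step 2: Facebook redirected the browser back here with ?code=...&state=...
        // Accept the callback only if the state matches the one we issued (CSRF protection).
        String expectedState = (String) session.getAttribute("fb_oauth_state");
        session.removeAttribute("fb_oauth_state"); // single use
        if (expectedState == null || !expectedState.equals(req.getParameter("state"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "OAuth state mismatch");
            return;
        }

        // Steps 3 and 4: exchange the code for an access token with a server-to-server request.
        // RestFB makes the HTTP call and parses the response; the user never sees this request.
        FacebookClient unauthenticated = new DefaultFacebookClient(Version.LATEST);
        AccessToken token = unauthenticated.obtainUserAccessToken(APP_ID, APP_SECRET, REDIRECT_URI, code);

        // Keep the token server-side (session), not in a cookie or URL parameter.
        session.setAttribute("fb_access_token", token.getAccessToken());

        // Step 5: initialize RestFB with the user's token and use it.
        FacebookClient facebookClient = new DefaultFacebookClient(token.getAccessToken(), Version.LATEST);
        User user = facebookClient.fetchObject("me", User.class, Parameter.with("fields", "name"));

        resp.setContentType("text/plain; charset=UTF-8");
        resp.getWriter().println("User name: " + user.getName());
    }

    // URL-encode one query parameter value.
    private static String enc(String value) throws IOException {
        return URLEncoder.encode(value, "UTF-8");
    }
}
```

Map the servlet to the path in `REDIRECT_URI` and register that exact URI in the app's settings, since Facebook compares the `redirect_uri` sent in step 1 with the one sent in step 3 and rejects a mismatch. If the app is embedded at apps.facebook.com, the same flow applies; only the authorization redirect has to break out of the canvas iframe (top-level navigation), and the exchange in step 3 is unchanged.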