API calls from the server require an appsecret_proof argument

4

23

I can't make API requests with the Android Facebook SDK, or even get the user from the login callback - it always returns null.

Particularly, with the newMeRequest, I get the following error message:

{
  "error": {
    "message": "API calls from the server require an appsecret_proof argument",
    "type": "GraphMethodException",
    "code": 100
  }
}

Actually, it seems pretty obvious, because the flag is set to true in the Facebook app options. However, I know it is possible, for the mobile SDKs, to make API requests without the secret. However, if I try to use the access token from the currentSession in the Facebook Graph API Debugger, the response will be the same as above.

I don't know if this is related to the new Android Facebook SDK, but my code is basically the same as in the examples. The login goes nicely and I get the session token but I can't make any API requests...

loginButton.setUserInfoChangedCallback(new LoginButton.UserInfoChangedCallback() {
    @Override
    public void onUserInfoFetched(GraphUser user) {
        graphUser = user;
    }
});


Request.newMeRequest(currentSession, new Request.GraphUserCallback() {
    @Override
    public void onCompleted(GraphUser user, Response response) {
        // user is always null here; the response carries the error shown above
    }
}).executeAsync();
Townspeople answered 12/3, 2014 at 17:41 Comment(1)
I am getting the same error. How did you resolve this? Please help me, it's urgent. Habitat
T
39

The only way I was able to get it working was by setting "App Secret proof for API calls" to No in the advanced settings of the Facebook app.

However, this is a fix, not a solution, since I wasn't able to make the request with the option set to Yes (as is possible in the iOS Facebook SDK).

Townspeople answered 7/4, 2014 at 10:30 Comment(2)
Is this safe? What are the security risks that come from disabling that opt? Baal
@Townspeople This option is disabled by default. I think this option "enhanced" the security. This doesn't mean your FB app is "unsafe" if you turn this option off. Telephony
B
18

You need to add a parameter "appsecret_proof" to your request containing a 'sha256' hash of accessToken and appSecret.

https://developers.facebook.com/docs/graph-api/securing-requests

Bel answered 27/1, 2015 at 15:29 Comment(1)
Strangely, it looks like this is the URL now: developers.facebook.com/docs/graph-api/securing-requests%20 I only say strangely because not many URLs have a %20 in them (other than that, it's the same as your URL)... Penhall
E
8

You need to disable Require App Secret in the Facebook app's advanced settings.

Editheditha answered 16/2, 2017 at 10:20 Comment(2)
Is this safe? What are the security risks that come from disabling that opt? Baal
Thank you so much. It solved the issue. But is it good as per the security aspects? Naaman
A
1

While not an actual answer to your question (since it doesn't involve the Android SDK), it seems that, as of March 2018, there still are some issues regarding the appsecret_proof and calls from web page (JavaScript) and possibly mobile (not sure about that) clients.

Facebook bug report (February 2018) - issue reappeared

Facebook bug report (October 2016)

Facebook bug report (February 2015)

That is, for an application with Require App Secret enabled (App Dashboard > Settings > Advanced > Security > Require App Secret), it seems that one cannot perform API calls from JavaScript without passing the appsecret_proof - at the moment of writing (March 2018).

Quick "fix" - disable the flag. Depending on the requirements, one may also choose to have two Facebook applications: one for web page / mobile calls (flag disabled), and one for server side calls (flag enabled).

Archangel answered 7/3, 2018 at 20:50 Comment(0)
