Skip to main content

Posting to FaceBook feed using Graph API

Graph API was announced at F8 with a promise to dramatically simplify the FB API.
I checked the read access over the new interface during the presentations and to my big surprise it worked flawlessly and from the first time.
When I tried, JSON-formatted info about the FaceBook page was returned (as expected).

Then I tried OAuth 2.0 way of accessing the API to post a message to the feed.
And to my even bigger surprise it worked too!

Here is what you need to do to access Graph API over OAuth:
1. Create a FB app, store app properties to a file:

  1. $appkey = '7925873fbfb5347e571744515a9d2804';
  2. $appsecret = 'THE SECRET';
  3. $canvas = '';
2. Create a page that will prompt user the access permission (I am prompting for the publish_stream and offline_access permissions at the same time)

  1. //
  2. require 'settings.php';

  3. $url = "";
  4. $url .= "client_id=$appid&";
  5. $url .= "redirect_uri=$canvas/callback.php&";
  6. $url .= "scope=publish_stream,offline_access";
  7. $url .= "&type=user_agent&display=popup";

  8. echo("$url");

3. Create a page to handle OAuth call-back with token and do the feed post:

  1. require 'settings.php';

  2. function
    callFb($url, $params) {
  3. $ch = curl_init();
  4. CURLOPT_URL => $url,
  5. CURLOPT_POSTFIELDS => http_build_query($params),
  7. CURLOPT_VERBOSE => true
  8. ));
  9. $result = curl_exec($ch);
  10. curl_close($ch);
  11. return $result;
  12. }

  13. $token = $_REQUEST['access_token'];

  14. $hello = "Hello from Graph API";
  15. $params=array('access_token'=>$token, 'message'=>$hello);
  16. $url = "";
  17. callFb($url, $params);

Important! Do not forget to select "new SDK" on the application settings page (I think that Facebook documentation fails to mention that)


ViN said…
How often do i need to generate an access token? is it a one shot deal?
Gene Leybzon said…
With the code show, I request "offline_access" permission from user. if granted token could be used as long as needed (similar to "infinite session key" with old API). Without "offline_access" permission, token will be working for a few hours.
trahma said…
Not exactly sure why, my response is coming back with a # in my callback instead of a ?. I can easily catch this with php but it seems as if its not exactly working as intended.
Gene Leybzon said…
I have a normal response with '?' separating call-back url and returned values. Please make sure that you correct app id matching with app secret. Also you may get more than one call-backs from FaceBook. You can ignore any call-backs after the first one.
trahma said…
I've verified I have the correct secret but I don't see anywhere in your code where you're using $appsecret. My upfront thought was type was messing with it
CC said…
Looks like you are working on the same stuff I am.

I think you may be omitting some code on that second page; all it does is echo out that URL you've constructed.

I'm trying to get this stuff to work within a Canvas app, and when I redirect the user to that URL you showed, I get Facebook framed with the semitransparent black backdrop. Any idea how to properly get that to work?
Gene Leybzon said…
CC, you are absolutely right! This code is just constructing this URL can be constructed manually and user can be redirected to this URL at any point. I even tried to put this URL in app settings so this will be the first page user is redirected to after the app install.
I think for the problem you see, you need to check application properties you set up with FaceBook. I'd pay special attenuation to have your app as FBML, not iframe
CC said…
Thanks for the follow-up. I just now got it working in the canvas context. I added "canvas=1" and "fbconnect=0" to the params, and used "display=page" to get it to work.

Thanks for this post - it saved me a good amount of work!
dennisp said…

That's a shame that FB docs are that unclear.

Using your method. It does not return access_token but json-encoded session object. The returned session_key cannot be used with the graph api, just with the older api. Anybody came across this situation? Thanks.
Matt Farnell said…
I get the # instead of a ? as well.

I have as my redirect_uri.
Gene Leybzon said…
I would specify full page URL (as in my original post) for the callback URL to avoid problem with the #
TestBrand said…

Thanks for the tutorial.. Its gud
I have one issue.. CURL is giving the error, "Could not connect to host".. Donno why.. I have added the IP of in hosts file..but still the same..

Is that something to be done with https ..

Please help
Erica said…
Creating a simple post to a fan page through my web site is driving me to drink.

I think I finally have it all pieced together but I am also having the issue with the hash tag "#" separating my callback page and my access token, which google tells me PHP cannot retrieve for me.

my callback page is set to but it goes to

I am ready to punch a facebook employee in the brain.

Popular posts from this blog

Amazon Simple Email Service (Amazon SES) and PHP

This morning Amazon announced availability of a bulk email delivery service called "Simple Email Service". Anyone who knows how much pain is it to set-up scalable email solution (and it is not just spammers who need it!) should celebrate the occasion. I know of a company that spent several years cleaning ip addresses it sends email and found itself locked into the contract with internet provider since it would take forever to reach required level of email deliver ability anywhere else.

Anyway, this evening I decided to check the Amazon claim that the service is "simple". Found out that it is indeed simple!
Since there is not much in terms of the documentation yet, here is my code where I used AWS PHP library:

// Enable full-blown error reporting.

// Set plain text headers
header("Content-type: text/plain; charset=utf-8");

// Include the SDK
require_once '../sdk.class.php';

// Instantiate th…

JavaScript in Facebook applications

Facebook (finally) allowed Java Script in FB applications outside of IFRAME
Among other things, I liked how elegantly they are creating namespaces separating different applications on the same page. Seems that it cold be a security hole here - it is possible to enumerate java functions on the page and "impersonate" user actions with another apps installed on the same page. Other than that - it's great that we can use JavaScript outside of the IFRAME sandbox.