Test Users: New response, limit, and password reset feature
Most developers test their apps by generating test users. We recently updated the response to include the test user’s email and password along with the id, access_token, and login_url. In addition, we added the ability to reset passwords via Graph API. We recommend that you either record the password or reset it whenever you need it, as it is only returned when the test user is first created.
Here’s a simple PHP example that creates a new test user, prints out the response, and changes the test user’s password:
<?php
$app_id = "YOUR_APP_ID";
$app_secret = "YOUR_APP_SECRET";

// Obtain an app access token (client credentials grant)
$token_url = "https://graph.facebook.com/oauth/access_token?"
    . "client_id=" . $app_id
    . "&client_secret=" . $app_secret
    . "&grant_type=client_credentials";
$app_access_token = file_get_contents($token_url);

// Create an installed test user with the read_stream permission
$graph_url = "https://graph.facebook.com/" . $app_id
    . "/accounts/test-users?installed=true"
    . "&permissions=read_stream&method=post&" . $app_access_token;
$response = file_get_contents($graph_url);
if (!$response) {
    die("Could not create test user.");
}
$obj = json_decode($response);
echo "<pre>";
print_r($obj);   // id, access_token, login_url, email and password
echo "</pre>";

// Change the password (the generated one is only returned at creation time)
$new_password = "YOUR_NEW_PASSWORD";
$graph_url = "https://graph.facebook.com/" . $obj->{'id'}
    . "?password=" . urlencode($new_password)
    . "&method=post&" . $app_access_token;
$response = file_get_contents($graph_url);
if ($response) {
    echo "Password changed successfully.";
}
?>
Based on your feedback, we have also increased the limit for the number of test users an app can create to 500.
Prompting users to re-authenticate
For many situations (e.g., before a user makes a purchase), developers wanted the ability to confirm a user’s identity by prompting the user to re-type their password. This prevents someone on a shared computer from making a purchase as another user who is still logged in.
We have added two additional parameters that you can pass into the authentication request (at https://www.facebook.com/dialog/oauth or https://graph.facebook.com/oauth/authorize):
auth_type: this parameter specifies the requested authentication features (as a comma-separated list). Valid options are:
- https: checks for the presence of the secure cookie and asks for re-authentication if it is not present
- reauthenticate: asks the user to re-authenticate unconditionally
auth_nonce: specifies an app-generated alphanumeric nonce which can be used to provide replay protection. This parameter is optional, but apps are strongly encouraged to use it, especially when requesting reauthenticate as auth_type.
Here’s a PHP example of authenticating and re-authenticating a user:
<?php
$app_id = "YOUR_APP_ID";
$app_secret = "YOUR_APP_SECRET";
$my_url = "YOUR_APP_URL";
// Replace with a nonce generated fresh for each re-auth request and kept
// server-side (e.g. in the session); a fixed value gives no replay protection
$auth_nonce = "YOUR_AUTH_NONCE";
$code = isset($_REQUEST["code"]) ? $_REQUEST["code"] : "";

// Check to see if reauth button was clicked; if so, prompt the re-auth dialog
if (!empty($_REQUEST['reauth'])) {
    $dialog_url = "https://www.facebook.com/dialog/oauth?client_id=" . $app_id
        . "&redirect_uri=" . urlencode($my_url)
        . "&auth_type=reauthenticate&auth_nonce=" . urlencode($auth_nonce);
    echo("<script> top.location.href='" . $dialog_url . "'</script>");
    exit;
}

if (!empty($_REQUEST['error'])) {
    // user did not reauthenticate successfully
    $description = isset($_REQUEST['error_description']) ? $_REQUEST['error_description'] : "";
    echo htmlspecialchars($_REQUEST['error'] . ": " . $description);
    echo '<p>';
    exit;
}

// Check if code is empty (when user first hits page). Prompt user to auth.
if (empty($code)) {
    $dialog_url = "https://www.facebook.com/dialog/oauth?client_id=" . $app_id
        . "&redirect_uri=" . urlencode($my_url);
    echo("<script> top.location.href='" . $dialog_url . "'</script>");
    exit;
}

// Exchange the code for an access token
$token_url = "https://graph.facebook.com/oauth/access_token?"
    . "client_id=" . $app_id
    . "&redirect_uri=" . urlencode($my_url)
    . "&client_secret=" . $app_secret
    . "&code=" . $code;
$access_token = file_get_contents($token_url);
$params = null;
parse_str($access_token, $params);

// The nonce is only echoed back after a re-authentication request
if (isset($params['auth_nonce']) && $params['auth_nonce'] === $auth_nonce) {
    echo("Hello again! You were re-authenticated.");
    echo '<p>';
    exit;
}

$graph_url = "https://graph.facebook.com/me?" . $access_token;
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . htmlspecialchars($user->name));
echo '<p>';
?>
<html>
<head></head>
<body>
<form action="YOUR_APP_URL">
<input type="hidden" name="reauth" value="true" />
<input type="submit" value="Re-authenticate" />
</form>
</body>
</html>
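The snippet above compares auth_nonce against a fixed placeholder. The following is an added example, not code from the original post, showing per-request nonce handling: issue a fresh nonce, bind it to the session, and verify the one echoed back in the access_token response with a constant-time comparison, consuming it so the same response cannot be accepted twice. It assumes PHP 7+ and that the caller has already started a session; the session key name and the sample response body are constructed for the demonstration.

```php
<?php
// Added example (not from the original post). Assumes PHP 7+ and a session
// started by the caller; "fb_reauth_nonce" is a key name chosen here.

// Create a fresh nonce for this re-auth request and remember it in the session.
function issue_reauth_nonce(array &$session): string {
    $nonce = bin2hex(random_bytes(16));   // 32 hex chars, alphanumeric as required
    $session['fb_reauth_nonce'] = $nonce;
    return $nonce;
}

// Build the dialog URL that forces re-authentication and carries the nonce.
function reauth_dialog_url(string $app_id, string $redirect_uri, string $nonce): string {
    return 'https://www.facebook.com/dialog/oauth?' . http_build_query([
        'client_id'    => $app_id,
        'redirect_uri' => $redirect_uri,
        'auth_type'    => 'reauthenticate',
        'auth_nonce'   => $nonce,
    ]);
}

// Check the access_token response body ("access_token=...&expires=...&auth_nonce=...")
// against the nonce stored for this session. The nonce is single-use: it is
// cleared whether or not the check succeeds.
function verify_reauth_response(string $body, array &$session): bool {
    $params = [];
    parse_str($body, $params);
    $expected = $session['fb_reauth_nonce'] ?? null;
    unset($session['fb_reauth_nonce']);
    if ($expected === null || !isset($params['auth_nonce'])) {
        return false;   // no re-auth pending, or no nonce echoed back
    }
    return hash_equals($expected, (string) $params['auth_nonce']);
}

// Demonstration with a constructed session array and constructed token responses.
$session = [];
$nonce = issue_reauth_nonce($session);
echo reauth_dialog_url('YOUR_APP_ID', 'https://example.com/app', $nonce), "\n";

$body = 'access_token=CONSTRUCTED_TOKEN&expires=5000&auth_nonce=' . $nonce;
var_dump(verify_reauth_response($body, $session));   // first presentation: accepted
var_dump(verify_reauth_response($body, $session));   // same body again: rejected, nonce consumed
var_dump(verify_reauth_response('access_token=CONSTRUCTED_TOKEN&expires=5000', $session));
```

A response that carries no auth_nonce at all is treated as a plain login, not as proof that the re-authentication dialog was completed.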
Improving Reference Docs
Documentation activity for the past 7 days:
Fixing Bugs
Bugzilla activity for the past 7 days:
Forum Activity
Developer Forum activity for the past 7 days:
Jan Jezabek, a Platform engineer, hopes to see more e-commerce apps on Facebook use the ability to re-authenticate users.