As i presumed, i was missing a call to the client-side API to request extended permissions. (ie publish_stream).
I had a simple JavaScript function which was executed as part of the "onlogin" attribute of the FBML Login control.
Previously, i was simply doing a redirect (which would then do a single-sign-on in the server-side code).
Now, im doing this:
function postLogin(targetUrl) {
FB.Facebook.apiClient.users_hasAppPermission('publish_stream', function(result) {
if (result == 0 || result == null) {
FB.Connect.showPermissionDialog('publish_stream', function() { redirectTo(targetUrl); });
} else {
redirectTo(targetUrl);
}
});
}
Translated to english:
// On "Facebook Connect" click (which passes in a redirect URL)
// Check if user has 'publish-stream' permissions
// If they do, just redirect.
// If they dont, show a dialog requesting that permission, then redirect.
Now the server-side Graph API calls all work fine.
So to answer my own original three questions:
- How do i grant extended permissions to publish to the user's wall?
Answer: make use of the client-side JavaScript API function 'FB.Connect.showPermissionDialog' to show the popup, and 'FB.Facebook.apliClient.users_hasAppPermission' to check if they have the permission.
- What is the correct URL for obtaining an OAuth token?
Answer: I still believe it is "https://graph.facebook.com/oauth/access_token?{0}", but "https://graph.facebook.com/oauth/authorize?{0}" might be able to be used for a server-side authentication/authorization process.
- Is there a definitive source for showing how to post to a user's wall using server-side Graph API calls?
Answer: If there was, i wouldnt have to had asked this question - so the answer in short, is no. =)
Advice to anyone starting Facebook Connect work, try to avoid the "Old JavaScript API". Do as much as you can server-side (Graph API), and only use the client-side JavaScript API for the initial handshake (cross domain receiver).
Full flow - four page example (easier to edit and understand for an example)
So the config just has the basic app info...
When you load index.php
- it redirects to facebook to get authorization for the page.. (probably already have this.. but covering all bases)
Facebook then redirects back to the redirecturl (backfromfb.php
)...
Facebook returns the access token as a hash and not a get variable, so this page refreshes with the hash as a variable...
It then loads the PageUpdate.php
which handles looping through the app/admin tokens and finds the correct one for the page you want to post to..
Then it builds the post and submits it..
It sounds like you have an understanding of most of this... So hopefully this will help you with that last bit.
config.php
<?php
$config = array(
'appId' => 'YOUR APP ID',
'secret' => 'YOUR APP SECRET',
'cookie' => true;
);
$baseurl = 'http://yoursite.com/';
$returnpage = 'backfromfb.php';
require_once('library/facebook.php');
?>
index.php
<?php require_once('config.php'); ?>
<html><head><title>Redirecting for auth</title></head><body><script type="text/javascript">
window.location.href = 'https://www.facebook.com/dialog/oauth?client_id=<?php echo $config['appId']; ?>&redirect_uri=<?php echo $baseurl . $returnpage; ?>&scope=manage_pages&response_type=token';
</script></body></html>
backfromfb.php
<?php
require_once('config.php');
// this page just passes the access token from the hash to a GET arg...
if (!isset($_GET['access_token'])) {
?>
<html><head><title>Redirecting</title></head><body><script type="text/javascript">
accessToken = window.location.hash.substring(1);
window.location.href = '<?php echo $baseurl . $returnpage; ?>?' + accessToken;
</script></body></html>
<?php
} else {
require_once('PageUpdate.php');
} ?>
PageUpdate.php
<?php
require_once('config.php');
$pageID = "123456 WHatever you page id is";
$AppToken = array(
'access_token' => $_REQUEST['acess_token']
);
$fb = new Facebook($config);
// Load APP page access rights for user via AppToken
$pageAdmin = $fb->api('/me/accounts', 'GET', $AppToken);
// Find the page access token
foreach ($pageAdmin['data'] as $data) {
if ($data['id'] == $pageID) {
$pageToken['access_token'] = $data['access_token'];
continue;
}
}
// compile the post
$WallPost = array(
'message' => 'Test post from my app!'
); // you can also use 'picture', 'link', 'name', 'caption', 'description', 'source'....
//http://developers.facebook.com/docs/reference/api/
// post to wall
$response = $fb->api($pageID . '/feed','POST',$WallPost);
if($response) {
echo 'Success!';
echo '<pre>' . $response . '</pre>';
} else echo "failed";
?>
Best Answer
It's pretty simple. You can call FB.login to get extended permissions. Then you can call FB.ui to post a status (or FB.api to call /me/feed to post without user interaction, which is frowned upon). To be able to push wall posts at a later date you would need to store the access_token on your server for later use.