Retrieve photos from facebook graph api without login

Question

I have a php app where my registered users login to facebook. I use $facebook->getLogoutUrl(); . Then I retieve all their albums and display their id and names in an HTML select tag. The user select one and the id of the album is stored in the DB.

Here everything works great.

Then an anonymous user visit my website and I want him to see my registered user photos (public photos of the albums selected by the registered users) (they are not logged in my site, they are not logged in facebook). At the moment it only works if the anonymous user is logged in facebook. But I want to diplay photos even if the anon is not logged in facebook.

$photos = $facebook->api('/'.$idAlbum.'?fields=id,name,link,photos.fields(id,picture,source)');

I have tried a lot for 2 weeks but nothing seems to work. I have tried without login, I have tried with an app access token, I have tried:

https://graph.facebook.com/oauth/access_token?client_id=XXXXXX&client_secret=YYYYYY&grant_type=client_credentials

Can anyone help me? or tell me if is not possible to my app to retireve photos from an album. I searched a way to login my app but I only find app access token ( https://developers.facebook.com/docs/howtos/login/login-as-app/ ) but as it say it can make requests as the app, not as a user

Answer 1

In order to access a users information, you're going to need a valid access token for that user. An application access token can't be used to do anything on behalf of a user.

Access tokens expire after a while and that prevents applications from searching though the users information when the user is not actually using the application.

If you want to go all the way - just download all the photo's from the album and store them on your server... If you can't do that, then you'll have to look into extending the album owner's access token so that you can use it when querying their album. As far as the application is considered, with that extended access token, it is in actual fact the album owner who is making the request.

Taken from the Facebook docs :

Extending client-side user access tokens

When a person completes a client-side auth flow and you retrieve their user access token, by default the token is only valid for one to two hours.

You can exchange this token for a longer-lived one that's valid for up to 60 days by passing it to the /oauth endpoint from your server with a grant_type parameter of fb_exchange_token. [Note that it must be sent from the server so that the App Secret is not exposed.] Here's what that looks like:

 https://graph.facebook.com/oauth/access_token?   \n    grant_type=fb_exchange_token&            \n    client_id=APP_ID& \n    client_secret=APP_SECRET& \n    fb_exchange_token=SHORT_LIVED_ACCESS_TOKEN  

The response from this endpoint will include the long-lived access token. This will be a different string to the original token, so if you're storing these tokens, replace the old one.

Basically you'll have to do this as soon as any (registered) user performs a succesful login and store the token in your database.