Avinash Gupta

Reputation: 399

Invalid appsecret_proof provided in the API argument on python server

I'm having trouble fetching mutual friends for two users of my app who are not friends.

As per all_mutual_friends permission, I need to make the request along with the appsecret_proof parameter.

I generated the app_access_token using this GET call:

GET /oauth/access_token
?client_id={app-id}
&client_secret={app-secret}
&grant_type=client_credentials

I've triple-checked the app_id and app_secret; they are correct. I generated the appsecret_proof by SHA256 hashing the app_access_token with app_secret in Java.

Now when I request the mutual friends (sending the appsecret_proof as a query parameter), it responds saying

"Invalid appsecret_proof provided in the API argument" 

with a GraphMethodException. The original request (without appsecret_proof) is working fine for users who are friends. Any pointers here?

Here is the Java code I'm using to generate appsecret_proof:

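import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.util.Formatter;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Returns the hex-encoded HMAC-SHA256 of text, keyed with secretKey.
public static String hashMac(String text, String secretKey)
        throws SignatureException {
    try {
        // Encode explicitly as UTF-8 so the result does not depend on the platform default charset.
        Key sk = new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), HASH_ALGORITHM);
        Mac mac = Mac.getInstance(sk.getAlgorithm());
        mac.init(sk);
        final byte[] hmac = mac.doFinal(text.getBytes(StandardCharsets.UTF_8));
        return toHexString(hmac);
    } catch (NoSuchAlgorithmException e1) {
        // throw an exception or pick a different encryption method
        throw new SignatureException(
                "error building signature, no such algorithm in device "
                + HASH_ALGORITHM);
    } catch (InvalidKeyException e) {
        throw new SignatureException(
                "error building signature, invalid key " + HASH_ALGORITHM);
    }
}

private static final String HASH_ALGORITHM = "HmacSHA256";

// Lowercase hex encoding, two characters per byte.
public static String toHexString(byte[] bytes) {
    StringBuilder sb = new StringBuilder(bytes.length * 2);
    try (Formatter formatter = new Formatter(sb)) {
        for (byte b : bytes) {
            formatter.format("%02x", b);
        }
    }
    return sb.toString();
}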

My server is Python-based.

Upvotes: 1

Views: 952

Answers (1)

Avinash Gupta

Reputation: 399

I was able to fetch the mutual friends. I was using the app_access_token to generate the appsecret_proof, but the access_token of the sessioned user needs to be used to generate the appsecret_proof. Apparently, this was not documented by Facebook.

Upvotes: 2
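
The fix from the answer, sketched for a Python server as an added example (not code from the original post): the proof is an HMAC-SHA256 over the same access token that is sent in the request, keyed with the app secret. The token and secret values are constructed placeholders, and `proof_matches` is an assumed model of the API-side check, not Facebook's code.

```python
import hashlib
import hmac


def appsecret_proof(access_token: str, app_secret: str) -> str:
    """HMAC-SHA256 of the access token, keyed with the app secret, as lowercase hex."""
    return hmac.new(app_secret.encode("utf-8"),
                    access_token.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def proof_matches(request_token: str, app_secret: str, proof: str) -> bool:
    """Assumed API-side check: recompute the proof over the token that
    arrived in the request and compare in constant time."""
    expected = appsecret_proof(request_token, app_secret)
    return hmac.compare_digest(expected.encode("utf-8"), proof.encode("utf-8"))


def signed_params(request_token: str, app_secret: str) -> dict:
    """Query parameters for a call: the token and a proof derived from that same token."""
    return {"access_token": request_token,
            "appsecret_proof": appsecret_proof(request_token, app_secret)}


# Constructed sample values, not real credentials.
APP_SECRET = "constructed-app-secret"
APP_TOKEN = "constructed-app-access-token"
USER_TOKEN = "constructed-user-access-token"


def demo() -> tuple:
    # What the question did: proof derived from the app token, sent with the user's token.
    wrong = {"access_token": USER_TOKEN,
             "appsecret_proof": appsecret_proof(APP_TOKEN, APP_SECRET)}
    # What the answer does: proof derived from the session user's token.
    right = signed_params(USER_TOKEN, APP_SECRET)
    return (proof_matches(wrong["access_token"], APP_SECRET, wrong["appsecret_proof"]),
            proof_matches(right["access_token"], APP_SECRET, right["appsecret_proof"]))


if __name__ == "__main__":
    print(demo())
```

The app secret stays on the server; only the resulting proof travels with the request.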
