Authenticating with Facebook Graph API

Question

I need to pull some posts off a Facebook page and display them on my website. I'm looking at using Facebook Graph API for this, but I'm struggling a bit, the documentation and all kinds of tutorials seems to assume that I will set up a login flow to first ask the user to login to my website. But that's not what I need. I need my server side application to be (stay) authenticated with Facebook and regularly fetch any new posts.

I found out that it should be possible to get a long-lived token by using page tokens, but right now I cannot even figure out how to authenticate using regular short-lived tokens.

So I set up a testing app to get an app ID and secret and went to Facebook Graph API Explorer to get the authentication token for the user I used to create the app.

Here is the basic code I'm using to test the connection Graph Api:

(...)
$fb = new \Facebook\Facebook([
    'app_id' => $app_id,
    'app_secret' => $app_secret,
    'default_graph_version' => '2.8',
    'default_access_token' => $app_access_token
]);

try {
    $response = $fb->get('/me');
} catch(\Facebook\Exceptions\FacebookResponseException $e) {
    echo 'Graph returned an error: ' . $e->getMessage();
    exit;
} catch(\Facebook\Exceptions\FacebookSDKException $e) {
    // When validation fails or other local issues
    echo 'Facebook SDK returned an error: ' . $e->getMessage();
    exit;
}

$me = $response->getGraphUser();

When I run my code I get this message:

Graph returned an error: Invalid appsecret_proof provided in the API argument

I've triple-checked that $app_id and $app_secret are the values given when I created the app and I've triple checked my access token (tried with my personal user token as well as the page token which I was able to get through the Graph API Explorer).

I found another SO thread suggesting that I should generate an appsecret proof manually, so I did this:

$appsecret_proof= hash_hmac('sha256', $app_access_token, $app_secret);

$fb = new \Facebook\Facebook([
    'app_id' => $app_id,
    'app_secret' => $appsecret_proof,
    'default_graph_version' => '2.8',
    'default_access_token' => $app_access_token
]);

I'm not sure if I should pass the $appsecret_proof to the app_secret or how I should use it. I'm still getting the same error with the code above.

Answer 1

   get facebook mutual friend with app user or non app user

    $access_token = "facebook user token";
    $facebook_id = "friend id";
    $app_secret = "facebook secret";
    $appsecret_proof = hash_hmac('sha256', $access_token, 
    $app_secret);


    $graph_url = "https://graph.facebook.com/" . $facebook_id . "?fields=context.fields(all_mutual_friends.fields(id,name,picture.width(200).height(200)))" . "&access_token=" . $access_token . "&appsecret_proof=" . $appsecret_proof;


    $ch = curl_init();

    curl_setopt($ch, CURLOPT_URL, $graph_url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

    $output = curl_exec($ch);
    return $response_mutual = json_decode($output, true);
    curl_close($ch);