Hold on, this is going to be fast and smooth! I am playing with an Android Emluator for a few days now. One of the challenges was to mount FacebookOAuthGraph lib into Android. It turned out to be 1 hour task. Thanks to Flash-Core article and sHTiF and StageWebView. Long live AIR for Android! Follow the article for codes:

You do not need a callback.html file, as in previous AIR example, you can use non existing redirect_uri targeting correct domain + a simple extending of FacebookOAuthGraph:

package
{
    import flash.display.Stage;
    import flash.events.LocationChangeEvent;
    import flash.geom.Rectangle;
    import flash.media.StageWebView;

    import onboard.Controller;

    public class FacebookAndroid extends FacebookOAuthGraph
    {
        public var loader:StageWebView;
        public var stage:Stage; // this is the air application Stage

        public function FacebookAndroid()
        {
            super();
        }

        override public function connect():void
        {
            var bounds:Rectangle = new Rectangle(0,0,480,480);

            loader = new StageWebView();
            loader.addEventListener(LocationChangeEvent.LOCATION_CHANGING, onLocationChanging);
            loader.addEventListener(LocationChangeEvent.LOCATION_CHANGE, onLocationChange);
            loader.stage = stage;
            loader.viewPort = bounds;
            loader.loadURL(authorizationURL);
        }

        private function onLocationChanging(event:LocationChangeEvent):void
        {
            event.preventDefault();
            loader.loadURL(event.location);
        }

        private function onLocationChange(event:LocationChangeEvent):void
        {
            var hash:String = locationExtractHash(loader.location);
            var error:String = locationExtractError(loader.location);
            if(hash)
                confirmConnection(hash);
            if(hash || error)
                destroyLoader();
        }

        protected function locationExtractHash(url:String):String
        {
            var index:int = url.indexOf("#");
            if(index <= -1)
                return null;
            var hash:String = url.substr(index + 1);
            return hashToToken(hash) ? hash : null;
        }

        protected function locationExtractError(url:String):String
        {
            var index:int = url.indexOf("?");
            if(index <= -1)
                return null;
            var query:String = url.substr(index + 1);
            var variables:URLVariables = new URLVariables(query);
            return variables.hasOwnProperty("error") ? variables.error : null;
        }

        private function destroyLoader():void
        {
            loader.removeEventListener(LocationChangeEvent.LOCATION_CHANGING, onLocationChanging);
            loader.removeEventListener(LocationChangeEvent.LOCATION_CHANGE, onLocationChange);
            loader.dispose();
            loader = null;
        }
    }
}

How does this works? You do not need any callback.html, just generate some redirect_uri that correctly targets your domain, it can be anything, even 404.html, or asdf-foo-bar.html file that does not exist. Once the Facebook, redirects you back to the redirect_uri, the url contains access_token within url hash

http://domain/whatever-or-404.html#access_token=123

… now, if it does, it is parsed by locationExtractHash(), if it does not, the url contains error (user clicked Cancel button), the url contains error:

http://domain/whatever-or-404.html?error_reason=user_denied&error=access_denied&error_description=The+user+denied+your+request.

In case of error locationExtractError() parses and error. In both cases (error or access_token), the HTMLLoader window is closed and token is handled via confirmConnection(). Yeah, this way you can authorize !ANY! existing facebook application for your AIR app.

sHTiF also did a good job commenting all the functions, follow his the article to understand LocationChangeEvent listeners.

I was asked to make AIR compatibile version of FacebookOAuthGraph class. It was a nice little challenge for me, where I learn some new things about AIR. E.g. how easy it is to define the JavaScript callback directly from ActionScipt (HTMLLoader.window.methodName)… There are more ways to make authorization process work for you, I have chosen the one with popup window. In order to make FacebookOAuthGraph work for AIR, the short extending is required, instead of creating popup window from JavaScript, popup is created by HTMLLoader.createRootWindow (no ExternalInterface required)…

Lets start with the main AIR Application file:

<?xml version="1.0" encoding="utf-8"?>
<s:WindowedApplication xmlns:fx="http://ns.adobe.com/mxml/2009"
                       xmlns:s="library://ns.adobe.com/flex/spark"
                       xmlns:mx="library://ns.adobe.com/flex/mx"
                       applicationComplete="init()">
    <s:layout>
        <s:VerticalLayout />
    </s:layout>

    ... here comes the same content as in:
    "http://blog.yoz.sk/2010/05/facebook-graph-api-and-oauth-2-and-flash/"
    ...
    just change redirectURI to:
    "http://blog.yoz.sk/examples/FacebookOAuthGraph/aircallback.html"
    ...

</s:WindowedApplication>

Do not bother with callback.html (you do not need any, if you do, create an empty .html file) and make your Facebook class look something like this:

package
{
    import flash.display.NativeWindowInitOptions;
    import flash.events.Event;
    import flash.geom.Rectangle;
    import flash.html.HTMLLoader;
    import flash.net.URLRequest;

    public class Facebook extends FacebookOAuthGraph
    {
        public var loader:HTMLLoader;

        public function Facebook()
        {
            super();
        }

        override public function connect():void
        {
            var options:NativeWindowInitOptions = new NativeWindowInitOptions();
            var boundaries:Rectangle = new Rectangle(200,200,500,500);
            loader = HTMLLoader.createRootWindow(true, options, true, boundaries);
            loader.load(new URLRequest(authorizationURL));
            loader.addEventListener(Event.LOCATION_CHANGE, onLocationChange);
        }

        private function onLocationChange(event:Event):void
        {
            var hash:String = locationExtractHash(loader.location);
            var error:String = locationExtractError(loader.location);
            if(hash)
                confirmConnection(hash);
            if(hash || error)
                destroyLoader();
        }

        protected function locationExtractHash(url:String):String
        {
            var index:int = url.indexOf("#");
            if(index <= -1)
                return null;
            var hash:String = url.substr(index + 1);
            return hashToToken(hash) ? hash : null;
        }

        protected function locationExtractError(url:String):String
        {
            var index:int = url.indexOf("?");
            if(index <= -1)
                return null;
            var query:String = url.substr(index + 1);
            var variables:URLVariables = new URLVariables(query);
            return variables.hasOwnProperty("error") ? variables.error : null;
        }

        private function destroyLoader():void
        {
            loader.removeEventListener(Event.LOCATION_CHANGE, onLocationChange);
            loader.removeEventListener(MouseEvent.MOUSE_OVER, onMouseOver);
            loader.stage.nativeWindow.close();
            loader = null;
        }
    }
}

How does this works? You do not need any callback.html, just generate some redirect_uri that correctly targets your domain, it can be anything, even 404.html, or asdf-foo-bar.html file that does not exist. Once the Facebook, redirects you back to the redirect_uri, the url contains access_token within url hash

http://domain/whatever-or-404.html#access_token=123

… now, if it does, it is parsed by locationExtractHash(), if it does not, the url contains error (user clicked Cancel button), the url contains error:

http://domain/whatever-or-404.html?error_reason=user_denied&error=access_denied&error_description=The+user+denied+your+request.

In case of error locationExtractError() parses and error. In both cases (error or access_token), the HTMLLoader window is closed and token is handled via confirmConnection(). Yeah, this way you can authorize !ANY! existing facebook application for your AIR app.

Depricated version using JavaScript in callback

Keep the changes in main AIR Application file (see above), and make small changes in aircallback.html, in fact it got even simplier comparing to the original:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sk" lang="sk" dir="ltr">
<head>
	<script type="text/javascript">
	<!--
		confirmFacebookConnection(window.location.hash);
	//-->
	</script>
</head>
<body>
<p>You may now close this window.</p>
</body>
</html>

… finally some method changes in FacebookOAuthGraph class:

package
{
    import flash.display.NativeWindowInitOptions;
    import flash.events.Event;
    import flash.geom.Rectangle;
    import flash.html.HTMLLoader;
    import flash.net.URLRequest;

    import sk.yoz.net.FacebookOAuthGraph;

    public class Facebook extends FacebookOAuthGraph
    {
        public var loader:HTMLLoader;

        public function Facebook()
        {
            super();
        }

        override public function connect():void
        {
            var options:NativeWindowInitOptions = new NativeWindowInitOptions();
            var boundaries:Rectangle = new Rectangle(200,200,500,500);
            loader = HTMLLoader.createRootWindow(true, options, true, boundaries);
            loader.load(new URLRequest(authorizationURL));
            loader.addEventListener(Event.HTML_DOM_INITIALIZE, onDOMInit);
        }

        private function onDOMInit(event:Event):void
        {
            loader.window[jsConfirm] = confirmConnection;
        }

        override public function confirmConnection(hash:String):void
        {
            super.confirmConnection(hash);
            loader.stage.nativeWindow.close();
        }
    }
}

What it does is, it pushes JavaScript callback into HTMLLoader that is called via aircallback.html JavaScript…

Where to go from here:

• Making ActionScript objects available to JavaScript
• Creating Windows in HTML and JavaScript AIR Applications
• How to access an iframe in an Adobe AIR application?
• Tweetr Tutorials: Pinless OAuth in AIR
• AIR and authentification on Facebook

Hi folks! Today, while mounting some of my projects into AIR, I realized that it would be great if I could pusblish AIR badges over Facebook. You know what? That is possible! I have created a simple flex application + facebook application that, based on parameters, generates AIR badge for an app. Now its time to share the stuff with you, feel free to publish your AIR badges, and let me know how do you like it.

How to use it?

1. Use application inserted below, or open (and bookmark) it in new window, or use AIR publisher facebook application
2. click connect (if using facebook application it connects you automatically)
3. fill desired parameters (click “fill example” button to demonstrate working parameters for one of my applications)
4. click “publish” button
5. wait for Alert with publishing status (displays post id if succeeded)

By default it publishes AIR badge directly into your facebook stream (wall), plus if you click “Like” on my facebook application (facebook restriction), it also publishes the badge into AIR publisher application wall.

How would your facebook post look like?

https://graph.facebook.com/oauth/authorize
    ?client_id=268718683475
    &redirect_uri=http://apps.facebook.com/blogoauthgraph/
    &scope=publish_stream,user_photos,user_photo_video_tags

… where facebook authorized your app and redirects back to the:

http://apps.facebook.com/blogoauthgraph/
    ?session=123456...

… where session was valid access_token.

Since today the mechanism changed into something like this:

https://graph.facebook.com/oauth/authorize
    ?client_id=268718683475
    &redirect_uri=http://apps.facebook.com/blogoauthgraph/
    &scope=publish_stream,user_photos,user_photo_video_tags

… redirects you to the:

http://apps.facebook.com/blogoauthgraph/
    ?code=2.YndguK...

… while you do not have valid session (access_token), you have to do the following request:

https://graph.facebook.com/oauth/access_token
    ?client_id=268718683475
    &redirect_uri=http://apps.facebook.com/blogoauthgraph/
    &client_secret=YOURSECRET
    &code=2.YndguK...

… now facebook responds with:

access_token=268718683475|2.Yndgu...&expires=86183

Notice, this is the response, not the redirect! Now its time to grab the access_token and use it in your app. This change has direct impact on Authorizing Iframe Facebook Applications For Graph API article.

There have also been some other unannounced changes e.g. in facebook app settings in migrations tab “Remove fb_sig” toggler…

Credits goes to my readers Adam Cousins, David Bardos, Garcimore, Etienne for noticing the changes.

I have just spotted quick fix. All you need to do is add type=user_agent into your auth request:

https://graph.facebook.com/oauth/authorize
    ?client_id=268718683475
    &redirect_uri=http://apps.facebook.com/blogoauthgraph/
    &scope=publish_stream,user_photos,user_photo_video_tags
    &type=user_agent

… now facebook redirects you to:

http://apps.facebook.com/blogoauthgraph/
    ?access_token=123456...
    &expires_in=86729

This token is valid! I have updated the article with this quickfix.

updated Jul 22, 2010: Facebook rollbacked the change and added “Canvas Session Parameter” parameter in facebook app settings / Migrations tab. With this setting enabled, your apps should work normally as they previously did.

While The Facebook Graph API article becomes pretty popular and a lot of developers keep asking me to publish some practices I use, I managed to create this blog post. Here is a list o some functions you may want to extend FacebookOAuthGraph Class with.

Extending & Singletonize

First, lets make our class singleton, so the whole flash project can simply access and use one instance

public class Facebook extends FacebookOAuthGraph
{
    private static const _instance:Facebook = new Facebook();
    public function Facebook()
    {
        super();
        useSecuredPath = true;
        if(instance)
            throw new Error("Use Facebook.instance!");
    }

    public static function get instance():Facebook
    {
        return _instance;
    }
    ....
}

Now anywhere in your project:

var facebook:Facebook = Facebook.instance;

Auto Execution After Authorization:

Lets say, when user clicks on publish post before your application is connected, just make connect() followed by desired function:

if(!facebook.authorized)
    facebook.connect();
facebook.publishPost(...)

publishPost() automatically executes again after connected thanks to Callbacks class

import sk.yoz.utils.Callbacks;

private function onAuthorized(event:FacebookOAuthGraphEvent):void
{
	Callbacks.execute("FBstuff");
}

public function publishPost(...):void
{
    if(!authorized)
        return Callbacks.add(this, arguments.callee, arguments, "FBstuff");

    // here continues the function code
    ...
}

Application Friends

Lets get list of friends using the application:

private function getAppFriends():void
{
	var data:URLVariables = new URLVariables();
	data.query = "SELECT uid, name, pic_square " +
			"FROM user " +
			"WHERE uid IN " +
				"(SELECT uid2 FROM friend WHERE uid1=" + me.id + ") " +
				"AND is_app_user";

	var loader:URLLoader = call("method/fql.query", data,
		URLRequestMethod.POST, null, "https://api.facebook.com");
	loader.addEventListener(FacebookOAuthGraphEvent.DATA, onGetAppFriends);
}

private function onGetAppFriends(event:FacebookOAuthGraphEvent):void
{
	var xml:XML = new XML(event.rawData);
	var ns:Namespace = xml.namespace();
	default xml namespace = ns;
	xml.namespace(ns.prefix);
	xml.ignoreWhite = true;
	for each(var user:XML in xml.user)
	{
		user.uid.toString();
        user.name.toString();
		...
    }
    default xml namespace = new Namespace("");
}

Publishing Feeds

Publish feed with image:

public function publishPost(message:String, attachmentName:String,
	attachmentDescription:String):void
{
	var media:Object = {};
	media.src = "http://mydomain.com/feedimage.jpg";
	media.href = "http://apps.facebook.com/myapp";
	media.type = "image";

	var attachment:Object = {};
	attachment.name = attachmentName;
	attachment.href = "http://apps.facebook.com/myapp";
	attachment.description = attachmentDescription;
	//attachment.caption = "test caption";
	attachment.media = [media];

	var data:URLVariables = new URLVariables();
	data.message = message;
	data.attachment = JSON.encode(attachment);

	call("method/stream.publish", data, URLRequestMethod.POST,
		null, "https://api.facebook.com");
}

Publish feed with flash:

public function publishFlash(message:String, href:String, swfSrc:String,
	mediaSrc:String, attachmentName:String, attachmentCaption:String,
	attachmentDescription:String, properties:Object=null):void
{
	var media:Object = {};
	media.type = "flash";
	media.swfsrc = swfSrc;
	media.imgsrc = mediaSrc;
	//media.width = "80";
	//media.height = "80";
	media.expanded_width = "460";
	media.expanded_height = "460";

	var attachment:Object = {};
	attachment.name = attachmentName;
	attachment.href = href;
	attachment.caption = attachmentCaption;
	attachment.description = attachmentDescription;
	attachment.media = [media];
	attachment.properties = properties; // action links
	// properties {prop1:{text: "value 1", href:"http://"}, prop2:...};

	var data:URLVariables = new URLVariables();
	data.message = message;
	data.attachment = JSON.encode(attachment);

	call("method/stream.publish", data, URLRequestMethod.POST, null,
		"https://api.facebook.com");
}

Publish feed with action links:

var properties:Object = {};
properties.MOVE = {
	text: "mouse drag",
	href:config.urlManager.boardURL};
properties.ZOOM = {
	text: "double click, [Page Up], [Page Down]",
	href:config.urlManager.boardURL};
properties.ROTATE = {
	text: "[Ctrl] + mouse move",
	href:config.urlManager.boardURL};

attachment.properties = properties;

Publishing feed using Graph API (docs, from facebook bugzilla):

• forget everything related to the old “media” stuff of the attachment
• put what you had in swfsrc into source (mandatory)
• put what you had in imgsrc into picture (mandatory)
• link is mandatory also and must points to the connect or canvas URL
• Feed arguments: message, picture, link, name, caption, description, source

Uploading Photo

This is a piece of working code from Sean, more upload handling functions and album creating can be found here. thnx Sean:

// MultipartURLLoader by Eugene Zatepyakin can be found here: http://bit.ly/9wx4q7
public function uploadImageCall(bytes:ByteArray, message:String):MultipartURLLoader
{
    var mpLoader:MultipartURLLoader = new MultipartURLLoader();
    mpLoader.addVariable("message", message);
    mpLoader.addFile(bytes, "image.jpg", "image");
    loaderAddListeners(mpLoader.loader);
    mpLoader.load(apiSecuredPath + "/me/photos?access_token="+ token);
    return mpLoader;
}

Palming Token

When localy debuging your app you may want to palm off custom access_token:

if(parameters.debug)
    facebook.hackToken(parameters, "110363ABXY..."); // copypaste from callback.html hash
facebook.autoConnect(parameters);

in Facebook.as:

public function hackToken(parameters:Object, token:String):Object
{
	if(!parameters.session)
		parameters.session = JSON.encode({
			access_token:String(token).replace(/\%7C/g, "|")});
	return parameters;
}

Advanced Crossdomain Working Authorization

Or if you prefer or need advanced callback, that works crossdomain, and also for local debuging: callback.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sk" lang="sk" dir="ltr">
<head>
	<script type="text/javascript" src="js/swfobject.js"></script>
	<script type="text/javascript">
	<!--
		if(window.opener && window.opener.confirmFacebookConnection){
			window.opener.confirmFacebookConnection(window.location.hash);
			self.close();
		}else{
			var flashvars = {};
			flashvars.connectionName = "_facebookConnector";
			flashvars.methodName = "confirmConnection";
			flashvars.hash = window.location.hash;

			swfobject.embedSWF("flash/Callback.swf", "flash", "1", "1", "10.0.0",
				"expressInstall.swf", flashvars, {}, {});
		}
	//-->
	</script>
</head>
<body>
	<p>You may now close this window.</p>
	<div id="flash"></div>
</body>
</html>

universal callback.swf (741 Bytes) main class:

package
{
    import flash.display.Sprite;
    import flash.net.LocalConnection;

    public class Callback extends Sprite
    {
        public function Callback()
        {
            super();
            var parameters:Object = loaderInfo.parameters
            var localConnection:LocalConnection = new LocalConnection();
            localConnection.send(
                parameters.connectionName,
                parameters.methodName,
                parameters.hash);
        }
    }
}

facebook.as class:

private var localConnection:LocalConnection;

override public function connect():void
{
	super.connect();

	if(!localConnection)
	{
		localConnection = new LocalConnection();
		localConnection.client = this;
		localConnection.allowDomain("*");
		localConnection.allowInsecureDomain("*");
		localConnection.connect("_facebookConnector");
	}
}

private function onAuthorized(event:FacebookOAuthGraphEvent):void
{
	// listener defined in Facebook constructor:
	// addEventListener(FacebookOAuthGraphEvent.AUTHORIZED, onAuthorized);

	try
	{
		localConnection.close();
		localConnection = null;
	}
	catch(error:Error){}
}

Getting All The Photos Of All Albums Of 1 User

Credits to Etienne, thnx

function getAllphotos(uid:String):void {
	var data:URLVariables = new URLVariables();
	data.query = "SELECT src_small, src_big " +
		"FROM photo " +
		"WHERE aid IN ( SELECT aid FROM album WHERE owner='"+HERE PUT THE USER ID+"' )"
	var loader:URLLoader = facebook.call("method/fql.query", data,URLRequestMethod.POST,
		null, "https://api.facebook.com");
	loader.addEventListener(FacebookOAuthGraphEvent.DATA, onGetAllphotos);
}

Tagging photos

This script uses photos.addTag – part of old REST api (some more reading):

var data:URLVariables = new URLVariables();
data.pid = photoID;
data.tag_uid = userID; // user on photo we are tagging
data.x = 50; // 50% means center
data.y = 50; // 50% means middle
call("method/photos.addTag", data, URLRequestMethod.GET, null, "https://api.facebook.com");

Important: Graph API upload call returns the object_id. In order to get pid you have to lookup in photo table:

SELECT pid FROM photo WHERE object_id=response.id

Catching verify token error

In order to catch the ERROR event with verifyToken() method Nils suggested the following:

override public function verifyToken(token:String):URLLoader
{
    var loader:URLLoader = super.verifyToken(token);
    loader.addEventListener(FacebookOAuthGraphEvent.ERROR,
        function(event:FacebookOAuthGraphEvent):void
        {
            _authorized = false;
            _me = null;
            _token = null;
            EventDispatcher(event.currentTarget)
                .removeEventListener(event.type, arguments.callee);
            var type:String = FacebookOAuthGraphEvent.UNAUTHORIZED;
            dispatchEvent(new FacebookOAuthGraphEvent(type));
        });
    return loader;
}

This article continues my exploration of best facebook graph api integration into your flash app. Before continue reading, make sure you understand the previous article. Due to huge interest, I am adding codes that makes your flash app working with graph api within facebook iframe. Try this app live on http://apps.facebook.com/blogoauthgraph/, notice once you get there, you are redirected to grant permissions (if not authorized or granted already) and then redirected back to the app, where you are connected and ready to use graph api.

What I did was changing one line of ActionScript, I added autoConnect() methods that sends app flashvars directly into FacebookOAuthGraph object.

var facebook:FacebookOAuthGraph = new FacebookOAuthGraph();
...
facebook.autoConnect(parameters); // passing flashvars

See full ActionScript code for details.

Now there is a different html wrapper for facebook iframe – facebook.php:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="cs" xml:lang="cs">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="Content-language" content="cs" />
    <title>FacebookOAuthGraphTest</title>
    <script type="text/javascript" src="js/swfobject.js"></script>
    <script type="text/javascript">
        //<![CDATA[
		function allRequestParameters()
		{
			var data = {};
			var strHref = window.location.href;
			if ( strHref.indexOf("?") > -1 ) {
				var strQueryString = strHref.substr(strHref.indexOf("?")+1);
				var aQueryString = strQueryString.split("&");
				for ( var iParam = 0; iParam < aQueryString.length; iParam++ ) {
					var aParam = aQueryString[iParam].split("=");
					data[aParam[0]] = aParam[1];
				}
			}
			return data;
		}

		function generateFlash()
		{
			var flashvars = allRequestParameters();
			flashvars.session = '{"access_token":"' + signed_request.oauth_token + '"}';

			var params = {
				allowScriptAccess: "sameDomain"
			};

			var attributes = {
				id: "FacebookOAuthGraphTest",
				name: "FacebookOAuthGraphTest"
			};

			swfobject.embedSWF("FacebookOAuthGraphTest.swf?v=2", "alternative", "100%", "100%", "10.0.0",
				"expressInstall.swf", flashvars, params, attributes);
		}

		<?php
		$signed_request = $_REQUEST["signed_request"];
		list($encoded_sig, $payload) = explode('.', $signed_request, 2);
		$data = base64_decode(strtr($payload, '-_', '+/'));
		echo "var signed_request=" . $data . ";";
		?>

		if(!signed_request.oauth_token){
			window.top.location = "https://www.facebook.com/dialog/oauth"
				+ "?client_id=" + '268718683475'
				+ "&redirect_uri=" + 'http://apps.facebook.com/blogoauthgraph/'
				+ "&scope=publish_stream,user_photos,user_photo_video_tags"
				+ "&response_type=token";
		}else{
			generateFlash();
		}
        //]]>
    </script>
    <style>
        body {margin:0px;overflow:hidden}
        html, body, object, embed {width:100%;height:100%;outline:none;}
    </style>
 </head>
 <body style="text-align:center;">
    <div id="alternative">
        <a href="http://www.adobe.com/go/getflashplayer">
            <img src="http://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" />
        </a>
    </div>
</body>
</html>

There are few lines of code to be mentioned:

• getRequestParameter(name) – returns GET parameter from iframe url, you can use your own functions
• allRequestParameters() – returns object consisting of all iframe GET parameters, used to pass flashvars into our flash
• php code to define javascript signed_request variable containing valid token
• window.top.location – if there is no token parameter found (not authorized yet), you are redirected to the facebook authorization. Do not forget to change client_id and redirect_uri when using for your app.

Facebook settings:

App ID: 268718683475
Site URL: http://blog.yoz.sk/examples/FacebookOAuthGraph/
Site Domain: yoz.sk
Canvas Page: http://apps.facebook.com/blogoauthgraph/
Canvas URL: http://blog.yoz.sk/examples/FacebookOAuthGraph/facebook.php?a=b
Canvas FBML/iframe: iframe

Disable Deprecated Auth Methods: Enabled
Stream post URL security: Disabled
OAuth 2.0 for Canvas: Enabled
POST for Canvas: Enabled
Canvas Session Parameter (Deprecated): Disabled
November 2010 Rollup: Enabled
Timezone-less events: Enabled
Upgrade to Requests 2.0: Enabled
JSON Encoding Empty Arrays: Enabled

Here is the final facebook app http://apps.facebook.com/blogoauthgraph/

updated Jul 21, 2010: Quickfix for late facebook changes:

updated Jul 22, 2010: Facebook rollbacked the change and added “Canvas Session Parameter” parameter in facebook app settings / Migrations tab. With this setting enabled, your apps should work normally as they previously did.

updated Mar 16, 2011: Catching token from POST parameter.

As previously mentioned, facebook released a new Graph API. It is based on OAuth 2.0 protocol (old authorization token also works). While it is fresh thing, there is no much ActionScript stuff around, so I came with FacebookOAuthGraph class. This class is meant to be used as an abstract class, while it contains just the basic authentication algorithm and call method to request data. It stores access token in SharedObject, so next time you came into app, you get connected on background without noticing (no popup etc.). Your token should expire in 24 hours.

Here is the code for the following flex app, to make it work, get latest FacebookOAuthGraph and FacebookOAuthGraphEvent classes.

<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" layout="vertical"
    applicationComplete="init()">
<mx:Script>
<![CDATA[

    import sk.yoz.events.FacebookOAuthGraphEvent;
    import sk.yoz.net.FacebookOAuthGraph;

    // facebook Application ID
    private var clientId:String = "268718683475";

    // path to our callback
    private var redirectURI:String =
        "http://blog.yoz.sk/examples/FacebookOAuthGraph/callback.html";

    // required extended permissions
    private var scope:String = "publish_stream,user_photos,user_photo_video_tags";

    private var facebook:FacebookOAuthGraph = new FacebookOAuthGraph();

    [Bindable] private var connected:Boolean;

    private function init():void
    {
        facebook.clientId = clientId;
        facebook.redirectURI = redirectURI;
        facebook.scope = scope;
        facebook.useSecuredPath = true;
        facebook.addEventListener(FacebookOAuthGraphEvent.AUTHORIZED, authorized);

        // stage.root.loaderInfo.parameters
        facebook.autoConnect(parameters);

        log.text += "checkSavedToken()\n";
    }

    private function connect():void
    {
        facebook.connect();

        log.text += "connect()\n";
    }

    private function authorized(event:FacebookOAuthGraphEvent):void
    {
        connected = true;

        log.text += "authorized\n";
    }

    private function call(path:String, binary:Boolean):void
    {
        var loader:URLLoader = facebook.call(path);
        loader.dataFormat = binary
            ? URLLoaderDataFormat.BINARY
            : URLLoaderDataFormat.TEXT;
        loader.addEventListener(FacebookOAuthGraphEvent.DATA, callComplete);
        log.text += "call(" + path + ")\n";
    }

    private function changeStatus(message:String):void
    {
        var data:URLVariables = new URLVariables();
        data.message = message;
        var method:String = URLRequestMethod.POST;
        var loader:URLLoader = facebook.call("me/feed", data, method);
        loader.addEventListener(FacebookOAuthGraphEvent.DATA, callComplete);
        log.text += "changeStatus(" + message + ")\n";
    }

    private function callComplete(event:FacebookOAuthGraphEvent):void
    {
        log.text += "call completed -> see result\n";

        if(event.rawData is ByteArray)
        {
            var loader:Loader = new Loader();
            loader.loadBytes(event.rawData as ByteArray);
            loader.contentLoaderInfo.addEventListener(Event.COMPLETE,
                function():void
                {
                    image.source = loader;
                });
        }
        else
        {
            result.text = event.rawData.toString();
        }
    }
]]>
</mx:Script>
<mx:HBox>
    <mx:Button click="connect()" label="connect" />
    <mx:Text text="{connected ? 'connected' : 'not connected'}" />
</mx:HBox>
<mx:HBox visible="{!connected}" includeInLayout="{!connected}">
    <mx:Text text="#access_token=121161974560905%7C2..." />
    <mx:TextInput id="hash" />
    <mx:Button label="add hash" click="facebook.confirmConnection(hash.text)"/>
</mx:HBox>
<mx:HBox>
    <mx:TextInput id="path" text="me" />
    <mx:Button label="call" click="call(path.text, false)" enabled="{connected}"/>
    <mx:Spacer width="20" />
    <mx:TextInput id="path2" text="me/picture" />
    <mx:Button label="call binary" click="call(path2.text, true)" enabled="{connected}"/>
</mx:HBox>
<mx:HBox>
    <mx:TextInput id="status" text="testing FacebookOAuthGraph" />
    <mx:Button label="change status" click="changeStatus(status.text)" enabled="{connected}"/>
</mx:HBox>
<mx:HDividedBox width="100%" height="100%">
    <mx:TextArea width="30%" height="100%" id="log"/>
    <mx:TextArea width="70%" height="100%" id="result"/>
    <mx:Image id="image" />
</mx:HDividedBox>
</mx:Application>

Make sure your html wrapper defines correct allowScriptAccess and both id and name for <object> tag. This enables ExternalInterface.objectID. With swfobject use:

var params = {
    allowScriptAccess: "sameDomain"
};

var attributes = {
    id: "FacebookOAuthGraphTest",
    name: "FacebookOAuthGraphTest"
};
swfobject.embedSWF("FacebookOAuthGraphTest.swf", "alternative", "100%", "100%", "10.0.0",
    "expressInstall.swf", flashvars, params, attributes);

callback.html pushes url hash into flash app. When running this application from desktop (creating/debugging), your callback.html located on public domain has no access to its opener (different domain – XSS), so you need to pass access_token manualy into <TextInput id=”hash”>, but once your flash application is on the same domain with callback, it works automaticaly.

callback.html:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sk" lang="sk" dir="ltr">
<head>
	<script type="text/javascript">
	<!--
		if(window.opener && window.opener.confirmFacebookConnection)
		{
			window.opener.confirmFacebookConnection(window.location.hash);
			self.close();
		}
	//-->
	</script>
</head>
<body>
<p>You may now close this window.</p>
</body>
</html>

Click connect and allow facebook application. Facebook redirects to callback.html that pastes hash into flash and closes popup. Now you are authenticated. Next time you visit this flash application (refresh this page) you will get authenticated in background (if your access token is still valid). Notice, some graph api calls returns JSON objects (me), other may return binary data (me/picture). For now it may take some time to finish calls (5 second or more), but I hope facebook will soon make it fast.

You get your JSON decoded data via event.data. Just make sure you do not try to decode ByteArray (eg. me/picture)

// call("me")
private function callComplete(event:FacebookOAuthGraphEvent):void
{
    trace(event.data.name);
}

Some calls to test:

Friends:             me/friends
News feed:           me/home
Profile feed (Wall): me/feed
Likes:               me/likes
Movies:              me/movies
Books:               me/books
Notes:               me/notes
Photos:              me/photos
Videos:              me/videos
Events:              me/events
Groups:              me/groups

Additional information about my facebook app (see all settings):

Application ID:         268718683475
App Domain:              yoz.sk
Website / Site URL:      http://blog.yoz.sk/examples/FacebookOAuthGraph/
App on FB / Canvas URL:  http://blog.yoz.sk/examples/FacebookOAuthGraph/facebook.php?a=b
Page Tab / Page Tab URL: http://blog.yoz.sk/examples/FacebookOAuthGraph/facebook.html?
Canvas type:             iframe
Developer Mode:          Off
App Type:                Native/Desktop
Sandbox Mode:            Disabled
Remove Deprecated APIs:  Enabled
signed_request for Canvas: Enabled
Timezone-less events:    Enabled
Encrypted Access Token:  Enabled
...other Migrations:     Disabled

Based on facebook access token, it should be valid approximately for 24 hours. Notice the bold part, works as expiration time (unix time format). Use FacebookOAuthGraph.tokenToExpiration() to parse Date:

access_token=268718683475%7C2.w3fjqz80Xi1CdBXt7Ygh6A__.86400.1273158000-1215645368%7CDGv2l2HtTymd6cM6Fy_8k6P_8CQ.

Important update: May 19, 2010: Application is working again. Due to massive support in bug tracker (thanks all for your votes), facebook devs changed secured crossdomain.xml, so it allows unsecured requests. changeStatus() method added into example and some minor changes in FacebookOAuthGraph class (please update).

Here is what happend and why this app was not working for a while:

• May 11, 2010: facebook changed rules, so requests on unsecured graph service (via http://graph.facebook.com…) were limited to just those without access_token parameter. Requets to secured service (https://graph.facebook.com) resulted in security violation due to missing secure=”false” parameter in crossdomain.xml
• May 12, 2010: bug submitted
• May 12, 2010 – May 14, 2010: massive bug voting
• May 14, 2010: Bug confirmed by facebook dev team
• May 19, 2010: Bug fixed, crossdomain file changed

I am glad that facebook devs listens and care.

FAQ

Is there a .fla version available?

Yes, there is a simple working Flash CS4 archive available for download (.fla + all sources). The demo connects the facebook application and once connected, it uploads generated picture into photo album.

How can I use this class in my iframe canvas page?

Please read article Authorizing Iframe Facebook Applications For Graph API

How can I make this class do more advanced things and what are the best practices?

Please read article Extending FacebookOAuthGraph Class, where all the most comon extendings are described.

When I connect with this app in one browser (firefox), and I run another browser (chrome) I get automatically connected. Why?

Your authorization token is stored in SharedObject, that is OS-user persistent (eg. windows user). No matter what browser you run, all of those reads data from one SharedObject. If you need cookie or session persistent authorization, please extend my class and override methods that use SharedObject.

How to add request parameters into my call?

Pass URLVariables object as a second parameter to call() method:

// eg. in order to make this call "me/picture?type=large", do the following:
var data:URLVariables = new URLVariables();
data.type = "large"
call("me/picture", data);

Why I can not access me/photos?

Facebook has changed rules again. You also need “user_photo_video_tags” permission within your app. I have already added it into my app, so please remove your browser cache, refresh and click connect button again (even if you are connected already). Now it should work.

How to upload photo with graph api?

This is a piece of working code from Sean, thnx Sean:

// MultipartURLLoader by Eugene Zatepyakin can be found here: http://bit.ly/9wx4q7
public function uploadImageCall(path:String, ba:ByteArray, message:String, token:String=null):MultipartURLLoader
{
    var mpLoader:MultipartURLLoader = new MultipartURLLoader();
    mpLoader.addVariable("message", message);
    mpLoader.addFile(ba, "image.jpg", "image");
    loaderAddListeners(mpLoader.loader);
    mpLoader.load(apiSecuredPath + "/me/photos?access_token="+ token);
    return mpLoader;
}

Can I make fql calls with this class?

However graph api does not implement fql calls, you can make fql calls using this class. The resulted data are not JSON but XML:

var data:URLVariables = new URLVariables();
data.query = "SELECT uid, name FROM user WHERE uid = XXX"; // insert your uid
var loader:URLLoader = facebook.call("method/fql.query", data,
    URLRequestMethod.POST, null, "https://api.facebook.com");
loader.addEventListener(FacebookOAuthGraphEvent.DATA, fqlComplete);

private function fqlComplete(event:FacebookOAuthGraphEvent):void{
        var xml:XML = new XML(event.rawData);

For fqlComplete method, please read Parsing FQL result article.

Can I post feeds with attachments?

Graph API has not documented attachment functionality for feeds, anyway, you can publish streams with attachments with this class as simple as:

var media:Object = {};
media.type = "flash";
media.swfsrc = "http://zombo.com/inrozxa.swf";
media.imgsrc = "http://blog.yoz.sk/wp-content/uploads/3d-150x150.jpg";
media.width = "80";
media.height = "80";
media.expanded_width = "120";
media.expanded_height = "120";

var attachment:Object = {};
attachment.name = "test name";
attachment.href = "http://blog.yoz.sk"
attachment.description = "test description";
attachment.caption = "test caption";
attachment.media = [media];

var data:URLVariables = new URLVariables();
data.message = "test message";
data.attachment = JSON.encode(attachment);

facebook.call("method/stream.publish", data, URLRequestMethod.POST, null, "https://api.facebook.com");

How can I develop my app locally when callback only works on the domain?

While callback is not able to push access_token into your app on runtime, I just copy access_token value into my code and publish again:

if(!parameters.session)
parameters.session = JSON.encode({
    access_token:String("123864964303507%7C2._pSS7WlemeGB9M0RV8Vnuw__.3600.1276246800-1215645368%7C-kYjWPx4MR6DXc5Clcnv5kXX3t4.")
        .replace(/\%7C/g, "|")
});
facebook.autoConnect(parameters);

Hi Is there a way to implement a “i Like” button with your class?

Sorry, you can not use graph API to like stuff, there is no method for that. Even by testing like request:

href: http://www.facebook.com/pages/***
node_type: page
edge_type: like
page_id: 12345
action_text
now_connected: true
nctr[_mod]: connect
post_form_id: 123ABF***********
fb_dtsg: TAfAJ
post_form_id_source: AsyncRequest

… post_form_id is some static required parameter that you can not guess.

This example app works with Internet Explorer, but my one results in Error #2032

Please complie your app to Flash Player 10 (or later). It should fix this issue. Credits goes to Garcimore , thnx. The issue has been identified as header Content-Type: application/json, that is returned from facebook. Suggested workaround (by facebook dev team) is to use POST variables with your requests, however it is reported as not working solution.

I can not make it run in my Mac-Safari sonfiguration

It seems there is a bug in Safari on Mac that does not let you open popup via ExternalInterface. You should use navigateToURL() in that case. Credits goes to Beans, thank you. More instructions here.

var js:String = "return window.navigator.userAgent.indexOf('Safari') > -1);"
if(ExternalInterface.call("function(){" + js + "}")){
   // safari specific code

Few days before while I was working on TwitterLogger Class for ActionScript 3 I discovered OAuth – an open protocol to allow secure API authorization . While reading all the stuff about OAuth and PHP SDKs, I noticed one statement somewhere (can’t find it nowhere) that Facebook was in fact using OAuth for its Facebook Connect tool but some derived version. This has now changed! Facebook is standardizing communication and authorization by introducing Open Graph and OAtuh 2.0.

F8 is a Facebook conference to bring together the developers and entrepreneurs who are building the social Web by moving fast, taking risks, and hacking traditional systems. In April 21, 2010, in F8 conference a few interesting things have been mentioned about the new Facebook API. Facebook CEO Mark Zuckerberg announced that the Facebook Connect brand would be eliminated as part of the launch of Open Graph.

Update (May 5, 2010): I have created Facebook Graph API & OAuth 2.0 & Flash – FacebookOAuthGraph ActionScript 3 class to use with OAuth 2.0 and Graph

Open Graph

The Open Graph API will allow any page on the Web to have all the features of a Facebook Page – users will be able to become a Fan of the page, it will show up on that user’s profile and in search results, and that page will be able to publish stories to the stream of its fans. (Facebook Roadmap Open Graph API)

Open Graph protocol also introduces <meta> tags, that allows you to specify structured information about your web page when used with like button etc.

Here are some url examples of Graph API usage:

http://graph.facebook.com/[USERID]          - user’s graph for your app
http://graph.facebook.com/[USERID]/friends  - access to user’s friends
http://graph.facebook.com/[USERID]/likes    - access user’s likes

By default these requests return JSON objects, but I guess there is a parameter to be passed to get xml instead (my guess).

Cool thing about this is there is a benevolent crossdomain file on http://graph.facebook.com/crossdomain.xml:

<cross-domain-policy>
    <allow-access-from domain="*"/>
    <site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

Some of those returns “OAuthAccessTokenException” thats where new OAuth comes in scene.

OAuth 2.0

Second thing noticed was that the company is standardizing the authorization via the OAuth 2.0 standard. The important thing here is, OAuth is already available for all existing Facebook APIs, and there are multiple methods to get authenticated with OAuth in Facebook. Check out the PHP example code example code for authentication on GitHub. Difference to previous connect is that sessions may last longer than 24 hours.

Lets hope there will be new version of Facebook ActionScript API released soon enough with all these new features…

Where to go from here:

• Facebook Authentication
• Graph API reference
• Facebook Open Graph: What it Means for Privacy

The Rubik’s Cube is a 3-D mechanical puzzle invented in 1974 by Hungarian sculptor and professor of architecture Ernő Rubik. My latest project was to create a 3D engine (I have used papervision) based on this logic + integrate with facebook. Finally, the game is ready and you can play s.Oliver ‘s Cube on Facebook.