HTTP

Quick Overview
HTTP
•

Application protocol for distributed hypermedia systems.
•

Request / response

•

Stateless

•

Media independent...
HTTP
Request Format
•

Request line

•

Request headers

•

Empty line.

•

Optional message body.

POST /1.1/lists/create...
HTTP
Response Format
•

Status line

•

Response headers

•

Empty line

•

Optional message body

HTTP/1.1 200 OK	
conten...
HTTP
URL - Unified Resource Locator
Not sent to server.

Only browser.

HTTP: clear 

HTTPS: encrypted

URL (or Percent) en...
HTTP
Verbs (methods)
•

GET: retrieve a resource

Others

•

•

•

HEAD: GET without body

•

•

safe: it must not modify ...
HTTP
Headers
•

General header: for both request and response messages.
•

•

Request header: only for request messages.
•...
HTTP
Request Parameters
•

For GET, part of the URL query string as field / value pairs
•

•

field1=value1&field2=value2&fiel...
HTTP
Status Codes
•

1xx: Informational

•

2xx: Successful

4xx: Client Error
•

400: Bad Request

•

401: Unauthorized

...
HTTP
Security
• Authorization Header
• Allows different kinds of authentication: basic, digest, oauth
• Authorization:...
HTTP
Disclaimer

HTTP Requests are NOT purely written to ease readability.
!

In particular:
- they do NOT strictly respec...
Postman

Chrome App - Handy HTTP Client
Postman

24
API
Practical Work
•

Download and install Google Chrome

•

Download and install Postman (Packaged app)
•
•

•

http://ww...
REST

Designing Lightweight APIs
REST
•

REpresentational State Transfer

•

Defined by HTTP 1.0 & 1.1 author (Roy Fielding)

•

Architectural style

•

RES...
REST
Main Principles
•

Identify everything with an identifier

•

Link things together

•

Use standards

•

Resources wit...
REST
Characteristics
•

Lightweight

•

Scalable

•

Simple

•

Flexible

•

Readable

•

Reliable

•

Efficient

•

Portab...
REST
HTTP-based
•

Easy SOA (Service-Oriented Architecture)
•

•

SOAP is another way… often cumbersome

Pragmatic approac...
REST
RESTful Constraints
•

Client-server: separation of concerns, separate interface from implementation

•

Stateless se...
REST
CRUD
•

POST = CREATE

•

GET = READ

•

PUT = UPDATE

•

DELETE = DELETE

•

Alternative: POST /dogs?method=delete
•...
REST
Resources
•

Use nouns, no verb

•

Plural: /dogs

•

Concrete: /dogs instead of /animals

•

Use Javascript naming c...
REST
Collections
•

2 base URLs per resource

•

Collection
•

•

/dogs

Element
•

/dogs/1234

34
REST
Requests for resources
•

GET /owners/5678/dogs

•

POST /owners/5678/dogs

•

GET /dogs?color=red&state=running&loca...
REST
Requests for non-resources
•

Use verbs for non-resources: compute, search, …

•

GET /convert?from=EUR&t=CNY&amount=...
REST
Handling errors
•

Use HTTP status codes. Those are enough for most usages:
•
•

304: Not modified

•

400: Bad Reques...
REST
Versioning
•

Make version mandatory.

•

Use ‘v’ prefix to avoid confusion

•

Use one number. API is not implementat...
REST
REST API Design State of the art
!

•

You want to become a REST ninja?

•

Read everything from:
•

https://apigee.c...
JSON

Overview
JSON
•

http://www.json.org/

•

JavaScript Object Notation

•

Lightweight standard for data-interchange format

•

Devel...
JSON
Types
Number

Array: ordered values

12

[ 1, "apple", true, { … } ]


2.45 324.0594


String
"hello"

Object: unorde...
JSON
Example
{	
"id": "4", 	
"favorite_teams": [	
{	
"id": "116174408393207", 	
"name": "Yankees"	
}	
], 	
"name": "Mark Z...
API
Practical Work
•

In Postman, create a "API Todo" HTTP request collection

•

Think about a REST API for todo list
•
•...
oAuth

Overview
oAuth ?
• http://oauth.net/
• An open authentication protocol to allow secure authorization in a simple and standard me...
oAuth
Before
• Applications stored passwords
• Full access to user’s account
• Revoke application permissions by chan...
oAuth
Principle
• An external Guest A says to the reception desk that he wants to meet Employee B for business purposes.
...
oAuth 1.0
oAuth 1.0
oAuth 1.0
• Getting a request token and define callback URL
• Direct the user to authorization flow (login dialog)
• Ca...
oAuth 2.0
oAuth 2.0
• Simplified signature
• No encryption, replaced by HTTPS
• Easier to handle.
• Token Expiration
• Scope...
oAuth 2.0
Apps
• Web-server apps (grant_type=authorization_code)
• Username/password access (grant_type=password)
• ...
oAuth 2.0
Example: Web-server Apps
oAuth 2.0
Example: Web-server Apps
• Getting a request token and define callback URL
• Direct the user to authorization ...
Social Networks

Overview
Social Media
Social Network
•

A platform to handle social interactions between actors
•

People, Community, and Companies

•

Sharing ...
Social Networks
•

Worldwide.


•

Facebook


•

Twitter IPO

60
Social Networks
Are they all the same?

61
Facebook
Facebook

Overview
Facebook
The Social Network
•

Founded in 2004


•

CEO: Mark Zuckerberg


•

1.19 billion monthly active users.


•

728 ...
Facebook?
•

Re-index the web around personal information.

•

Identity provider across the web and mobile apps

•

Replac...
Facebook
Features
•

Status updates

•

Phone

•

Photo / Video

•

App Center Promotions

•

Timeline

•

Ads

•

Message...
Facebook
Features
Graph Search

Post Status / Photo / Video / Place / …

Go to Settings

Go to
Timeline

Main Menu

Groups...
Facebook
Concerns
•

Privacy

•

Loss of control
•

•

Service and Content Provider

Competitors
•

Google

•

Twitter

•
...
Facebook
References
•

www.facebook.com

•

developers.facebook.com

69
Facebook Platform
Practical Work
•

Create your Facebook account

•

Activate your developer account
•

Try to create an a...
Facebook

Platform
Facebook Platform
•

A social operating system
•
•

Access data in Facebook

•

•

Develop and test applications on top of...
Facebook Platform
APIs
•

Graph API

•

Iframes

•

FQL

•

Log in with Facebook

•

Real-time Updates

•

Open Graph Prot...
Facebook Platform
Terms & Conditions
•

It’s free!

•

You cannot cache Facebook’s data as you want

•

You cannot re-crea...
Facebook Platform
API Limitations
•

Can’t invite friends

•

Can’t confirm, ignore, or delete friendship

•

Can’t post to...
Facebook Platform
Creating and Configuring an Application
Facebook Platform
Creating an application
Basic Settings

Your Application Identifier a.k.a. API Key

Your Application Secr...
Facebook Platform
Configuring an application
Basic Settings

Verified when adding your app.

78
Facebook Platform
Configuring an application
Roles

Administrators: complete access


!

Developers: can modify settings bu...
Facebook Platform
Configuring an application
Advanced Settings

Monitor and track changes of your app settings.

Security s...
Facebook Platform
Configuring an application
Status & Review

When not live, the app is said to be in "Sandbox mode":

only...
Facebook Platform
Practical Work
•

Log on you Facebook account

•

Create your own application

•

Create a test user

•
...
Facebook

Authentication & Authorization
Facebook Authentication & Authorization
Login with Facebook
• When you click this button, it gives permissions to a FB ap...
Facebook Authentication & Authorization
Security Model
• Based on oAuth 2.0
• Access token and HTTPS
• Permissions
• ...
Facebook Authentication & Authorization
Access Tokens
• User Access Token
• To read/write on behalf of a FB user
In...
Facebook Authentication & Authorization
User Access Token
• Unique
• Associated to a scope (permissions)
• Define th...
Facebook Authentication & Authorization
Permissions
Facebook Authentication & Authorization
Permissions
User Permissions
• user_about_me
• user_friends
• user_photos
• ...
Facebook Authentication & Authorization
Permissions
Friends Permissions
• friends_about_me
• friends_games_activity
• ...
Facebook Authentication & Authorization
Permissions
Extended Permissions
• ads_management
• photo_upload
• read_strea...
Facebook Authentication & Authorization
Sending Requests
Facebook Authentication & Authorization
Sending Requests
Example
Using HTTPS (TLS) protects the request information.
GET...
Facebook Authentication & Authorization
Sending Requests from Server with Enhanced Security
App Secret Proof
• Hackers ca...
Facebook Authentication & Authorization
Sending Requests from Server with Enhanced Security
Computing App Secret Proof
• ...
Facebook Authentication & Authorization
Sending Requests from Server with Enhanced Security
Example
https://graph.faceboo...
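Added example, not code from the slides: computing the appsecret_proof introduced above, attaching it to a server-side Graph API call, and the check the API side performs. The proof is the HMAC-SHA256 of the access token keyed with the app secret, hex-encoded, as Facebook documents it; the token and secret values are constructed placeholders.

```python
"""Facebook Graph API appsecret_proof: compute, attach, verify.

Added example, not code from the slides. The proof is the documented
HMAC-SHA256 of the access token keyed with the app secret, hex-encoded.
Token and secret values below are constructed placeholders.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholders, not real credentials.
APP_SECRET = "0123456789abcdef0123456789abcdef"
USER_TOKEN = "CAACEdEose0cBA_placeholder_user_access_token"


def app_secret_proof(app_secret: str, access_token: str) -> str:
    """hex(HMAC-SHA256(key=app_secret, msg=access_token)).

    The proof binds the token to the app secret: once the app requires it
    on server calls, a token leaked from a client is useless to anyone who
    does not also hold the secret.
    """
    return hmac.new(app_secret.encode("utf-8"),
                    access_token.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def with_proof(url: str, app_secret: str) -> str:
    """Append appsecret_proof to a Graph API URL that already carries access_token."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    token = params.get("access_token")
    if not token:
        raise ValueError("URL carries no access_token, nothing to prove")
    params["appsecret_proof"] = app_secret_proof(app_secret, token)
    return urlunsplit(parts._replace(query=urlencode(params)))


def verify_proof(app_secret: str, access_token: str, presented: str) -> bool:
    """API-side check: recompute the proof and compare in constant time."""
    expected = app_secret_proof(app_secret, access_token)
    return hmac.compare_digest(expected, presented)


def demo() -> str:
    """Sign the slides' /me example request with the placeholder credentials."""
    url = f"https://graph.facebook.com/me?access_token={USER_TOKEN}"
    return with_proof(url, APP_SECRET)


if __name__ == "__main__":
    print(demo())
```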
Facebook Authentication & Authorization
Client-side User Authentication
Facebook Authentication & Authorization
Step 1 - Login Dialog (Browser)
GET (In Browser) https://www.facebook.com/dialog/o...
Facebook Authentication & Authorization
Step 2 - Convert short-lived to long-lived access token (optional)
GET https://gra...
Facebook Authentication & Authorization
Review User’s application Settings (1)
You can find more here…
Facebook Authentication & Authorization
Review User’s application Settings (2)
Use "Only me" when in doubt
Permissions
...
Facebook Authentication & Authorization
Server-side User Authentication
Facebook Authentication & Authorization
Step 1 - Login Dialog (Browser)
GET (In Browser) https://www.facebook.com/dialog/o...
Facebook Authentication & Authorization
Step 2 - Exchange code for long-lived access token
GET https://graph.facebook.com/...
Facebook Authentication & Authorization
Server-side Application Authentication
Facebook Authentication & Authorization
Step 1 - Login Dialog (Browser)
GET (in Browser)
https://graph.facebook.com/oauth...
Facebook Authentication & Authorization
Debugging Tokens
Facebook Authentication & Authorization
Debugging Tokens Tool
Facebook Authentication & Authorization
Debugging Tokens API
GET https://graph.facebook.com/debug_token?
input_token=CA...
Facebook Authentication & Authorization
Graph API Explorer
Authenticate and Explore Facebook API easily
Facebook Authentication & Authorization
Graph API Explorer
Features
Facebook Authentication & Authorization
Graph API Explorer
Permissions
Facebook Authentication & Authorization
Open Graph Debugger
Facebook Authentication & Authorization
Access Token Tool
Facebook Authentication & Authorization
Practical Work
•

In Postman and your browser, build a "FB Auth"
collection of HTT...
Facebook

Graph API
Facebook
Graph API ?
•

Doc: https://developers.facebook.com/docs/graph-api/reference

•

Endpoint: https://graph.facebook...
Facebook
Graph API
Overview
•

Object-oriented
•
•

•

Every object has a unique identifier

Connections

All data returned...
Facebook
Graph API
Root Objects

Achievement

Event

Offer

Question

Album

FriendList

Order

QuestionOption

Applicatio...
Facebook Graph API
Reading
•

GET HTTP request

•

Different permissions applied to objects/fields/connections
•

•

Access...
Facebook
Graph API
Reading a public object
GET https://graph.facebook.com/markzuckerberg

{	
"id": "4", 	
"name": "Mark Zu...
Facebook
Graph API
Introspection
GET graph.facebook.com/markzuckerberg?metadata=1

{	
	
	
	
	
	
	
	
	
	
	
	
	
	
	

	
	

	
...
Facebook
Graph API
Selecting fields/connections
GET https://graph.facebook.com/me/friends?access_token=…	
&fields=name,birt...
Facebook
Graph API
Global Limit
GET https://graph.facebook.com/me/albums?access_token=…	
	 &limit=5

{	
"id": "702008335",...
Facebook
Graph API
Field Limit
GET https://graph.facebook.com/me?access_token=…	
	 &fields=albums.limit(5)

{	
"id": "7020...
Facebook
Graph API
Mixing fields and limits
GET https://graph.facebook.com/me?access_token=…	
	 &fields=albums.limit(5).fie...
Facebook
Graph API
Cursor-based Pagination
•

Cursor-based
•
•

•

Cursor marks an invariant point in a list of data
Prefe...
Facebook
Graph API
Cursor-based Pagination
GET https://graph.facebook.com/283864466145_10151727303376146/likes

{	
"data":...
Facebook
Graph API
Cursor-based Pagination
GET https://graph.facebook.com/283864466145_10151727303376146/likes?
	 limit=25...
Facebook
Graph API
Offset-based Pagination
•

Offset-based
•
•

Supported by all objects

•

Can be combined with other ty...
Facebook
Graph API
Offset-based Pagination
https://graph.facebook.com/me/friends?access_token=…	
	 &limit=10	
	 &offset=10...
Facebook
Graph API
Time-based Pagination
•

Time-based
•
•

•

Timestamps pointing to specific times in a list of data
Less...
Facebook
Graph API
Time-based Pagination
https://graph.facebook.com/me/home?access_token=…	 	
	 &limit=5

Usage of since a...
Facebook
Graph API
Multiple objects at once
https://graph.facebook.com/?access_token=…	
	 &ids=4,5,6	
	 &fields=username

...
Facebook
Graph API
Date & Locale
•

Dates
•
•

Add "date_format" request parameter to override

•

•

By default, ISO-8601...
Graph API
Publishing
•

POST HTTP request

•

Access token required with right permissions

•

Examples
•

Post a status o...
Graph API
Publishing
Basic Example
POST https://graph.facebook.com/me/feed?access_token=…	
	 &message=This is a default me...
Graph API
Publishing
Post a like
POST https://graph.facebook.com/702008335_10152142129743336/likes?	
	 access_token=…

Lik...
Graph API
Publishing
Privacy
•

Add "privacy" parameter to post requests
•
•

•

Application privacy setting sets the ceil...
Graph API
Publishing
Privacy Settings

140
Graph API
Publishing
Posting to friends
POST https://graph.facebook.com/me/feed?access_token=…	
	 &privacy={"value":"ALL_F...
Graph API
Publishing
Posting to Friends except a friend list
POST https://graph.facebook.com/me/feed?access_token=…	
	 &pr...
Graph API
Publishing
Photos
•

2 ways:
•

Upload photo to the app’s album or an existing one
•

•

Create the app’s album ...
Graph API
Example - Publishing Photos (upload)
POST https://graph.facebook.com/me/photos?access_token=…	
	 &privacy={"valu...
Graph API
Example - Publishing Photos (web)
POST https://graph.facebook.com/me/photos?access_token=…	
	 &privacy={"value":...
Graph API
Updating
•

POST HTTP request

•

Over simple: fields and value to update

•

Same permissions as publishing

146
Graph API
Updating
Basic Example
POST https://graph.facebook.com/702008335_10152143278443336?access_token=…	
	 &message=Th...
Graph API
Deleting
•

DELETE HTTP request

•

Access token required with permissions.

•

Alternative: POST with "method=d...
Graph API
Deleting
Basic Example
DELETE https://graph.facebook.com/702008335_10152143278443336?access_token=…	

!
or	

!
P...
Graph API
Deleting
Delete a like
DELETE	
https://graph.facebook.com/702008335_10152143302288336/likes?access_token=…

Reme...
Graph API
Searching
•

GET /search?q=…

•

Access token required
•
•

•

Pages & places: app access token
Others: user acc...
Graph API
Searching
Searchable Types
•

Post

•

Group

•

User

•

Checkin

•

Page

•

Place

•

Event

•

Location

!
!...
Graph API
Searching
Example
GET https://graph.facebook.com/search?access_token=…	
	 &q=fabrice delhoste	
	 &type=user

{	
...
Facebook Graph API
Batch
•

Group requests together

•

More efficient

•

Several Graph API calls in a single HTTP request...
Facebook Graph API
Batch
•

A set of HTTP requests/responses as JSON array
•

Can mix up to 50 requests with different acc...
Facebook Graph API
Batch
Basic Example
POST https://graph.facebook.com/?access_token=…	
Post to root /
batch=[	
{ "method"...
Facebook Graph API
Batch
Messy Example
POST https://graph.facebook.com/?access_token=…	
batch=[	
{ "method":"POST","relati...
Facebook Graph API
Batch
Advanced Example

By default, responses from request used as a
dependency (here ) are not returne...
Facebook Graph API
Errors

{	
"error": {	
"message": "Message describing the error", 	
"type": "OAuthException", 	
"code":...
Facebook Graph API
Old REST API
•

Before Graph API

•

Absolutely not REST

•

https://api.facebook.com/method/{methodnam...
Facebook Graph API
Practical Work
•

In Postman, create a new collection named "FB Graph API"
and build HTTP requests to:
...
Facebook Graph API
Practical Work
•

Get the photos of this album

•

Create a photo album with privacy SELF

•

Add a web...
Facebook Graph API
Practical Work
•

Get this post likes

•

Delete this like

•

Get your home newsfeed (homepage recent ...
Facebook Graph API
Practical Work
•

Create a secret event

•

Introspect this event

•

Invite other testers to this even...
Facebook Graph API
Practical Work
•

Upload a photo to this event with a short message

•

Get the event feed

•

Delete t...
Facebook

Facebook Query Language (FQL)
Facebook Query Language (FQL)
•

https://developers.facebook.com/docs/reference/fql

•

Limited SQL subset
•

•

One table...
Facebook Query Language (FQL)
Tables
album
app_role
application
apprequest
checkin
column
comment
comments_info
connection...
Facebook Query Language (FQL)
Query Syntax
select_expr can be a field or
a function of a field.

Cannot use * (star)

Only 1...
Facebook Query Language (FQL)
Sending FQL Query
https://graph.facebook.com/fql?access_token=…	
	 &q=SELECT name FROM user ...
Facebook Query Language (FQL)
Subqueries
My friends and me with
our square picture

SELECT name, pic_square FROM user WHER...
Facebook Query Language (FQL)
Pagination

SELECT name	
FROM user	
WHERE uid IN (SELECT uid2 FROM friend WHERE uid1=me())	
...
Facebook Query Language (FQL)
Pagination

SELECT name	
FROM user	
WHERE uid IN (SELECT uid2 FROM friend WHERE uid1=me())	
...
Facebook Query Language (FQL)
Sending multiple queries at once
GET https://graph.facebook.com/fql?q={	
"query1": "SELECT u...
Facebook Query Language (FQL)
Data Types
•

string

•

unsigned int32

•

bool

•

struct

•

array<…>

•

object<…,…>

•
...
Facebook Query Language (FQL)
Indexable Columns
•

Every table has one or more index-able columns

•

IMPORTANT: FQL query...
Facebook Query Language (FQL)
Functions
•

me(): guess who?

•

now(): guess when?

•

rand(): random number

•

concat(…,...
Facebook Query Language (FQL)
Functions
•

substr(string, start, length): substring

•

strpos(haystack, string): search s...
Facebook Query Language (FQL)
Functions
SELECT concat(substr(first_name,0, 1), substr(last_name, 0, 1))	
FROM user WHERE u...
Facebook Graph API
Practical Work
•

In Postman, create a collection named "FB FQL" and build HTTP requests to:
•

Get my ...
Facebook Graph API
Practical Work
•

Get your unread notifications (simulate them)

•

Get pages and their number of fans I...
Facebook

Developer Tools
Test Users
Facility to create fake users for testing purposes
Facebook Developer Tools
Test Users?
•

https://developers.facebook.com/docs/test_users/

•

Used for development and debu...
Facebook Developer Tools
Test Users
Creating and Deleting Test Users (GUI)

Testers = Real Users

Test Users = Fake Users
Facebook Developer Tools
Test Users
Getting Test Users
GET https://graph.facebook.com/760835680597440/accounts/test-users?...
Facebook Developer Tools
Test Users
Creating a test user (API)
GET https://graph.facebook.com/760835680597440/accounts/tes...
Facebook Developer Tools
Test Users
Deleting a test user
https://graph.facebook.com/100007176673155?	
	 access_token=…

	
...
Facebook Developer Tools
Test Users
Update Test Users username and password
GET https://graph.facebook.com/100007176673155...
Facebook Developer Tools
Test Users
Making Friends
POST (friend request)	
https://graph.facebook.com/100007176673155/frien...
Facebook Developer Tools
Test Users
Adding test users to other apps
GET https://graph.facebook.com/APP_ID/accounts/test-us...
Facebook Developer Tools
Test Users
Practical Work
•

In Postman, create a "FB Test Users" collection where
you build HTTP...
Facebook
Support & Maintenance
Roadmap
•

developers.facebook.com/roadmap/

Review frequently.

194
Breaking Changes and Migration Policy
•

90-day breaking change policy.

•

Breaking change automatically enabled for new ...
Platform Status
•

developers.facebook.com/live_status/
JSON

Events

History
196
Bugs
•

developers.facebook.com/bugs/

Subscribe to bugs

(email alert)

Communicate with
Facebook

Problem
description

1...
Beta Tier
•

developers.facebook.com/docs/support/beta-tier/

•

Desktop: www.beta.facebook.com

•

Mobile Web: m.beta.fac...
Stay tuned

developers.facebook.com/blog

@FacebookDevRel

@fb_engineering
199
Facebook

Chat API
Facebook Chat API
•

https://developers.facebook.com/docs/chat/

•

XMPP
•
•

•

eXtensible Messaging and Presence Protoco...
Facebook

Open Graph
Open Graph
Object and Action Model
•

Facebook internal graph have limited interactions
•

•

Open Graph turns any web pag...
Facebook

Real-time Updates
Facebook Realtime Updates
• Push model
• Subscribe to data changes
• vs Polling model
Facebook calls your server...
Facebook Realtime Updates
Publicly Supported Objects
• User
• Limited to: feed, friends, activities, interests, music, b...
Facebook Realtime Updates
Dashboard
• With recent new dashboard, FB removed the panel !!!
• Workaround: https://develope...
Facebook Realtime Updates
Dashboard
Facebook Realtime Updates
How to proceed
• 3 steps
• Register your server (dashboard or API)
• Respond correctly to a ...
Facebook Realtime Updates
API
• https://graph.facebook.com/{appId}/subscriptions
• Listing subscriptions : GET
• Addi...
Facebook Realtime Updates
Your Callback Server
• Two endpoints needed:
• Subscription Verification
• Receiving Updates...
Facebook Realtime Updates
Your Callback Server
Subscription Verification
• Query parameters
• hub.challenge: random
• ...
Facebook Realtime Updates
Your Callback Server
Subscription Verification
http://mycallbackserver.com/?hub.mode=subscribe
...
Facebook Realtime Updates
Your Callback Server
Receiving Updates
• JSON
• No content, only notification about content
• ...
Facebook Realtime Updates
Your Callback Server
Receiving Updates
POST http://mycallbackserver.com/
{
...
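Added example, not the slides' code: the two callback-server endpoints described above as plain request handlers. The GET handshake echoes hub.challenge only when hub.mode is subscribe and hub.verify_token matches the value registered with the subscription; the POST handler checks the X-Hub-Signature header (sha1 HMAC of the raw body keyed with the app secret), which is how Facebook signs update posts but is not shown on the slides. The secret, verify token and sample payload are constructed.

```python
"""Facebook Real-time Updates callback: verification handshake and update handling.

Added example, not the slides' code. The GET handshake (hub.mode,
hub.verify_token, hub.challenge) follows the slides; the X-Hub-Signature
check ("sha1=" + hex HMAC-SHA1 of the raw body keyed with the app secret)
is the documented signing of update POSTs. Secret, token and payload are
constructed.
"""
import hashlib
import hmac
import json

APP_SECRET = "constructed-app-secret"        # placeholder, not a real secret
VERIFY_TOKEN = "constructed-verify-token"    # the value registered with the subscription


def handle_verification(query: dict, expected_token: str = VERIFY_TOKEN) -> tuple:
    """GET handler: echo hub.challenge only for a subscribe request carrying our token.

    Returns (status_code, body). Every other case is refused, so the endpoint
    cannot be used as an echo service or confirm a subscription we did not make.
    """
    if query.get("hub.mode") != "subscribe":
        return 400, ""
    presented = query.get("hub.verify_token", "")
    if not hmac.compare_digest(presented, expected_token):
        return 403, ""
    challenge = query.get("hub.challenge")
    if not challenge:
        return 400, ""
    return 200, challenge


def sign_body(app_secret: str, body: bytes) -> str:
    """The X-Hub-Signature value: 'sha1=' + hex HMAC-SHA1 of the raw request body."""
    return "sha1=" + hmac.new(app_secret.encode("utf-8"), body, hashlib.sha1).hexdigest()


def signature_ok(app_secret: str, body: bytes, header: str) -> bool:
    """Constant-time comparison; a missing header counts as a bad signature."""
    return hmac.compare_digest(sign_body(app_secret, body), header or "")


def handle_update(headers: dict, body: bytes, app_secret: str = APP_SECRET) -> tuple:
    """POST handler: verify the signature, then return (status, changes).

    changes is a list of (object, id, changed_field) tuples. The payload carries
    no content, only which fields changed, so the app re-fetches via Graph API.
    """
    if not signature_ok(app_secret, body, headers.get("X-Hub-Signature")):
        return 403, []
    payload = json.loads(body)
    obj = payload.get("object")
    changes = []
    for entry in payload.get("entry", []):
        for field in entry.get("changed_fields", []):
            changes.append((obj, str(entry.get("id")), field))
    return 200, changes


# Constructed sample update in the documented shape (object / entry / changed_fields).
SAMPLE_BODY = json.dumps({
    "object": "user",
    "entry": [
        {"uid": "100007176673155", "id": "100007176673155",
         "time": 1386000000, "changed_fields": ["feed", "friends"]},
    ],
}).encode("utf-8")


if __name__ == "__main__":
    print(handle_verification({"hub.mode": "subscribe",
                               "hub.verify_token": VERIFY_TOKEN,
                               "hub.challenge": "1158201444"}))
    headers = {"X-Hub-Signature": sign_body(APP_SECRET, SAMPLE_BODY)}
    print(handle_update(headers, SAMPLE_BODY))
```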
Facebook Realtime Updates
Practical Work
• If this is possible for your network (NAT, tunnel, reverse proxy…), implement a...
Twitter
Twitter

Overview
Twitter
•

Founded in 2006


•

Jack Dorsey, Evan Williams, Biz
Stone, and Noah Glass


•

232 million monthly active user...
Twitter?
•

Social network and microblogging

•

Real-time information network

•

Ad network

•

Search engine

•

Identi...
Twitter
Features
•

Tweet (140 chars message)

•

Mention

•

Timeline

•

Lists

•

Follow

•

Direct Message

•

Favorit...
Twitter
Features
Interactions

Following

&

Followers

Personalized Content

Profile

Direct Message

Go to Settings

Post...
Twitter
Tweet?
Twitter
account

Text
Hyperlink
Mention

Hashtag
Tweet to reply

Copy/paste to
your followers

Mark as
favo...
Twitter
Concerns
•

Sustainability

•

Competitors
•

Facebook

•

Google

•

Whatsapp?

•

…

224
Twitter
References
•

www.twitter.com

•

dev.twitter.com

225
Twitter

Platform
Twitter
Platform?
•

A real-time messaging infrastructure
•
•

•

Develop applications on top of Twitter APIs
Access data ...
Twitter Platform
APIs
•

Current release: 1.1

•

REST API
•

•

Poll-based system - pseudo real-time

Streaming API
•

Lo...
Twitter Platform
Objects

Metadata and contextual
information

(extracted hashtags, urls,
media, mentions, …)
229
Twitter Platform
Objects
Tweets
•
{	

https://dev.twitter.com/docs/platform-objects/tweets

Beware of the accuracy on id (...
Twitter Platform
Objects
Users
•

https://dev.twitter.com/docs/platform-objects/users

"user": {	
"id": 13348,	
"id_str": ...
Twitter Platform
Objects
Entities
•

https://dev.twitter.com/docs/platform-objects/entities
"entities": { "hashtags": [], ...
Twitter Platform
Objects
Places
•

https://dev.twitter.com/docs/platform-objects/places

"place":	
{	
"attributes":{},	
"b...
Twitter Platform
Terms & Conditions
•

It’s free!

•

Twitter has the right to blacklist your application

•

Twitter has ...
Facebook Platform
API Limitations
•

API is very open…but also rate-limited.

•

See https://dev.twitter.com/docs/rate-lim...
Twitter Platform
Creating and Configuring an Application
Twitter Platform
Creating and configuring an application
Used during the oauth callback for the access token
Twitter Platform
Creating and configuring an application
Consumer Key and Consumer Secret.
Never reveal the Consumer Secret!...
Twitter Platform
Creating and configuring an application
Permissions
Facebook Graph API
Practical Work
•

Create a Twitter account

•

Create your own Twitter application
•

Full access

•

D...
Twitter

Authentication & Authorization
Twitter Authentication & Authorization
• oAuth 1.0 - access token used in request signatures
• Application-user authent...
Twitter Authentication & Authorization
Application-user Authentication
Twitter Authentication & Authorization
Application-user Authentication
How to sign
• How to sign user-level requests?
• ...
Twitter Authentication & Authorization
Application-user Authentication
Payload to sign
POST&https%3A%2F%2Fapi.twitter.com...
Twitter Authentication & Authorization
Application-user Authentication
Signature example
POST /1/statuses/update.json?inc...
Twitter Authentication & Authorization
Application-user Authentication
Authorization Header Details
• Authorization HTTP ...
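Added example, not the slides' code: the signing procedure above carried through in Python, from the signature base string ("POST&https%3A%2F%2Fapi.twitter.com...") to the HMAC-SHA1 signature and the Authorization header. The request and credential values are the sample values from Twitter's "Creating a signature" documentation, the same statuses/update.json request the slides quote; they are documentation samples, not live credentials.

```python
"""OAuth 1.0a request signing (HMAC-SHA1) as Twitter's API requires.

Added example, not code from the slides. The request and credential values
are the sample values from Twitter's "Creating a signature" documentation.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Documentation sample values (not live credentials).
CONSUMER_KEY = "xvz1evFS4wEEPTGEFPHBog"
CONSUMER_SECRET = "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw"
TOKEN = "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb"
TOKEN_SECRET = "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE"
NONCE = "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg"
TIMESTAMP = "1318622958"

METHOD = "POST"
BASE_URL = "https://api.twitter.com/1/statuses/update.json"   # no query string here
QUERY = {"include_entities": "true"}
BODY = {"status": "Hello Ladies + Gentlemen, a signed OAuth request!"}


def pct(value: str) -> str:
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(str(value), safe="-._~")


def oauth_params(nonce: str, timestamp: str) -> dict:
    """The oauth_* protocol parameters, minus the signature itself."""
    return {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_token": TOKEN,
        "oauth_version": "1.0",
    }


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """METHOD&enc(base_url)&enc(k1=v1&k2=v2...) over query, body and oauth params.

    Keys and values are encoded first, then sorted, then the whole parameter
    string is encoded once more (which is where the %25xx sequences come from).
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(param_string)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """enc(consumer_secret)&enc(token_secret); token_secret is empty on request-token calls."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(base_string: str, key: str) -> str:
    """Base64 of HMAC-SHA1(key, base_string): the oauth_signature value."""
    digest = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(oauth: dict, signature: str) -> str:
    """Build 'OAuth k="v", ...'; only the oauth_* parameters go in the header."""
    fields = dict(oauth, oauth_signature=signature)
    joined = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))
    return "OAuth " + joined


def sign_sample_request() -> tuple:
    """Sign the documented sample request; returns (base_string, signature, header)."""
    oauth = oauth_params(NONCE, TIMESTAMP)
    all_params = {**QUERY, **BODY, **oauth}
    base = signature_base_string(METHOD, BASE_URL, all_params)
    sig = sign(base, signing_key(CONSUMER_SECRET, TOKEN_SECRET))
    return base, sig, authorization_header(oauth, sig)


if __name__ == "__main__":
    for line in sign_sample_request():
        print(line)
```

Because the nonce and timestamp are part of the signed material, a replayed header signs only its own request, which is why the slides insist on the access token being used in the signature rather than sent on its own.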
Twitter Authentication & Authorization
Application-user Authentication
Obtaining access token
• To obtain a user access t...
Twitter Authentication & Authorization
Application-user Authentication
Step 1 - Get a request token
POST https://api.twitt...
Twitter Authentication & Authorization
Application-user Authentication
Step 2 - User interaction
In browser (GET):
https:...
Twitter Authentication & Authorization
Application-user Authentication
Step 3 - Exchange request token for an access token...
Twitter Authentication & Authorization
Application-only Authentication
Twitter Authentication & Authorization
Application-user Authentication
How to sign
• How to sign application-level reques...
Twitter Authentication & Authorization
Application-only Authentication
Obtaining access token
• To obtain an application-o...
Twitter API - Authentication & Authorization
Application-only Authentication
Obtaining an Application Access Token
POST ht...
Twitter API - Authentication & Authorization
Application-only Authentication
Revoking an Application Access Token
POST htt...
Twitter API Console by APIGee
Explore Twitter API easily
Twitter
API Console
•

https://dev.twitter.com/console (provided by Apigee)

258
Twitter Authentication & Authorization
Practical Work
•

In Postman and your browser, build a "Twitter Auth"
collection of...
Twitter

REST API
Twitter REST API ?
•

https://api.twitter.com/

•

Current release: 1.1

•

Get data in and out of Twitter.
•

•

Read, Pu...
Twitter
REST API
•

Resources-oriented
•
•

•

Every object has a unique identifier
All data returned as JSON (or XML)

Res...
Twitter
REST API
Resources

Timelines
Tweets
Search
Streaming
Direct
Messages

Friends &
Followers

Saved
Searches

Users
...
Twitter
REST API
Reading
•

GET

•

Permissions applied (access token)

•

Response: JSON

•

Timelines
•
•

User timeline...
Twitter
REST API
Home Timeline
https://api.twitter.com/1.1/statuses/home_timeline.json

[	
{	
"created_at": "Sun Dec 15 10...
Twitter
REST API
Pagination
•

count: maximum number of tweets to get (up to count)

•

max_id and since_id parameters
•

...
Twitter
REST API
Pagination with max_id
•

max_id : tweets lower than or equal to this id
Problem: page consistency

Typic...
Twitter
REST API
Pagination with since_id
•

since_id : tweets greater than this id
Best: combine since_id and max_id

Ima...
Twitter
REST API
Example
https://api.twitter.com/1.1/statuses/home_timeline.json?	
	 &count=5
Get 5 latest tweets
Last twe...
Twitter
REST API
Example
https://api.twitter.com/1.1/statuses/home_timeline.json?	
	 &max_id=412196025378820095	
	 &count=...
Twitter
REST API
Publishing
•

POST with specific URL path

•

Access token required with permissions.

271
Twitter
REST API
Tweet !
POST https://api.twitter.com/1.1/statuses/update.json	
Content-Type: application/x-www-form-urlen...
Twitter
REST API
Deleting
•

POST with specific URL path
•
•

•

Not DELETE
Not a query parameter

Access token required wi...
Twitter
REST API
Delete a tweet
POST https://api.twitter.com/1.1/statuses/destroy/
412342464415301632.json

{	
"geo": null...
Twitter
REST API
Searching
•

Search for tweets
•

•

Fine-grained search based on location, language, …

Search for users...
Twitter REST API
Searching tweets
GET https://api.twitter.com/1.1/search/tweets.json?q=iphone

{	
"statuses": [	
{	
"metad...
Twitter REST API
Searching users
https://api.twitter.com/1.1/users/search.json?q=lady&count=2

[	
{	

Pagination with coun...
Twitter REST API
Practical Work
•

Create a "Twitter API" collection where you create HTTP
requests to:
•

Get your Twitte...
Twitter REST API
Practical Work
•

Favorite a tweet

•

Search tweets on behalf of an application

•

Search tweets on beh...
Twitter

Streaming API
Twitter
Streaming API
•

https://dev.twitter.com/docs/streaming-apis

•

Receives realtime push data

•

Long-lived HTTP r...
Twitter
Streaming API
Streams
•

Public Streams
•

•

User Streams
•

•

Monitoring and collecting public data.

Single us...
Twitter
Streaming API
Public Streams
•

Subscribing to public data
•
•

Track keywords

•

•

Track public accounts

Track...
Twitter
Streaming API
User Streams
•

Subscribing to realtime updates on behalf of a single
authenticated user
•

User him...
Twitter
Streaming API
Site Streams
•

Subscribing to realtime updates for a large number of
users

•

Restricted (whitelis...
Twitter
Streaming API
Practical Work
•

Use Netbeans to create a simple Maven Java console application project

•

Use Twi...
Twitter

Developer Tools
Twitter
Support & Maintenance
Facebook & Twitter API
This is my initial release of a slide deck used to support a quick training to students on Facebook and Twitter API. A lot of stuff would need to be fixed (my English first, as a non-native writer :-). It also does not (yet?) cover all APIs.

This support is better with associated resources such as the underlying Postman request collections.

Please feel free to give feedback if any.

Published in: Technology
Transcript of "Facebook & Twitter API"

1. Application Programming Interface: Facebook, Twitter
Fabrice Delhoste
http://www.slideshare.net/fabricedelhoste
fabrice@delhoste.com
Facebook: http://www.facebook.com/fabricedelhoste
Twitter: @spifd
Dec. 2013

2. Content
• API
• Social Networks
• Facebook
• Twitter

3. Warning
These slides are for training or educational purposes. They do not replace reference documentation.
This is my first version, December 2013. If you read this in 2013+, check for deprecation. Feel free to give me your feedback.
Pictures and clip arts are free for use. Credits coming in the next release.

4. API: Application Programming Interface

5. API?
• Application Programming Interface
• Software-to-software contract
• Defines the interactions between components

6. API
A good API can provide…
• Flexibility
• Security
• Ease of use
• Simplicity
• Scalability
• Portability
Modern software is made of APIs. Otherwise, it would serve a limited purpose.

7. API: Design Patterns
• Separating interface from implementation
• Façade design pattern
  • A simplified interface to a larger body of code
  • Makes software easier and more convenient to use
  • Reduces dependencies
  • Wraps poorly designed APIs with a single well-designed API

8. API: Platform
• Developers can be:
  • customers
  • channels to customers
• Offering them a friendly, helpful API is business-oriented:
  • cost reduction
  • time-to-market
  • know-how and expertise

9. API: Cloud Computing
• Infrastructure-as-a-Service (IaaS) - infra level
  • API provides control, distribution, network, and workload.
• Platform-as-a-Service (PaaS) - service level
  • API provides messaging system, databases, execution environment
• Software-as-a-Service (SaaS) - application level
  • API mediates between apps and underlying IT infrastructure
• Backend-as-a-Service (BaaS) - application dev level
  • API provides a unified way to connect apps to cloud services

10. API: General Recommendations
• Try test-driven design
• Think about what the client really needs, not what your server can offer
• Choose vocabulary wisely
• Use standards when possible
• Copy & enhance popular existing APIs
• Be self-descriptive, developer-friendly
• Try defining the highest level of API

11. API: Practical Work
• Real world use case analysis
• What would you have done?

12. HTTP: Quick Overview

13. HTTP
• Application protocol for distributed hypermedia systems.
• Request / response
• Stateless
• Media independent
• Foundation of the WWW
• Current version: 1.1

14. HTTP: Request Format
• Request line
• Request headers
• Empty line
• Optional message body

  POST /1.1/lists/create.json?name=My%20new%20list&mode=private HTTP/1.1
  X-HostCommonName: api.twitter.com
  Authorization: OAuth oauth_consumer_key= …
  Host: api.twitter.com
  Content-Length: 0
  X-Target-URI: https://api.twitter.com
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  Connection: Keep-Alive

15. HTTP: Response Format
• Status line
• Response headers
• Empty line
• Optional message body

  HTTP/1.1 200 OK
  content-type: application/json; charset=utf-8
  last-modified: Sun, 08 Dec 2013 20:41:48 GMT
  status: 200 OK
  date: Sun, 08 Dec 2013 20:41:48 GMT
  Connection: close
  content-length: 1879

  {
    "id_str": "101144843",
    "full_name": "@spifd/lists/my-new-list",
    "user": {
      "id_str": "18229030",
      …

16. HTTP: URL - Uniform Resource Locator
(Annotated URL diagram.)
• Scheme: HTTP is clear text, HTTPS is encrypted.
• Fragment (#…): not sent to the server, only used by the browser.
• URL (or percent) encoding: the reserved characters ! # $ & ' ( ) * + , / : ; = ? @ [ ] are converted to %21 %23 %24 …

17. HTTP: Verbs (methods)
• GET: retrieve a resource
  • safe: it must not modify resources
  • idempotent: 1 call, same as multiple calls
• HEAD: GET without body
• PUT: create/update a resource
  • idempotent
• POST: add a subordinate resource
  • not safe, not idempotent
• DELETE: delete a resource
  • idempotent
• Others
  • TRACE: echo request back to the sender
  • OPTIONS: supported HTTP verbs
  • CONNECT: connects to proxy
  • PATCH: partial update
• Safe/idempotent: only semantic, no constraint in the protocol

18. HTTP: Headers
• General header: for both request and response messages.
  • Ex: Cache-Control, Connection
• Request header: only for request messages.
  • Ex: Authorization, Accept, Cookie, Host, User-Agent
• Response header: only for response messages.
  • Ex: Server, Set-Cookie
• Entity header: metadata about the entity body
  • Ex: Content-Encoding, Content-Length, Content-Type, Last-Modified

19. HTTP: Request Parameters
• For GET, part of the URL query string as field / value pairs
  • field1=value1&field2=value2&field3=value3…
• For POST, request parameters are sent using:
  • "Content-Type: application/x-www-form-urlencoded" (header)
    • The content body contains "field1=value1&field2=value2&field3=value3…"
  • "Content-Type: multipart/form-data" (header) for binary data
    • Special format using several parts separated with a particular string boundary (Content-Disposition header), each part having its own Content-Type header.

20. HTTP: Status Codes
• 1xx: Informational
• 2xx: Successful
  • 201: Created (PUT & POST)
• 3xx: Redirection
  • 302: Found
  • 304: Not Modified (If-Modified-Since header)
• 4xx: Client Error
  • 400: Bad Request
  • 401: Unauthorized
  • 403: Forbidden
  • 404: Not Found
  • 405: Method Not Allowed
• 5xx: Server Error
  • 500: Internal Server Error
  • 503: Service Unavailable

21. HTTP: Security
• Authorization header
  • Allows different kinds of authentication: basic, digest, oauth
  • Authorization: {Type} {Data}
  • Ex: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    • RFC2045-MIME variant of Base64 encoding of "login:password"
• Encryption with HTTPS = HTTP over SSL/TLS
  • Asymmetric key derived into a short-term session key
  • Used to encrypt the whole HTTP data flow
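The request format of slide 14, the parameter encodings of slides 16 and 19 and the Basic authorization header of slide 21, put together as an added example (this is not code from the deck). It parses a request with the Python standard library; the sample request is constructed for this example, and its credentials are the RFC 2617 "Aladdin:open sesame" pair that slide 21 quotes in Base64 form:

```python
"""Added example (not from the slide deck): parse an HTTP request of the form
shown on slide 14, decode its query string and form body (slide 19), apply
percent-encoding (slide 16) and decode a Basic Authorization header (slide 21),
using only the Python standard library."""
import base64
import binascii
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample request. The credentials are the RFC 2617 example
# "Aladdin:open sesame" quoted on slide 21; the body is made up.
SAMPLE_BODY = "description=Reading%20list&mode=private"
SAMPLE_REQUEST = (
    "POST /1.1/lists/create.json?name=My%20new%20list&mode=private HTTP/1.1\r\n"
    "Host: api.twitter.com\r\n"
    "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n"
    + SAMPLE_BODY
)


def parse_request(raw: str) -> Dict[str, object]:
    """Split a request into request line, headers and body.

    The header block ends at the first empty line (CRLF CRLF); header names
    are case-insensitive, so they are lower-cased here."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def query_params(request: Dict[str, object]) -> Dict[str, List[str]]:
    """GET-style parameters: field/value pairs in the URL query string."""
    return parse_qs(urlsplit(str(request["target"])).query)


def body_params(request: Dict[str, object]) -> Dict[str, List[str]]:
    """POST-style parameters, only when the body is form-urlencoded."""
    headers: Dict[str, str] = request["headers"]  # type: ignore[assignment]
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("application/x-www-form-urlencoded"):
        return {}
    return parse_qs(str(request["body"]))


def percent_encode(value: str) -> str:
    """Percent-encode every reserved character (safe="" escapes '/' too)."""
    return quote(value, safe="")


def parse_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(login:password)>'.

    Base64 is an encoding, not encryption: anyone who can read the header
    recovers the password, which is why slide 21 pairs it with HTTPS.
    Returns None for any other scheme or a malformed value."""
    scheme, _, data = header_value.partition(" ")
    if scheme.lower() != "basic" or not data:
        return None
    try:
        decoded = base64.b64decode(data.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    login, sep, password = decoded.partition(":")  # a password may contain ':'
    if not sep:
        return None
    return login, password


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], query_params(req), body_params(req))
    print(parse_basic_auth(req["headers"]["authorization"]))  # type: ignore[index]
    print(percent_encode("My new list"))
```

The `validate=True` in `b64decode` rejects characters outside the Base64 alphabet instead of silently discarding them, and the credential split uses the first colon only, since RFC 7617 allows colons in the password but not in the user name.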
22. HTTP: Disclaimer
The HTTP requests in these slides are NOT written strictly, to ease readability.
In particular:
- they do NOT strictly respect the HTTP format
- they do NOT correctly follow URL-encoding when needed
- they do NOT contain all HTTP headers and body
We are humans, not machines.

23. Postman: Chrome App - Handy HTTP Client

24. Postman (screenshot)

25. API: Practical Work
• Download and install Google Chrome
• Download and install Postman (packaged app)
  • http://www.getpostman.com/
  • If you want to inspect requests in the Google Chrome network console, browse chrome://flags and "Enable debugging for packed apps"
• Take time to play and get familiar with Postman features
  • We'll use it all along the training.
  • See how to create collections, save them, …
  • I'll collect your backup.

26. REST: Designing Lightweight APIs

27. REST
• REpresentational State Transfer
• Defined by the HTTP 1.0 & 1.1 author (Roy Fielding)
• Architectural style
• REST = Transfer of representations of resources
• A simple way to handle interactions between systems

28. REST: Main Principles
• Identify everything with an identifier
• Link things together
• Use standards
• Resources with multiple representations
• Stateless

29. REST: Characteristics
• Lightweight
• Scalable
• Simple
• Flexible
• Readable
• Reliable
• Efficient
• Portable

30. REST: HTTP-based
• Easy SOA (Service-Oriented Architecture)
  • SOAP is another way… often cumbersome
• Pragmatic approach, mostly based on the HTTP protocol
  • Well known, widely deployed, and avoids new layers
  • Use HTTP verbs
  • Use URI as a global identifier for resources

31. REST: RESTful Constraints
• Client-server: separation of concerns, separate interface from implementation
• Stateless server: requests contain all necessary information
• Cache: responses can be cached or not
• Uniform interface:
  • Identification of resources: each resource is uniquely identified
  • Manipulation of resources through representations: each resource has one or more representations
  • Self-descriptive message: the message is not only data but everything necessary for the message to be processed
  • Hypermedia as the engine of application state (HATEOAS): the server must give the client the information needed to navigate the service
• Layered system: the client has no idea about the end server or the intermediates processing the requests
• Code-on-demand (optional): clients are extendable by downloading code

32. REST: CRUD
• POST = CREATE
• GET = READ
• PUT = UPDATE
• DELETE = DELETE
• Alternative: POST /dogs?method=delete
  • Filtering proxies, …

33. REST: Resources
• Use nouns, no verbs
• Plural: /dogs
• Concrete: /dogs instead of /animals
• Use the Javascript naming convention

34. REST: Collections
• 2 base URLs per resource
  • Collection: /dogs
  • Element: /dogs/1234

35. REST: Requests for resources
• GET /owners/5678/dogs
• POST /owners/5678/dogs
• GET /dogs?color=red&state=running&location=park
• GET /dogs?fields=name,color,location.city
• GET /dogs.xml?limit=25&offset=50
• GET /owners/5678/dogs?q=Bobby (search)

36. REST: Requests for non-resources
• Use verbs for non-resources: compute, search, …
• GET /convert?from=EUR&t=CNY&amount=100
• GET /search?q=toto (global search)
• GET /owners/5678/dogs/search?q=toto
• GET /dogs/count

37. REST: Handling errors
• Use HTTP status codes. These are enough for most usages:
  • 200: OK, 201: Created
  • 304: Not Modified
  • 400: Bad Request, 401: Unauthorized, 403: Forbidden, 404: Not Found
  • 500: Internal Server Error
• Be verbose and self-descriptive in the response body. Example:

  {
    "developerMessage": "Verbose, plain language description of the problem for the app developer with hints about how to fix it.",
    "userMessage": "Pass this message on to the app user if needed.",
    "errorCode": 12345,
    "more info": "http://dev.teachdogrest.com/errors/12345"
  }

38. REST: Versioning
• Make the version mandatory.
• Use a 'v' prefix to avoid confusion
• Use one number. The API is not the implementation.
• Ex: /v1/dogs
• Recommendations:
  • Backward compatibility with 1 version
  • Communicate very early on (breaking) changes.

39. REST: REST API Design State of the Art
• You want to become a REST ninja?
• Read everything from:
  • https://apigee.com/about/api-best-practices

40. JSON: Overview

41. JSON
• http://www.json.org/
• JavaScript Object Notation
• Lightweight standard for data-interchange format
• Developer-friendly
  • Easy for humans to read/write
  • Efficient to parse/generate
  • Open, not only Javascript

42. JSON: Types
• Number: 12, 2.45, 324.0594
• String: "hello" (double quotes only; 'hello' is not valid JSON)
• Boolean: true, false
• Empty value: null
• Array (ordered values): [ 1, "apple", true, { … } ]
• Object (unordered key/value pairs): { "title": "Games of Thrones", "season": 1 }

43. JSON: Example

  {
    "id": "4",
    "favorite_teams": [
      {
        "id": "116174408393207",
        "name": "Yankees"
      }
    ],
    "name": "Mark Zuckerberg",
    "hometown": {
      "id": "105506396148790",
      "name": "Dobbs Ferry, New York"
    }
  }

44. API: Practical Work
• In Postman, create an "API Todo" HTTP request collection
• Think about a REST API for todo lists
  • Create/read/update/delete a todo list
  • Create/read/update/delete a todo
  • Read part of the data of a todo
• Imagine being a client and write all HTTP requests
  • No server development, just URL and payload in Postman

45. oAuth: Overview

46. oAuth?
• http://oauth.net/
• An open authentication protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
  • Get away from logins and passwords to grant authorizations to 3rd parties
  • Publish and interact safely with users' data
• oAuth is now widely used
  • Facebook, Google, Twitter, …

47. oAuth: Before
• Applications stored passwords
• Full access to the user's account
• Revoke application permissions by changing the password
• Bad guys could get the user's password
• Many proprietary solutions

48. oAuth: Principle
• An external Guest A says to the reception desk that he wants to meet Employee B for business purposes.
• The reception desk notifies Employee B that Guest A has come to visit him.
• Employee B comes to the reception desk and identifies Guest A.
• Employee B records the business purpose and identity of Guest A at the reception desk.
• The reception desk issues a visitor card to Guest A.
• Employee B and Guest A go to the specified room to discuss their business.

49. oAuth 1.0

50. oAuth 1.0 (flow diagram)

51. oAuth 1.0
• Get a request token and define the callback URL
• Direct the user to the authorization flow (login dialog)
• Callback to your URL with the request token
• Exchange the request token for an access token
• Send requests signed with the access token

52. oAuth 2.0

53. oAuth 2.0
• Simplified signature
  • No encryption, replaced by HTTPS
  • Easier to handle.
• Token expiration
• Scope: limit access for the 3rd party
  • Left to oAuth providers, proprietary values

54. oAuth 2.0: Apps
• Web-server apps (grant_type=authorization_code)
  • Server exchanges a code for an access token.
• Username/password access (grant_type=password)
  • Get an access token from login/password. No server-side code needed. Only for trusted clients.
• Application access (grant_type=client_credentials)
  • Get an access token from the client secret.
• Browser and mobile apps (grant_type=implicit)
  • Browser or mobile app receives an access token directly. No server-side code needed.

55. oAuth 2.0: Example: Web-server Apps (flow diagram)

56. oAuth 2.0: Example: Web-server Apps
• Get a request token and define the callback URL
• Direct the user to the authorization flow (login dialog)
• Callback to your server with a code
• Exchange the code for an access token
• Send (not sign) requests with the access token as an HTTP query parameter or Authorization header
• Renew the access token when expired (grant_type=refresh_token)
57. Social Networks: Overview

58. Social Media

59. Social Network
• A platform to handle social interactions between actors
• People, communities, and companies
• Sharing interests and activities
• Communications

60. Social Networks
• Worldwide.
• Facebook
• Twitter IPO

61. Social Networks
Are they all the same?

62. Facebook

63. Facebook: Overview

64. Facebook: The Social Network
• Founded in 2004
• CEO: Mark Zuckerberg
• 1.19 billion monthly active users.
• 728 million daily active users.
• 874 million mobile users.

65. Facebook?
• Re-index the web around personal information.
• Identity provider across the web and mobile apps
• Replace communication channels
• Behavioural ad network
• Personalized search engine
• Customized and socialized experiences everywhere

66. Facebook: Features
• Status updates
• Photo / Video
• Timeline
• Messages
• Chat
• SMS
• Checkin
• Phone
• App Center
• Promotions
• Ads
• Payment
• Pages
• Groups
• …

67. Facebook: Features (annotated screenshot)
Callouts: Graph Search; Post Status / Photo / Video / Place / …; Go to Settings; Go to Timeline; Main Menu (Groups, Apps, Friend lists, Pages); Ticker; Ads & Suggestions; Chat; Newsfeed.

68. Facebook: Concerns
• Privacy
• Loss of control
• Service and content provider
• Competitors
  • Google
  • Twitter
  • Yahoo
  • Whatsapp, WeChat, Snapchat, Pinterest, …

69. Facebook: References
• www.facebook.com
• developers.facebook.com

70. Facebook Platform: Practical Work
• Create your Facebook account
• Activate your developer account
• Try to create an application
• Prepare your phone to receive the SMS confirmation if your Facebook account is not yet a "verified" account.
• https://developers.facebook.com

71. Facebook Platform

72. Facebook Platform
• A social operating system
  • Access data in Facebook
  • Develop and test applications on top of Facebook APIs
  • Monitor application usage
• For:
  • Applications on Facebook
  • External websites
  • Device and mobile apps

73. Facebook Platform: APIs
• Graph API
• FQL
• Real-time Updates
• Authentication
• Iframes
• Log in with Facebook
• Open Graph Protocol
• Social Plugins

74. Facebook Platform: Terms & Conditions
• It's free!
• You cannot cache Facebook's data as you want
• You cannot re-create the social graph
• You cannot use Facebook's data for ads
• Facebook has the right to blacklist your application
• …it's free!

75. Facebook Platform: API Limitations
• Can't invite friends
• Can't confirm, ignore, or delete a friendship
• Can't post to another user's timeline
• Can't get friends' phones or e-mails
• Can't send private messages to people
• Can't be notified of all kinds of events
• Can't read the full graph: no friends of friends
• Can't get social graph ranking (interactions)
• Can't search through the Graph Search API
• …
• API rate limits: https://developers.facebook.com/docs/reference/ads-api/api-rate-limiting/#userlimit

76. Facebook Platform: Creating and Configuring an Application

77. Facebook Platform: Creating an application - Basic Settings
• Your Application Identifier, a.k.a. API Key
• Your Application Secret, a.k.a. Client Secret
  • Very important: needed for authentication

78. Facebook Platform: Configuring an application - Basic Settings
• Verified when adding your app.

79. Facebook Platform: Configuring an application - Roles
• Administrators: complete access
• Developers: can modify settings but cannot reset the secret key, manage users, or delete the app
• Testers: can test the application in sandbox mode but cannot modify the application
• Insight Users: can access analytics but cannot modify the application

80. Facebook Platform: Configuring an application - Advanced Settings
• Monitor and track changes of your app settings.
• Security settings are very important to prevent attackers from spoofing your FB app.

81. Facebook Platform: Configuring an application - Status & Review
• When not live, the app is said to be in "Sandbox mode": only administrators, developers, and testers can install and use your app.

82. Facebook Platform: Practical Work
• Log on to your Facebook account
• Create your own application
• Create a test user
• Log in with the test user and back to your account
• Create and use Chrome profiles to switch between accounts

83. Facebook: Authentication & Authorization

84. Facebook Authentication & Authorization: Login with Facebook
• When you click this button, it gives permissions to a FB application:
  • It first checks whether someone is already logged in
  • If not, prompt them to do so through a Login dialog
  • Secure codes are exchanged to confirm identity
  • If confirmed, an access token is retrieved
• The app's developer will then use the access token to interact with Facebook on behalf of the user.

85. Facebook Authentication & Authorization: Security Model
• Based on oAuth 2.0
  • Access token and HTTPS
• Permissions
  • Protect every piece of Facebook data
  • Under the user's review and control during application approval

86. Facebook Authentication & Authorization: Access Tokens
• User Access Token
  • To read/write on behalf of a FB user
  • Interactive login dialog
• App Access Token
  • To read/write on behalf of a FB application
  • Server-to-server call
• Page Access Token
  • To read/write on behalf of a FB page
  • Obtained through the Graph API with a valid user access token
• Client Token
  • Native mobile or desktop apps accessing limited data on behalf of a FB application.
  • Rarely used.

87. Facebook Authentication & Authorization: User Access Token
• Unique
• Associated to a scope (permissions)
  • Defines the usage bounds
• Short-lived (~1 hour), or long-lived (~60 days)
  • Short-lived mainly used for web applications
  • Long-lived obtained from short-lived
  • Long-lived mainly used for native mobile apps and server-side
• Automatic with the SDK for Javascript, iOS, and Android.

88. Facebook Authentication & Authorization: Permissions

89. Facebook Authentication & Authorization: Permissions - User Permissions
user_about_me, user_actions.books, user_actions.music, user_actions.news, user_actions.video, user_activities, user_birthday, user_checkins, user_education_history, user_events, user_friends, user_games_activity, user_groups, user_hometown, user_interests, user_likes, user_location, user_notes, user_online_presence, user_photo_video_tags, user_photos, user_questions, user_relationship_details, user_relationships, user_religion_politics, user_status, user_subscriptions, user_videos, user_website, user_work_history

90. Facebook Authentication & Authorization: Permissions - Friends Permissions
friends_about_me, friends_actions.books, friends_actions.music, friends_actions.news, friends_actions.video, friends_activities, friends_birthday, friends_checkins, friends_education_history, friends_events, friends_games_activity, friends_groups, friends_hometown, friends_interests, friends_likes, friends_location, friends_notes, friends_online_presence, friends_photo_video_tags, friends_photos, friends_questions, friends_relationship_details, friends_relationships, friends_religion_politics, friends_status, friends_subscriptions, friends_videos, friends_website

91. Facebook Authentication & Authorization: Permissions - Extended Permissions
ads_management, ads_read, create_event, create_note, email, export_stream, manage_friendlists, manage_notifications, manage_pages, photo_upload, publish_actions, publish_checkins, publish_stream, read_friendlists, read_insights, read_mailbox, read_page_mailboxes, read_requests, read_stream, rsvp_event, share_item, sms, status_update, video_upload, xmpp_login

92. Facebook Authentication & Authorization: Sending Requests

93. Facebook Authentication & Authorization: Sending Requests - Example
• Using HTTPS (TLS) protects the request information.

  GET https://graph.facebook.com/me?access_token=CAAKzZBdx5dcABAIA9Q…

• The access token is a secret value included as a query parameter attached to the HTTP request.

94. Facebook Authentication & Authorization: Sending Requests from Server with Enhanced Security - App Secret Proof
• Hackers can steal access tokens client-side or server-side
  • Client malware
  • Server attacks
• Using App Secret Proof makes this harder server-side
  • Activate it in the application dashboard under advanced settings
  • Access token integrity and authentication is then verified by Facebook.

95. Facebook Authentication & Authorization: Sending Requests from Server with Enhanced Security - Computing App Secret Proof
• Add a query parameter to all of your server-side requests
• appsecret_proof = HMAC-SHA256(key, message)
  • HMAC-SHA256 = Hash Message Authentication Code
  • key = {app_secret}
  • message = {access_token}

96. Facebook Authentication & Authorization: Sending Requests from Server with Enhanced Security - Example

  https://graph.facebook.com/me?access_token=CAAKzZBdx5dcABAIAjZBs9Q…
    &appsecret_proof=…

• Compute and add this query parameter to every request.
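Slide 95's formula, as an added example (not code from the deck or from Facebook): the proof is the hex-encoded HMAC-SHA256 of the access token keyed with the app secret, computed on the server and recomputed by Facebook. The secret and token strings in the usage block are placeholders, and `signed_graph_url` is this example's own helper name:

```python
"""Added example (not the deck's or Facebook's code): computing and checking
the appsecret_proof described on slide 95, i.e. the hex HMAC-SHA256 of the
access token keyed with the app secret. The secret and token values used in
__main__ are constructed placeholders."""
import hashlib
import hmac
from typing import Dict
from urllib.parse import urlencode

GRAPH_BASE = "https://graph.facebook.com/"


def app_secret_proof(app_secret: str, access_token: str) -> str:
    """appsecret_proof = HMAC-SHA256(key=app_secret, message=access_token), hex-encoded."""
    mac = hmac.new(app_secret.encode("utf-8"), access_token.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def verify_app_secret_proof(app_secret: str, access_token: str, proof: str) -> bool:
    """What the verifying side does: recompute and compare in constant time.

    A plain '==' would leak, through timing, how many leading characters of
    the submitted proof were right."""
    expected = app_secret_proof(app_secret, access_token)
    return hmac.compare_digest(expected, proof.strip().lower())


def signed_graph_url(path: str, access_token: str, app_secret: str, **params: str) -> str:
    """Build a Graph API URL carrying both access_token and appsecret_proof.

    Call this from server-side code only: it needs the app secret, which must
    never be shipped to a browser or a mobile app."""
    query: Dict[str, str] = dict(params)
    query["access_token"] = access_token
    query["appsecret_proof"] = app_secret_proof(app_secret, access_token)
    return GRAPH_BASE + path.lstrip("/") + "?" + urlencode(query)


if __name__ == "__main__":
    # Placeholder values, not real credentials.
    secret, token = "EXAMPLE_APP_SECRET", "EXAMPLE_ACCESS_TOKEN"
    print(signed_graph_url("me", token, secret, fields="name"))
```

Because the proof is bound to one access token, a token copied out of a client cannot be replayed against the API from a host that does not also hold the app secret, which is the protection slide 94 describes. The HMAC itself can be checked against the RFC 4231 test vectors, since the construction is standard HMAC-SHA256.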
97. Facebook Authentication & Authorization: Client-side User Authentication

98. Facebook Authentication & Authorization: Step 1 - Login Dialog (Browser)

  GET (in browser)
  https://www.facebook.com/dialog/oauth?
    client_id=760835680597440
    &redirect_uri=http%3A%2F%2Ffabrice.delhoste.com%2F
    &response_type=token
    &scope=read_stream,user_friends,status_update

• client_id: Application Id
• redirect_uri: set to the value defined in the app dashboard
• response_type=token: request for an access token (client-side)
• scope: read and publish permissions

Redirect back to the application:

  http://fabrice.delhoste.com#access_token=CAAKzZBdx5dcABABBHv8vXR1…
    &expires_in=6258

• This is a short-lived access token (~2 hours).
• URL fragment identifiers (#…) are NOT sent to the server.
• Set the audience to "Only me" in paranoia mode.

99. Facebook Authentication & Authorization: Step 2 - Convert short-lived to long-lived access token (optional)

  GET
  https://graph.facebook.com/oauth/access_token?
    client_secret=9e4461c0364f179e6c9f12adf16b7cc9
    &client_id=760835680597440
    &grant_type=fb_exchange_token
    &fb_exchange_token=CAAKzZBdx5dcABABBHv8vXR1…

• client_secret: Application Secret
• fb_exchange_token: the short-lived access token obtained previously.

Response: a long-lived access token (~60 days).

  access_token=CAAKzZBdx5dcABAM8oQG1ivoyBZBC9…
    &expires=5181099

100. Facebook Authentication & Authorization: Review User's application Settings (1)
(Screenshot.) You can find more here…

101. Facebook Authentication & Authorization: Review User's application Settings (2)
(Screenshot.)
• Permissions
• Use "Only me" when in doubt
• Detect unusual activity or simply purge unused apps.

102. Facebook Authentication & Authorization: Server-side User Authentication

103. Facebook Authentication & Authorization: Step 1 - Login Dialog (Browser)

  GET (in browser)
  https://www.facebook.com/dialog/oauth?
    client_id=760835680597440
    &redirect_uri=http%3A%2F%2Ffabrice.delhoste.com%2F
    &response_type=code
    &scope=read_stream,user_friends,status_update

• client_id: Application Id
• redirect_uri: set to the value defined in the app dashboard
• response_type=code: request for a code (server-side). It can be used once and expires shortly.
• scope: read and publish permissions
• Set the audience to "Only me" in paranoia mode.

Redirect back to the application:

  http://fabrice.delhoste.com/?code=AQCtOF4xjIObCApYPFsTwMy2AumKjEi2fw97az7UMBVrhSH-r59SLS…

104. Facebook Authentication & Authorization: Step 2 - Exchange code for long-lived access token

  GET
  https://graph.facebook.com/oauth/access_token?
    client_id=760835680597440
    &redirect_uri=http%3A%2F%2Ffabrice.delhoste.com%2F
    &client_secret=9e4461c0364f179e6c9f12adf16b7cc9
    &code=AQCtOF4xjIObCApYPFsTwMy2AumKjEi2fw97az7UMBVrhSH-r59SLS…

• client_secret is the Application Secret. Server-side only (security). Never, ever, put the app secret in client code.
• Because we use the "code" confirmation, meant for server-side use, this is a long-lived access token (~60 days) associated to the user, the application, and the requested permissions.

Response:

  access_token=CAAKzZBdx5dcABALYm0KZBcPSm2oVepJ8MZ…
    &expires=5181609
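The two redirect shapes of slides 98 and 103/104 (and the generic web-server flow of slide 56), as an added example that is not code from the deck: it builds the Login Dialog URL, shows which part of the redirect a web server actually receives, and classifies the redirect as client-side (token in the fragment) or server-side (one-time code in the query). Hostnames, ids and token values are constructed placeholders, and `login_dialog_url`, `server_visible_url`, `parse_redirect` and `code_exchange_url` are this example's own names:

```python
"""Added example (not the deck's code): building the Login Dialog URL and
interpreting the redirect for the two flows on slides 98 and 103/104.
Client-side flow: the token comes back in the URL fragment (#), which the
browser never sends to the server. Server-side flow: a one-time code comes
back in the query string and is exchanged, server-side only, using the app
secret. Hostnames, ids and token values below are constructed placeholders."""
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

DIALOG_URL = "https://www.facebook.com/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"


def login_dialog_url(client_id: str, redirect_uri: str, scope: Iterable[str],
                     response_type: str) -> str:
    """response_type=token -> client-side access token; code -> server-side code."""
    if response_type not in ("token", "code"):
        raise ValueError("response_type must be 'token' or 'code'")
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "response_type": response_type, "scope": ",".join(scope)}
    # safe="," keeps the comma-separated scope readable, as on the slides;
    # redirect_uri is still fully percent-encoded.
    return DIALOG_URL + "?" + urlencode(query, safe=",")


def server_visible_url(redirect_url: str) -> str:
    """The part of a redirect URL that reaches the web server: everything but the fragment."""
    parts = urlsplit(redirect_url)
    return urlunsplit(parts._replace(fragment=""))


def parse_redirect(redirect_url: str) -> Optional[Dict[str, str]]:
    """Classify the redirect sent back to redirect_uri."""
    parts = urlsplit(redirect_url)
    fragment = parse_qs(parts.fragment)
    query = parse_qs(parts.query)
    if "access_token" in fragment:  # client-side flow (response_type=token)
        return {"flow": "client", "access_token": fragment["access_token"][0],
                "expires_in": fragment.get("expires_in", ["0"])[0]}
    if "code" in query:  # server-side flow (response_type=code)
        return {"flow": "server", "code": query["code"][0]}
    if "error" in query:  # the user refused, or the request was malformed
        return {"flow": "error", "error": query["error"][0]}
    return None


def code_exchange_url(client_id: str, client_secret: str, redirect_uri: str, code: str) -> str:
    """Step 2 of the server-side flow. Server-side only: it carries the app secret."""
    return TOKEN_URL + "?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "client_secret": client_secret, "code": code})


if __name__ == "__main__":
    print(login_dialog_url("EXAMPLE_APP_ID", "http://app.example/cb",
                           ["read_stream", "user_friends"], "code"))
    print(parse_redirect("http://app.example/cb#access_token=EXAMPLE_TOKEN&expires_in=6258"))
    print(server_visible_url("http://app.example/cb#access_token=EXAMPLE_TOKEN&expires_in=6258"))
```

`server_visible_url` makes slide 98's point concrete: for the client-side flow the server sees only `http://app.example/cb`, so the token never appears in server logs or proxies, and only the page's JavaScript can read it. For the server-side flow the code does travel in the query string, which is why it is single-use and short-lived.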
105. Facebook Authentication & Authorization: Server-side Application Authentication

106. Facebook Authentication & Authorization: Step 1 - Login Dialog (Browser)

  GET (in browser)
  https://graph.facebook.com/oauth/access_token?
    client_id=760835680597440
    &client_secret=7bdde89123d51317e6bd7e644d5202fd
    &grant_type=client_credentials

• client_id: Application Id
• client_secret: Application Secret

Response:

  access_token=760835680597440|MeOsSs6rIfH0SolW53nJnG8Atzs

107. Facebook Authentication & Authorization: Debugging Tokens

108. Facebook Authentication & Authorization: Debugging Tokens - Tool (screenshot)

109. Facebook Authentication & Authorization: Debugging Tokens - API

  GET
  https://graph.facebook.com/debug_token?
    input_token=CAAKzZBdx5d…
    &access_token=CAAKzZBdx5dcAB…

• input_token: the token to debug.

  {
    "data": {
      "error": {
        "message": "Error validating access token: Session does not match current…",
        "code": 190,
        "subcode": 460
      },
      "app_id": 760835680597440,
      "is_valid": false,
      "application": "Training API",
      "user_id": 702008335,
      "expires_at": 0,
      "scopes": [
        "read_stream",
        "status_update",
        "user_friends",
        …
      ]
    }
  }
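A server-side check over the /debug_token response of slide 109, as an added example (not code from the deck): before acting on a token received from a client, verify that it is valid, that it was issued to your own app id, that it carries the permissions you need and that it has not expired. The `check_debug_token` helper and the "valid" sample response are this example's own; the first sample is the slide's response with its elided parts removed, and treating `expires_at` of 0 as "no expiry" is this example's convention:

```python
"""Added example (not the deck's code): checking a /debug_token response
(slide 109) before trusting the token behind it. Assumptions: the caller
knows its own app id and the permissions it needs; an expires_at of 0 is
treated here as "no expiry", which is this example's convention."""
import json
import time
from typing import Dict, Iterable, List, Optional

# Response shown on slide 109, with the elided parts omitted.
SLIDE_109_RESPONSE = json.loads("""
{
  "data": {
    "error": {
      "message": "Error validating access token: Session does not match current",
      "code": 190,
      "subcode": 460
    },
    "app_id": 760835680597440,
    "is_valid": false,
    "application": "Training API",
    "user_id": 702008335,
    "expires_at": 0,
    "scopes": ["read_stream", "status_update", "user_friends"]
  }
}
""")


def check_debug_token(response: Dict, expected_app_id, required_scopes: Iterable[str],
                      now: Optional[float] = None) -> List[str]:
    """Return the list of reasons not to use the token; an empty list means it is usable."""
    data = response.get("data", {})
    problems: List[str] = []
    if not data.get("is_valid", False):
        message = data.get("error", {}).get("message", "unknown error")
        problems.append("token is not valid: " + message)
    # A valid token for *another* app must not be accepted: the user never
    # granted this app anything, so compare app_id with your own.
    if str(data.get("app_id")) != str(expected_app_id):
        problems.append("token was issued to app %s, not %s" % (data.get("app_id"), expected_app_id))
    missing = sorted(set(required_scopes) - set(data.get("scopes", [])))
    if missing:
        problems.append("missing permissions: " + ", ".join(missing))
    expires_at = data.get("expires_at", 0)
    now = time.time() if now is None else now
    if expires_at and expires_at <= now:
        problems.append("token expired")
    return problems


if __name__ == "__main__":
    for problem in check_debug_token(SLIDE_109_RESPONSE, 760835680597440, ["read_stream"]):
        print("-", problem)
```

The app-id comparison is the check most often forgotten: a token that is valid for some other application still passes Facebook's own validation, and accepting it would let a user of that other application sign in to yours.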
  110. 110. Facebook Authentication & Authorization Graph API Explorer Authenticate and Explore Facebook API easily
  111. 111. Facebook Authentication & Authorization Graph API Explorer Features
  112. 112. Facebook Authentication & Authorization Graph API Explorer Permissions
  113. 113. Facebook Authentication & Authorization Open Graph Debugger
  114. 114. Facebook Authentication & Authorization Access Token Tool
  115. 115. Facebook Authentication & Authorization Practical Work • In Postman and your browser, build a "FB Auth" collection of HTTP requests to: • Get long-lived client-side access token with permissions to get all birthdays • Get server-side access token with permissions to read the newsfeed, publish status and photos • Debug those tokens 115
  116. 116. Facebook Graph API
  117. 117. Facebook Graph API ? • Doc: https://developers.facebook.com/docs/graph-api/reference • Endpoint: https://graph.facebook.com/ • Get data in and out of Facebook’s social graph. • Read • Publish • Update • Delete • Search 117
  118. 118. Facebook Graph API Overview • Object-oriented • • • Every object has a unique identifier Connections All data returned as JSON objects Objects Objects : https://graph.facebook.com/{ID} • https://graph.facebook.com/25465437753 • • Object https://graph.facebook.com/fabricedelhoste Connections : https://graph.facebook.com/me/{connection} • https://graph.facebook.com/25465437753/friends • https://graph.facebook.com/me/friends 118
  119. 119. Facebook Graph API Root Objects Achievement Event Offer Question Album FriendList Order QuestionOption Application Group Page Review Checkin Insights Payment Comment Link Photo Status message Domain Errors Message Note Pictures Post Thread User Video 119
  120. 120. Facebook Graph API Reading • GET HTTP request • Different permissions applied to objects/fields/connections • • Access token required for most of personal data Response: { ! "fieldname": {field-value}, … ! } ! • Special object: /me : it’s me in the social graph ! 120
  121. 121. Facebook Graph API Reading a public object GET https://graph.facebook.com/markzuckerberg { "id": "4", "name": "Mark Zuckerberg", "first_name": "Mark", "last_name": "Zuckerberg", "link": "https://www.facebook.com/zuck", "username": "zuck", "hometown": { "id": "105506396148790", "name": "Dobbs Ferry, New York" }, "location": { "id": "104022926303756", "name": "Palo Alto, California" }, "bio": "I'm trying to make the world a more open place.", "quotes": ""Fortune favors the bold."rn- Virgil, Aeneid X.284rnrn"All children are artists. The problem is how to remain an artist once you grow up." rn- Pablo Picassornrn"Make things as simple as possible but no simpler."rn- Albert Einstein", "work": [ { "employer": { "id": "20531316728", "name": "Facebook" }, Vanity name or UID (User Id) No access token needed for public objects By default, every field are returned. 121
  122. 122. Facebook Graph API Introspection GET graph.facebook.com/markzuckerberg?metadata=1 { "id": "4", "name": "Mark Zuckerberg", "first_name": "Mark", … "metadata": { "connections": { "home": "https://.../home?access_token=CAAKz…", "feed": "https://.../feed?access_token=CAAKz…", "friends": "https://.../friends?access_token=CAAKz…", "mutualfriends": "https://.../mutualfriends?access_token=CAAKz…", "family": "https://.../markzuckerberg/family?access_token=CAAKz…", … "fields": [ { "name": "id", "description": "The user's Facebook ID…" }, { "name": "name", "description": "The user's full name… }, … … 122
  123. 123. Facebook Graph API Selecting fields/connections GET https://graph.facebook.com/me/friends?access_token=… &fields=name,birthday { } "data": [ { "name": "Eric Therene", "birthday": "12/22/1968", "id": "1027414115" }, { "name": "Jeremy Marois", "birthday": "01/23/1990", "id": "1329818667" }, … ] Can filter fields AND connections 123
  124. 124. Facebook Graph API Global Limit GET https://graph.facebook.com/me/albums?access_token=… &limit=5 { "id": "702008335", "albums": { "data": [ { "id": "10151819411378336", "from": { "name": "Fabrice Delhoste", "id": "702008335" }, "name": "Instagram", "link": "https://www…", "cover_photo": "10151819411413336", "privacy": "everyone", "count": 10, My last 5 photo albums … 124
  125. 125. Facebook Graph API Field Limit GET https://graph.facebook.com/me?access_token=… &fields=albums.limit(5) { "id": "702008335", "albums": { "data": [ { "id": "10151819411378336", "from": { "name": "Fabrice Delhoste", "id": "702008335" }, "name": "Instagram", "link": "https://www…", "cover_photo": "10151819411413336", "privacy": "everyone", "count": 10, My last 5 photo albums Same as previous. … 125
  126. 126. Facebook Graph API Mixing fields and limits GET https://graph.facebook.com/me?access_token=… &fields=albums.limit(5).fields( name, photos.limit(1).fields( name, picture ) ) { "id": "702008335", Name and picture of each "albums": { first photo of my last 5 "data": [ photo albums. { "name": "Instagram", "id": "10151819411378336", "created_time": "2013-07-25T08:49:09+0000", "photos": { "data": [ { "name": "Mod…", "picture": "https://fbcdn…”, … 126
  127. 127. Facebook Graph API Cursor-based Pagination • Cursor-based • • • Cursor marks an invariant point in a list of data Preferred pagination (consistent even if objects have been created or deleted in the meantime you got the page) Not currently supported among all object types • • Supported: photos, albums, links, notes, admins, comments, likes, … 2 request parameters: before, after 127
128. Facebook Graph API Cursor-based Pagination
GET https://graph.facebook.com/283864466145_10151727303376146/likes
Get likes of this page post id.
{
  "data": [
    { "id": "1018544972", "name": "Tyrion Lannister" },
    { "id": "100000974199494", "name": "Cersei Lannister" },
    …
  ],
  "paging": {
    "cursors": {
      "after": "MTMwMjc5OTMxOQ==",
      "before": "MTAxODU0NDk3Mg=="
    },
    "next": "https://graph.facebook.com/283864466145_10151727303376146/likes?limit=25&after=MTMwMjc5OTMxOQ%3D%3D"
  }
}
Before (or after) is always included. Useful to poll for updates. The next link is included to paginate.
129. Facebook Graph API Cursor-based Pagination
GET https://graph.facebook.com/283864466145_10151727303376146/likes?limit=25&after=MTMwMjc5OTMxOQ%3D%3D
Moving forward:
{
  "data": [
    { "id": "1018544972", "name": "Tyrion Lannister" },
    …
  ],
  "paging": {
    "cursors": {
      "after": "MTU4NDc4MjE4MQ==",
      "before": "MTM5NjgxODI0OA=="
    },
    "previous": "https://graph.facebook.com/283864466145_10151727303376146/likes?limit=25&before=MTM5NjgxODI0OA%3D%3D",
    "next": "https://graph.facebook.com/283864466145_10151727303376146/likes?limit=25&after=MTU4NDc4MjE4MQ%3D%3D"
  }
}
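To make the "consistent even if objects have been created" claim of the cursor slides concrete, here is an added simulation (not code from the slides): an in-memory stand-in for a likes edge that serves both offset and cursor pages, with a new like arriving while a client is paging. The server, its cursor encoding and the sample likes are all constructed for this example; the POST_ID in the URLs is a placeholder.

```python
import base64
from urllib.parse import parse_qs, urlsplit


class FakeGraphServer:
    """In-memory stand-in for a Graph API edge such as /{post-id}/likes.

    Items are kept newest-first, as in the slide's JSON. A cursor is the
    base64 of an item id (the slide's cursors decode the same way: the
    "before" cursor MTAxODU0NDk3Mg== is "1018544972", the first like), so a
    cursor keeps pointing at the same object even if the list changes.
    """

    def __init__(self, items):
        self.items = list(items)  # [(id, name)], newest first

    @staticmethod
    def cursor(item_id):
        return base64.b64encode(item_id.encode()).decode()

    @staticmethod
    def uncursor(cursor):
        return base64.b64decode(cursor).decode()

    def prepend(self, item):
        """Simulate an object created while a client is still paging."""
        self.items.insert(0, item)

    def get(self, url):
        base, q = url.split("?")[0], parse_qs(urlsplit(url).query)
        limit = int(q.get("limit", ["25"])[0])
        ids = [i for i, _ in self.items]
        if "offset" in q:                       # offset-based: a position in the list
            start = int(q["offset"][0])
            end = start + limit
        elif "after" in q:                      # cursor-based: items after a known id
            a = self.uncursor(q["after"][0])
            start = ids.index(a) + 1 if a in ids else len(ids)
            end = start + limit
        elif "before" in q:                     # cursor-based: items before a known id
            b = self.uncursor(q["before"][0])
            end = ids.index(b) if b in ids else 0
            start = max(0, end - limit)
        else:
            start, end = 0, limit
        page = self.items[start:end]
        resp = {"data": [{"id": i, "name": n} for i, n in page], "paging": {}}
        if page:
            resp["paging"]["cursors"] = {"before": self.cursor(page[0][0]),
                                         "after": self.cursor(page[-1][0])}
        if "before" not in q and end < len(self.items):
            nxt = (f"offset={end}" if "offset" in q
                   else f"after={resp['paging']['cursors']['after']}")
            resp["paging"]["next"] = f"{base}?limit={limit}&{nxt}"
        return resp


def walk(server, first_url, between_pages=None):
    """Follow paging.next until it disappears and return every id seen.

    between_pages(page_number) is a hook so the list can change mid-walk.
    """
    seen, url, page_no = [], first_url, 0
    while url:
        resp = server.get(url)
        seen.extend(item["id"] for item in resp["data"])
        page_no += 1
        if between_pages:
            between_pages(page_no)
        url = resp["paging"].get("next")
    return seen


def demo(mode):
    """Page through 6 likes, 2 per page, while a 7th like arrives after page 1.

    Offset paging re-serves an item (everything shifted by one); cursor paging
    does not, because "after" names the last object seen, not a position.
    """
    likes = [(str(1000 + i), f"user{i}") for i in range(6)]  # constructed data
    server = FakeGraphServer(likes)
    url = "https://graph.facebook.com/POST_ID/likes?limit=2"
    if mode == "offset":
        url += "&offset=0"
    return walk(server, url,
                lambda n: server.prepend(("9999", "newcomer")) if n == 1 else None)


def poll_newer(server, newest_seen_id, limit=25):
    """Fetch objects created since the newest one we know: the slide's
    "useful to poll for updates" use of the before cursor."""
    url = (f"https://graph.facebook.com/POST_ID/likes?limit={limit}"
           f"&before={server.cursor(newest_seen_id)}")
    return [item["id"] for item in server.get(url)["data"]]
```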
130. Facebook Graph API Offset-based Pagination
• Offset-based
  • Marks an offset point and a number of objects in a list of data
  • Supported by all objects
  • Can be combined with other type of pagination
  • Used when chronology is useless
  • 2 request parameters: limit, offset
131. Facebook Graph API Offset-based Pagination
GET https://graph.facebook.com/me/friends?access_token=…&limit=10&offset=10
Get the friends at current indexes [10-20].
{
  "data": [
    { "name": "Luke Skywalker", "id": "100004245228110" }
    …
  ],
  "paging": {
    "next": "https://graph.facebook.com/702008335/friends?limit=10&offset=20&access_token=CAAKzZB...&__after_id=739453773",
    "previous": "https://graph.facebook.com/702008335/friends?limit=10&offset=0&access_token=CAAKzZB...&__before_id=695205969"
  }
}
132. Facebook Graph API Time-based Pagination
• Time-based
  • Timestamps pointing to specific times in a list of data
  • Less accurate than Cursor
  • 2 request parameters: since, until
133. Facebook Graph API Time-based Pagination
GET https://graph.facebook.com/me/home?access_token=…&limit=5
since and until are expressed as a number of seconds since January 1 1970 00:00:00 UTC.
{
  "data": [
    { "name": "Luke Skywalker", "id": "100004245228110" }
    …
  ],
  "paging": {
    "previous": "https://graph.facebook.com/702008335/home?limit=5&access_token=CAAK...&since=1386678619&__previous=1",
    "next": "https://graph.facebook.com/702008335/home?limit=5&access_token=CAAK...&until=1386675900"
  }
}
134. Facebook Graph API Multiple objects at once
GET https://graph.facebook.com/?access_token=…&ids=4,5,6&fields=username
{
  "4": { "username": "zuck", "id": "4" },
  "5": { "username": "ChrisHughes", "id": "5" },
  "6": { "username": "moskov", "id": "6" }
}
135. Facebook Graph API Date & Locale
• Dates
  • By default, ISO-8601
  • Add "date_format" request parameter to override
  • Syntax: http://php.net/manual/en/function.date.php
• Locale
  • Add "locale" request parameter to override default
  • Syntax: https://www.facebook.com/translations/FacebookLocales.xml
• For further information:
  • https://developers.facebook.com/docs/reference/api/dates/
  • https://developers.facebook.com/docs/reference/api/locale/
136. Graph API Publishing
• POST HTTP request
• Access token required with the right permissions
• Examples
  • Post a status or a picture
  • Like something
  • Post comments
137. Graph API Publishing Basic Example
POST https://graph.facebook.com/me/feed?access_token=…&message=This is a default message.
{ "id": "702008335_10152142129743336" }
Every object: https://developers.facebook.com/docs/graph-api/reference
138. Graph API Publishing Post a like
POST https://graph.facebook.com/702008335_10152142129743336/likes?access_token=…
true
Like is a special case: it has no id.
139. Graph API Publishing Privacy
• Add "privacy" parameter to post requests
  • Application privacy setting sets the ceiling for this value
  • Ex: if app is defined at FRIENDS, posting to public is not allowed.
• Privacy can be set to:
  • EVERYONE: public
  • ALL_FRIENDS: direct friends
  • FRIENDS_OF_FRIENDS: level 2
  • SELF: only me can see this (useful to test on real accounts)
  • CUSTOM: in this case, it is possible to fine-tune (like with web interface)
• Only applies to Posts to the user’s own timeline (ex: not applied to events)
  140. 140. Graph API Publishing Privacy Settings 140
141. Graph API Publishing Posting to friends
POST https://graph.facebook.com/me/feed?access_token=…&privacy={"value":"ALL_FRIENDS"}&message=This is a message to all of my friends.
{ "id": "702008335_10152142129743336" }
142. Graph API Publishing Posting to Friends except a friend list
POST https://graph.facebook.com/me/feed?access_token=…
  &privacy={ "value":"CUSTOM", "allow":"ALL_FRIENDS", "deny":"10150382806413336,10150382789648336"}
  &message=This is a message with custom privacy.
The denied ids are the ids of the "acquaintances" and "family" friend lists. These can also be user ids to exclude specific people.
{ "id": "702008335_10152142133908336" }
143. Graph API Publishing Photos
• 2 ways:
  • Upload photo to the app’s album or an existing one
    • Create the app’s album if necessary. Album’s name is App name + Photos.
  • Publish an existing web photo
    • Just from its URL
144. Graph API Example - Publishing Photos (upload)
POST https://graph.facebook.com/me/photos?access_token=…&privacy={"value":"ALL_FRIENDS"}&message=Great city.
HTTP Multipart request. Behind the scene (Postman will send this):
content-type: multipart/form-data; boundary=——WebKitFormBoundaryV…
…
———WebKitFormBoundaryV…
Content-Disposition: form-data; name="source"; filename="marseille.jpg"
Content-Type: image/jpeg
…
Response: id of the photo object, then id of the post object.
{ "id": "10152142262128336", "post_id": "702008335_10152142255908336" }
145. Graph API Example - Publishing Photos (web)
POST https://graph.facebook.com/me/photos?access_token=…&privacy={"value":"ALL_FRIENDS"}&message=Great city.&url=https://www.google.fr/images/srpr/logo11w.png
Facebook will download the photo.
Response: id of the photo object, then id of the post object.
{ "id": "10152142286438336", "post_id": "702008335_10152142255908336" }
146. Graph API Updating
• POST HTTP request
• Very simple: fields and values to update
• Same permissions as publishing
147. Graph API Updating Basic Example
POST https://graph.facebook.com/702008335_10152143278443336?access_token=…&message=This is a modified message.
true
Simply POST to the object. Cannot update everything (ex: privacy).
148. Graph API Deleting
• DELETE HTTP request
• Access token required with permissions.
• Alternative: POST with "method=delete" parameter
149. Graph API Deleting Basic Example
DELETE https://graph.facebook.com/702008335_10152143278443336?access_token=…
or
POST https://graph.facebook.com/702008335_10152143278443336?access_token=…&method=delete
true
150. Graph API Deleting Delete a like
DELETE https://graph.facebook.com/702008335_10152143302288336/likes?access_token=…
true
Remember: like is not a root object.
151. Graph API Searching
• GET /search?q=…
• Access token required
  • Pages & places: app access token
  • Others: user access token
• No public Graph Search API yet
  • Example: "My friends that play Candy Crush Saga"
152. Graph API Searching Searchable Types
• Post
• Group
• User
• Checkin
• Page
• Place
• Event
• Location
153. Graph API Searching Example
GET https://graph.facebook.com/search?access_token=…&q=fabrice delhoste&type=user
{
  "data": [
    { "name": "Fabrice Delhoste", "id": "702008335" }
  ],
  "paging": {
    "next": "https://graph.facebook.com/search?type=user&q=fabrice+delhoste&access_token=CAAK…&limit=5000&offset=5000&__after_id=702008335"
  }
}
154. Facebook Graph API Batch
• Group requests together
• More efficient
• Several Graph API calls in a single HTTP request
155. Facebook Graph API Batch
• A set of HTTP requests/responses as JSON array
• Can mix up to 50 requests with different access tokens or a single shared access token
• GET, POST, and DELETE supported.
• Multipart attachments (ex: photos)
• Can depend on each other thanks to JSONPath
  • JSONPath is a JSON query language. See http://goessner.net/articles/JsonPath/
  • Selectively extract data from JSON structure with a JSONPath subset.
• Timeouts: null response (all or part) in JSON response
156. Facebook Graph API Batch Basic Example
POST https://graph.facebook.com/?access_token=…   (post to root /)
HTTP request body (batch=):
batch=[
  { "method":"POST", "relative_url":"me/feed", "body":"message=Happy" },
  { "method":"GET", "relative_url":"me/feed?limit=1" }
]
Post a status and read it immediately after (assuming no concurrent status).
Response:
[
  {
    "code": 200,
    "headers": [ {"name": "Cache-Control","value": "private, no-cache, no-store, must-revalidate"}, … ],
    "body": "{\n \"id\": \"702008335_10152143594348336\"\n}"
  },
  {
    "code": 200,
    "headers": [ {"name": "Cache-Control","value": "private, no-cache, no-store, must-revalidate"}, … ],
    "body": "{\n \"data\": [\n {\n \"id\": \"702008335_643……………… }\n}"
  }
]
157. Facebook Graph API Batch Messy Example
POST https://graph.facebook.com/?access_token=…
batch=[
  { "method":"POST", "relative_url":"me/feed", "body":"message=Happy%26privacy=%257B%2522value%2522%253A%2522SELF%2522%257D" },
  { "method":"GET", "relative_url":"me/feed?limit=1" }
]
Double URL-encoding needed !!!
[
  {
    "code": 200,
    "headers": [ {"name": "Cache-Control","value": "private, no-cache, no-store, must-revalidate"}, … ],
    "body": "{\n \"id\": \"702008335_10152143594348336\"\n}"
  },
  {
    "code": 200,
    "headers": [ {"name": "Cache-Control","value": "private, no-cache, no-store, must-revalidate"}, … ],
    "body": "{\n \"data\": [\n {\n \"id\": \"702008335_643……………… }\n}"
  }
]
158. Facebook Graph API Batch Advanced Example
POST https://graph.facebook.com/?access_token=…
batch=[
  { "method":"GET", "relative_url":"me/friends", "name":"friends", "omit_response_on_success":false },
  { "method":"GET", "relative_url":"?ids={result=friends:$.data.*.id}" }
]
JSONPath expression. Syntax: {result=requestname:<jsonpath>}
By default, responses from a request used as a dependency (here the "friends" request) are not returned to avoid overhead. "omit_response_on_success": false forces the response.
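The two encoding layers behind the "messy" example and the dependency syntax of the advanced example, as an added Python illustration (not code from the slides). encode_batch applies the client-side encodings, decode_batch shows what the receiving side has to undo, and resolve_dependencies handles only the `{result=name:$.list.*.field}` shape seen on the slide, which is an assumption of this example rather than the full JSONPath subset the service accepts.

```python
import json
import re
from urllib.parse import parse_qs, urlencode


def encode_batch(requests, access_token):
    """Build the body of the outer POST to https://graph.facebook.com/.

    Each inner request's "params" dict is form-encoded into its "body"
    (first encoding). The whole batch JSON then travels as the value of the
    "batch" form field, so it is form-encoded once more (second encoding).
    That second pass is what turns %7B into the slide's %257B.
    """
    inner = []
    for req in requests:
        item = {k: v for k, v in req.items() if k != "params"}
        if "params" in req:
            item["body"] = urlencode(req["params"])      # first encoding
        inner.append(item)
    outer = {"access_token": access_token,
             "batch": json.dumps(inner, separators=(",", ":"))}
    return urlencode(outer)                              # second encoding


def decode_batch(outer_body):
    """Server side: undo both layers and hand back the inner requests with
    their bodies parsed into dicts (a single value per key)."""
    fields = parse_qs(outer_body)
    requests = json.loads(fields["batch"][0])
    for req in requests:
        if "body" in req:
            req["params"] = {k: v[0] for k, v in parse_qs(req["body"]).items()}
    return requests


# Only the slide's shape: {result=<request name>:$.<list>.*.<field>}
DEP = re.compile(r"\{result=(\w+):\$\.(\w+)\.\*\.(\w+)\}")


def resolve_dependencies(requests, results):
    """Replace each dependency placeholder in relative_url with the
    comma-separated field values taken from the named, already-received
    result, e.g. ?ids={result=friends:$.data.*.id} -> ?ids=4,5."""
    resolved = []
    for req in requests:
        def substitute(match):
            name, list_key, field = match.groups()
            return ",".join(str(item[field]) for item in results[name][list_key])
        resolved.append({**req, "relative_url": DEP.sub(substitute, req["relative_url"])})
    return resolved


# Constructed sample: the slide's "post with SELF privacy, then read it back".
SAMPLE_BATCH = [
    {"method": "POST", "relative_url": "me/feed",
     "params": {"message": "Happy", "privacy": '{"value":"SELF"}'}},
    {"method": "GET", "relative_url": "me/feed?limit=1"},
]

if __name__ == "__main__":
    body = encode_batch(SAMPLE_BATCH, "ACCESS_TOKEN_PLACEHOLDER")
    print(body)                      # contains privacy%3D%257B%2522value...
    print(decode_batch(body)[0]["params"])
```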
159. Facebook Graph API Errors
{
  "error": {
    "message": "Message describing the error",
    "type": "OAuthException",
    "code": 190,
    "error_subcode": 460
  }
}
No official full documentation for error codes !!!
https://developers.facebook.com/docs/graph-api/using-graph-api/#errors
Google is your friend.
160. Facebook Graph API Old REST API
• Before Graph API
• Absolutely not REST
• https://api.facebook.com/method/{methodname}
• Deprecated
• Still in use in some apps.
  161. 161. Facebook Graph API Practical Work • In Postman, create a new collection named "FB Graph API" and build HTTP requests to: • Get your profile • Get the birthday of one of your friend • Get all of your friends’ birthday • Get 3 friend profiles at once • Get your 10 first friends • Get list from friend number 10 to friend number 20 161
  162. 162. Facebook Graph API Practical Work • Get the photos of this album • Create a photo album with privacy SELF • Add a web photo to this album • Post a message with custom privacy (allow/deny some testers) • Like this post • Get this post metadata 162
  163. 163. Facebook Graph API Practical Work • Get this post likes • Delete this like • Get your home newsfeed (homepage recent stream) • Get the messages of 50 latest newsfeed posts with their 3 last comment messages • Run a full text search for a pattern in your newsfeed retrieving only the message of the 5 first matches 163
  164. 164. Facebook Graph API Practical Work • Create a secret event • Introspect this event • Invite other testers to this event • Ask one of the testers to attend the event • Get the list of attendees 164
  165. 165. Facebook Graph API Practical Work • Upload a photo to this event with a short message • Get the event feed • Delete this event • Write a batch request to create and invite to an event at the same time 165
  166. 166. Facebook Facebook Query Language (FQL)
167. Facebook Query Language (FQL)
• https://developers.facebook.com/docs/reference/fql
• Limited SQL subset
  • One table, no JOIN, no LIKE, no COUNT(*), no GROUP BY, no star (*) for multiple columns
• More power than Graph API
  • Better filtering options
  • Access to more information (ex: friend requests)
  • Read-only virtual private database
• Facebook actually exposes a database with more than 1 billion users !
  168. 168. Facebook Query Language (FQL) Tables album app_role application apprequest checkin column comment comments_info connection cookies developer domain domain_admin event event_member family friend friend_request friendlist friendlist_member group group_member insights like link link_image_src link_stat location_post mailbox_folder message note notification object_url offer page page_admin page_blocked_user page_fan page_global_brand_child page_milestone permissions permissions_info photo photo_src photo_tag place privacy privacy_setting profile profile_pic profile_tab profile_view question question_option question_option_votes review score square_profile_pic square_profile_pic_size standard_friend_info standard_user_info status stream stream_filter stream_tag subscription table thread translation unified_message unified_message_count unified_message_sync unified_thread unified_thread_action unified_thread_count unified_thread_sync url_like user video video_tag 168
169. Facebook Query Language (FQL) Query Syntax
SELECT select_expr [, select_expr ...]
FROM table_reference
WHERE where_condition
[ORDER BY {col_name | expr | position} [ASC | DESC]]
[LIMIT {[offset,] row_count | row_count OFFSET offset}]
• select_expr can be a field or a function of a field. Cannot use * (star).
• Only 1 table
• Only 1 ORDER BY expression
• Offset-based pagination
• where_condition is composed of:
  • Logical operators: OR, AND, NOT
  • IN (subquery)
  • IN (expr [, expr] …)
  • = != <> < > <= >=
  • + - * /
  • Grouping with parentheses ()
  • Functions (next slides)
170. Facebook Query Language (FQL) Sending FQL Query
GET https://graph.facebook.com/fql?access_token=…&q=SELECT name FROM user WHERE uid=me()
Obviously, the query must be URL-encoded (not here, for readability). me() is the user authenticated by the access_token.
JSON result: array of objects enclosed in data
{
  "data": [
    { "name": "Tyrion Lannister" }
  ]
}
171. Facebook Query Language (FQL) Subqueries
My friends and me with our square picture:
SELECT name, pic_square FROM user WHERE uid = me() OR uid IN (SELECT uid2 FROM friend WHERE uid1 = me())
User id is IN the result of the nested query.
172. Facebook Query Language (FQL) Pagination
SELECT name FROM user WHERE uid IN (SELECT uid2 FROM friend WHERE uid1=me()) LIMIT 10
10 first friends
173. Facebook Query Language (FQL) Pagination
SELECT name FROM user WHERE uid IN (SELECT uid2 FROM friend WHERE uid1=me()) LIMIT 10,10
10 next friends. Identical to LIMIT 10 OFFSET 10.
174. Facebook Query Language (FQL) Sending multiple queries at once
GET https://graph.facebook.com/fql?q={
  "query1": "SELECT uid, rsvp_status FROM event_member WHERE eid=219790564859590",
  "query2": "SELECT name, url, pic FROM profile WHERE id IN (SELECT uid FROM #query1)"
}
Name your queries. #query1 is a reference to the results of the first query (named "query1"). Use the hash symbol to reference.
Query 1: get the members invited to an event (12345678). Query 2: get the profile details of the attendees.
{
  "data": [
    { "name": "query1", "fql_result_set": [ { "uid": 702008335, "rsvp_status": "attending" } ] },
    { "name": "query2", "fql_result_set": [ { "name": "Fabrice Delhoste", "url": "https://www.facebook.com/fabricedelhoste", "pic": "https://fbcdn-profi…" } ] }
  ]
}
  175. 175. Facebook Query Language (FQL) Data Types • string • unsigned int32 • bool • struct • array<…> • object<…,…> • id • number • timestamp • list • int32 175
176. Facebook Query Language (FQL) Indexable Columns
• Every table has one or more index-able columns
• IMPORTANT: FQL query MUST have at least one index-able column in WHERE clause.
• Marked with "magnifier" icon in FQL reference documentation
  177. 177. Facebook Query Language (FQL) Functions • me(): guess who? • now(): guess when? • rand(): random number • concat(…, …): concatenate • strlen(string): length of string 177
  178. 178. Facebook Query Language (FQL) Functions • substr(string, start, length): substring • strpos(haystack, string): search string in haystack • Use it to achieve "LIKE" • upper(string): convert string to uppercase • lower(string): convert string to lowercase • distance(latitude, longitude, "float", "float"): used for geolocation 178
179. Facebook Query Language (FQL) Functions
SELECT concat(substr(first_name,0, 1), substr(last_name, 0, 1)) FROM user WHERE uid IN ( SELECT uid2 FROM friend WHERE uid1 = me())
Returns all friends’ initials. anon is the result of the function.
{
  "data": [
    { "anon": "TL" },
    { "anon": "JS" },
    …
  180. 180. Facebook Graph API Practical Work • In Postman, create a collection named "FB FQL" and build HTTP requests to: • Get my profile (hometown, birthday, …) • Get my last status • Get all of my events • Get all photos I’m tagged into • List friends sorted by their name length • Search friend from a pattern • Find and order the 10 friends with highest number of mutual friends • Find name of online friends 180
  181. 181. Facebook Graph API Practical Work • Get your unread notifications (simulate them) • Get pages and their number of fans I’m following (look to connection table) • Get all photos from latest modified album from most recent to oldest • Find name of all friends but family • Find all singles out of your friends • Write a batch that finds singles and post "Hello" concatenated with all of their first names • Get latest one-week photos from all of your friends (most recent first) • Get each friend list your friends belongs to (for each friend) 181
  182. 182. Facebook Developer Tools
  183. 183. Test Users Facility to create fake users for testing purposes
184. Facebook Developer Tools Test Users?
• https://developers.facebook.com/docs/test_users/
• Used for development and debugging purposes
• Test Users = Fake Users
  • Avoid confusing with Testers = Real Users !!!
  • Invisible, no interaction with real users
  • 2000 test users per app max.
  185. 185. Facebook Developer Tools Test Users Creating and Deleting Test Users (GUI) Testers = Real Users Test Users = Fake Users
186. Facebook Developer Tools Test Users Getting Test Users
GET https://graph.facebook.com/760835680597440/accounts/test-users?access_token=…   (app access token)
{
  "data": [
    {
      "id": "100007272790057",
      "access_token": "CAAKzZBdx5…",
      "login_url": "https://www.facebook.com/platform/test_account_login.php?user_id=100007272790057&n=FlFJkyssketSX9Y"
    },
    …
  ]
}
187. Facebook Developer Tools Test Users Creating a test user (API)
GET https://graph.facebook.com/760835680597440/accounts/test-users?access_token=…
  &name=Tyrion Lannister
  &locale=en_US
  &installed=true
  &permissions=read_stream
  &method=post
760835680597440 is the app id. installed: is the application installed to this user at creation? If installed=true, permissions are the permissions given to the application. login_url allows direct login (no password).
{
  "id": "100007176673155",
  "email": "tyrion_jihlktz_lannister@tfbnw.net",
  "access_token": "CAAKzZBdx5…",
  "login_url": "https://www.facebook.com/platform/test_account_login.php?user_id=100007176673155&n=tR7yCoyWqEw1Wfu",
  "password": "1890805985"
}
188. Facebook Developer Tools Test Users Deleting a test user
DELETE https://graph.facebook.com/100007176673155?access_token=…   (user access token or app access token)
true
189. Facebook Developer Tools Test Users Update Test Users username and password
GET https://graph.facebook.com/100007176673155?access_token=…
  &password=thrones
  &name=Cersei Lannister
  &method=post
true
190. Facebook Developer Tools Test Users Making Friends
POST (friend request) https://graph.facebook.com/100007176673155/friends/100007272790057?access_token=…
then
POST (friend confirmation) https://graph.facebook.com/100007272790057/friends/100007176673155?access_token=…
The access token is the user access token of the user to add the friend to.
true
191. Facebook Developer Tools Test Users Adding test users to other apps
GET https://graph.facebook.com/APP_ID/accounts/test-users?installed=true
  &permissions=read_stream
  &uid=TEST_USER_ID
  &owner_access_token=…   (app access token of the app to add the user from)
  &access_token=…   (app access token of the app to add the user to)
  &method=post
true
  192. 192. Facebook Developer Tools Test Users Practical Work • In Postman, create a "FB Test Users" collection where you build HTTP requests to: • Create 3 test users: Bob, Joe, and Larry • Make Bob friend with Joe • Request Larry to be friend with Joe • Use Graph API Batch to get friends and friendrequests • Use Graph API Batch to delete them all 192
  193. 193. Facebook Support & Maintenance
  194. 194. Roadmap • developers.facebook.com/roadmap/ Review frequently. 194
  195. 195. Breaking Changes and Migration Policy • 90-day breaking change policy. • Breaking change automatically enabled for new apps. • Recommendation: asap ! • TODO : App Dashboard / Migration 195
  196. 196. Platform Status • developers.facebook.com/live_status/ JSON Events History 196
  197. 197. Bugs • developers.facebook.com/bugs/ Subscribe to bugs (email alert) Communicate with Facebook Problem description 197
  198. 198. Beta Tier • developers.facebook.com/docs/support/beta-tier/ • Desktop: www.beta.facebook.com • Mobile Web: m.beta.facebook.com • Apps in Canvas: apps.beta.facebook.com • Graph API: graph.beta.facebook.com • Code changes: • Beta on Sunday evenings (Pacific time) • Production on Tuesday evenings 198
199. Stay tuned
• developers.facebook.com/blog
• @FacebookDevRel
• @fb_engineering
  200. 200. Facebook Chat API
201. Facebook Chat API
• https://developers.facebook.com/docs/chat/
• XMPP
  • eXtensible Messaging and Presence Protocol
  • Custom with limitations. Ex: authentication, presence, …
  • Use one of the numerous XMPP client frameworks
    • Ex: Smack in Java
• Not (yet?) covered in this course.
  202. 202. Facebook Open Graph
203. Open Graph Object and Action Model
• Facebook internal graph has limited interactions
  • Open Graph turns any web page into an object
  • Object and Action model
• Not (yet?) covered in this course.
  204. 204. Facebook Real-time Updates
205. Facebook Realtime Updates
• Push model
  • vs Polling model
• Subscribe to data changes
  • Facebook calls your server with POST request
• Caching data
  • Ex: synchronize friend information
  206. 206. Facebook Realtime Updates Publicly Supported Objects • User • Limited to: feed, friends, activities, interests, music, books, movies, television, likes, checkins, location, events. • Permissions • Payments and Payment Subscriptions • Errors • Page • Limitations 206
  207. 207. Facebook Realtime Updates Dashboard • With recent new dashboard, FB removed the panel !!! • Workaround: https://developers.facebook.com/apps/{appId}/ realtime?ref=nav 207
  208. 208. Facebook Realtime Updates Dashboard 208
209. Facebook Realtime Updates How to proceed
• 3 steps
  • Register your server (dashboard or API)
  • Respond correctly to a ping GET request
  • Start listening for POST requests
210. Facebook Realtime Updates API
• https://graph.facebook.com/{appId}/subscriptions
• Listing subscriptions: GET
• Adding or modifying subscriptions: POST
  • Query parameters:
    • object: the object to be updated about
    • fields: a comma-separated list of object properties to be updated about
    • callback_url: our server endpoint
    • verify_token: a verify token sent to our server
  • Will send GET request to callback_url in order to validate your server
• Deleting subscriptions: DELETE
211. Facebook Realtime Updates Your Callback Server
• Two endpoints needed:
  • Subscription Verification
  • Receiving Updates
• HTTPS preferred
212. Facebook Realtime Updates Your Callback Server Subscription Verification
• Query parameters
  • hub.mode: "subscribe"
  • hub.challenge: random
  • hub.verify_token: defined at subscription
• Verify hub.verify_token
  • Check origin is Facebook
  • Prevents DDoS
• Return hub.challenge in the response
213. Facebook Realtime Updates Your Callback Server Subscription Verification
GET http://mycallbackserver.com/?hub.mode=subscribe&hub.challenge=677173267&hub.verify_token=thisisme
Verify the token. If OK, echo the challenge back to Facebook to validate the registration:
677173267
214. Facebook Realtime Updates Your Callback Server Receiving Updates
• JSON
• No content, only notification about content
  • Request needed to get details (Graph API or FQL)
  • Example: notified about changes to ‘friends’ field
• Batch updates: possibly multiple notifications at once
• Retry policy
• Payload signed in HTTP header
  • SHA-1 Signature in HTTP header named ‘X-Hub-Signature’
215. Facebook Realtime Updates Your Callback Server Receiving Updates
POST http://mycallbackserver.com/
{
  "object": "user",
  "entry": [
    {
      "uid": "100001555554986",
      "id": "100001555554986",
      "time": 1387128215,
      "changed_fields": ["hometown"]
    }
  ]
}
Here are the fields that have been updated. If you need details, you can use Graph API or FQL.
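The two callback endpoints of slides 212 to 215 in Python, as an added example (not the course's Java servlet): the verification GET is answered only when hub.mode is "subscribe" and the verify token matches, and an update POST is accepted only after its X-Hub-Signature header checks out against the raw body. The app secret, verify token and update body are constructed for this example; that the header carries "sha1=" followed by the hex HMAC-SHA1 of the body keyed with the app secret is Facebook's documented format, not something on the slides.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed values for this example (not real credentials).
APP_SECRET = "example-app-secret-not-real"
VERIFY_TOKEN = "thisisme"        # the verify_token passed when subscribing


def handle_verification(request_url, expected_token=VERIFY_TOKEN):
    """Answer the subscription-verification GET.

    Returns the hub.challenge string to echo back when hub.mode is
    "subscribe" and the verify token matches; otherwise None, meaning the
    server should answer 403 and echo nothing (anyone can send this GET).
    """
    params = parse_qs(urlsplit(request_url).query)
    mode = params.get("hub.mode", [""])[0]
    token = params.get("hub.verify_token", [""])[0]
    challenge = params.get("hub.challenge", [""])[0]
    if mode != "subscribe" or not challenge:
        return None
    # Constant-time comparison: no timing leak on how many bytes matched.
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return None
    return challenge


def sign_body(app_secret, raw_body):
    """The header value Facebook would attach: sha1=<hex HMAC-SHA1 of body>."""
    return "sha1=" + hmac.new(app_secret.encode(), raw_body, hashlib.sha1).hexdigest()


def verify_signature(app_secret, raw_body, header_value):
    """Check X-Hub-Signature over the exact bytes received, before any JSON
    parsing, so a re-serialised body cannot change what was signed."""
    if not header_value or not header_value.startswith("sha1="):
        return False
    expected = sign_body(app_secret, raw_body)
    return hmac.compare_digest(header_value.encode(), expected.encode())


def parse_update(raw_body):
    """Return [(object_type, object_id, changed_fields)] from a verified body.
    The payload only names what changed; details need a Graph API or FQL call."""
    payload = json.loads(raw_body)
    return [(payload["object"], entry["id"], entry["changed_fields"])
            for entry in payload["entry"]]


def process_update(app_secret, raw_body, header_value):
    """Full POST handler: reject unsigned or tampered bodies, else list changes."""
    if not verify_signature(app_secret, raw_body, header_value):
        return None
    return parse_update(raw_body)


# Constructed sample update with the same shape as the slide's example.
SAMPLE_BODY = json.dumps({
    "object": "user",
    "entry": [{"uid": "100001555554986", "id": "100001555554986",
               "time": 1387128215, "changed_fields": ["hometown"]}],
}).encode()

if __name__ == "__main__":
    ping = ("http://mycallbackserver.com/?hub.mode=subscribe"
            "&hub.challenge=677173267&hub.verify_token=thisisme")
    print(handle_verification(ping))                         # 677173267
    sig = sign_body(APP_SECRET, SAMPLE_BODY)
    print(process_update(APP_SECRET, SAMPLE_BODY, sig))      # [('user', '100001555554986', ['hometown'])]
    print(process_update(APP_SECRET, SAMPLE_BODY + b" ", sig))  # None: body altered in transit
```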
216. Facebook Realtime Updates Practical Work
• If this is possible for your network (NAT, tunnel, reverse proxy…), implement a Java servlet:
  • Responding to RTU ping
  • Register it to RTU
  • Simulate and start receiving updates for user updates such as hometown
  • Get the user’s new hometown
  • Bonus: verify signature :-)
• In Postman, create a HTTP Collection named "RTU Facebook"
  • Write all HTTP requests to subscribe/unsubscribe/list RTU
  217. 217. Twitter
  218. 218. Twitter Overview
  219. 219. Twitter • Founded in 2006 • Jack Dorsey, Evan Williams, Biz Stone, and Noah Glass • 232 million monthly active users. • 100 million daily active users. • 176 million mobile users. • More than 340 millions tweets daily. 219
  220. 220. Twitter? • Social network and microblogging • Real-time information network • Ad network • Search engine • Identity provider across the web and mobile apps 220
  221. 221. Twitter Features • Tweet (140 chars message) • Mention • Timeline • Lists • Follow • Direct Message • Favorite • Search and Discover • Trending topics • Twitter Cards • Retweet • Twitter buttons • Hashtag 221
222. Twitter Features (annotated screenshot: Interactions, Following & Followers, Personalized Content, Profile, Direct Message, Go to Settings, Post a tweet, Search, Suggestions, Home Timeline, Trends)
223. Twitter Tweet? (annotated tweet: Twitter account, Text, Hyperlink, Mention, Hashtag, Tweet to reply, Copy/paste to your followers, Mark as favorite)
  224. 224. Twitter Concerns • Sustainability • Competitors • Facebook • Google • Whatsapp? • … 224
  225. 225. Twitter References • www.twitter.com • dev.twitter.com 225
  226. 226. Twitter Platform
227. Twitter Platform?
• A real-time messaging infrastructure
  • Develop applications on top of Twitter APIs
  • Access data in Twitter
• For:
  • External websites
  • Devices and Mobile apps
228. Twitter Platform APIs
• Current release: 1.1
• REST API
  • Poll-based system - pseudo real-time
• Streaming API
  • Long-lived real-time connections
• Authentication: mostly oAuth 1.0
• JSON
  229. 229. Twitter Platform Objects Metadata and contextual information (extracted hashtags, urls, media, mentions, …) 229
230. Twitter Platform Objects Tweets
• https://dev.twitter.com/docs/platform-objects/tweets
{
  "created_at": "Sun Dec 15 12:13:22 +0000 2013",
  "id": 412193666464489472,
  "id_str": "412193666464489472",
  "text": "The old adage that \"People are hired for their talents and fired for their behavior\" is true. http://t.co/evY73iGtyI",
  "source": "<a href=\"http://www.socialflow.com\" rel=\"nofollow\">SocialFlow</a>",
  "truncated": false,
  "in_reply_to_status_id": null,
  "in_reply_to_status_id_str": null,
  "in_reply_to_user_id": null,
  "in_reply_to_user_id_str": null,
  "in_reply_to_screen_name": null,
  "user": { … },
  "geo": null,
  "coordinates": null,
  "place": null,
  "contributors": null,
  "retweet_count": 40,
  "favorite_count": 30,
  "entities": { … },
  "favorited": false,
  "retweeted": false,
  "possibly_sensitive": false,
  "lang": "en"
}
Notes:
• Beware of the accuracy of id (ex: in Javascript). Prefer id_str if they are different.
• user contains the user’s details. See User object.
• place is the location. See Place object.
• entities contains the metadata of this tweet such as hashtags, urls, … See Entities object.
231. Twitter Platform Objects Users
• https://dev.twitter.com/docs/platform-objects/users
"user": {
  "id": 13348,
  "id_str": "13348",
  "name": "Robert Scoble",
  "screen_name": "Scobleizer",
  "location": "Half Moon Bay, California, USA",
  "description": "@Rackspace's Startup Liaison Officer, who grew up in Silicon Valley, brings you technology news, videos, and opinions.",
  "url": "http://t.co/EIFG1Db6U8",
  "entities": { … },
  "protected": false,
  "followers_count": 371652,
  "friends_count": 40759,
  "listed_count": 23418,
  "created_at": "Mon Nov 20 23:43:44 +0000 2006",
  "favourites_count": 56779,
  "utc_offset": -28800,
  "time_zone": "Pacific Time (US & Canada)",
  "geo_enabled": true,
  "verified": true,
  "statuses_count": 65327,
  "lang": "en",
  …
},
entities: metadata extracted from the user’s description. See Entities object.
232. Twitter Platform Objects Entities
• https://dev.twitter.com/docs/platform-objects/entities
"entities": {
  "hashtags": [],
  "symbols": [],
  "urls": [
    {
      "url": "http://t.co/h6IsNNn3n7",
      "expanded_url": "http://j.mp/1ctMGrZ",
      "display_url": "j.mp/1ctMGrZ",
      "indices": [103,125]
    }
  ],
  "user_mentions": [
    { "screen_name": "FastCoLabs", "name": "FastCoLabs", "id": 1114932710, "id_str": "1114932710", "indices": [3,14] },
    { "screen_name": "johnpaul", "name": "John Paul Titlow", "id": 3144021, "id_str": "3144021", "indices": [129,138] }
  ]
}
indices: indexes in the text of the string associated to this URL or mention.
233. Twitter Platform Objects Places
• https://dev.twitter.com/docs/platform-objects/places
"place": {
  "attributes": {},
  "bounding_box": {
    "coordinates": [[ [-77.119759,38.791645], [-76.909393,38.791645], [-76.909393,38.995548], [-77.119759,38.995548] ]],
    "type": "Polygon"
  },
  "country": "United States",
  "country_code": "US",
  "full_name": "Washington, DC",
  "id": "01fbe706f872cb32",
  "name": "Washington",
  "place_type": "city",
  "url": "http://api.twitter.com/1/geo/id/01fbe706f872cb32.json"
}
  234. 234. Twitter Platform Terms & Conditions • It’s free! • Twitter has the right to blacklist your application • Twitter has rate limits • Twitter has the right to change the rights • …it’s free! 234
235. Facebook Platform API Limitations
• API is very open… but also rate-limited.
• See https://dev.twitter.com/docs/rate-limiting/1.1 for global policy.
  • Caching, prioritize active users, fair use, streaming api, …
• Each API function has documented rate-limits
  • https://dev.twitter.com/docs/rate-limiting/1.1/limits
  • Depending on the authentication (user or app)
  236. 236. Twitter Platform Creating and Configuring an Application
237. Twitter Platform Creating and configuring an application
Callback URL: used during the oauth callback for the access token.
  238. 238. Twitter Platform Creating and configuring an application Consumer Key and Consumer Secret. Never reveal Consumer Secret ! 238
  239. 239. Twitter Platform Creating and configuring an application Permissions 239
  240. 240. Facebook Graph API Practical Work • Create a Twitter account • Create your own Twitter application • Full access • Define oauth_callback url to whatever is supposed to be your server (we won’t develop our server in this training) 240
241. Twitter Authentication & Authorization
242. Twitter Authentication & Authorization
  • OAuth 1.0 - access token used in request signatures
  • Application-user authentication
    • to read/write on behalf of a Twitter user
    • OAuth 1.0a - requests are signed
  • Application-only authentication
    • to read/write on behalf of a Twitter application
    • OAuth 2 (client credentials grant)
  • Tokens do not expire
    • Except when the user revokes your application or Twitter suspends your application
243. Twitter Authentication & Authorization: Application-user Authentication
244. Twitter Authentication & Authorization: Application-user Authentication: How to sign
  • How to sign user-level requests?
    • Make the HTTP verb uppercase
    • Percent-encode the URL and every query parameter, including oauth_*
      • See https://dev.twitter.com/docs/auth/percent-encoding-parameters
    • Sort this list alphabetically by encoded key+value and concatenate (the resulting parameter string is itself percent-encoded once more, which is why the next slide shows %3D and %26 between parameters)
      payload = "{uppercase http verb}&{encoded url}&{encoded key}={encoded value}&{encoded key}={encoded value}&…"
    • Compute the signature:
      • key = {consumer_secret}&{oauth_token_secret}
      • HMAC-SHA1(key, payload)
245. Twitter Authentication & Authorization: Application-user Authentication: Payload to sign
  POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&include_entities%3Dtrue%26oauth_consumer_key%3Dxvz1evFS4wEEPTGEFPHBog%26oauth_nonce%3DkYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1318622958%26oauth_token%3D370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb%26oauth_version%3D1.0%26status%3DHello%2520Ladies%2520%252B%2520Gentlemen%252C%2520a%2520signed%2520OAuth%2520request%2521
  This is an example of a payload to sign
246. Twitter Authentication & Authorization: Application-user Authentication: Signature example
  POST /1/statuses/update.json?include_entities=true HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Authorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog", oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg", oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1318622958", oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb", oauth_version="1.0"
  Content-Length: 76
  Host: api.twitter.com

  status=Hello%20Ladies%20%2b%20Gentlemen%2c%20a%20signed%20OAuth%20request%21
  After signature
247. Twitter Authentication & Authorization: Application-user Authentication: Authorization Header Details
  • The Authorization HTTP header contains:
    • oauth_consumer_key: API key, found in the Twitter application dashboard
    • oauth_nonce: random and unique for every request (anti-replay)
    • oauth_signature: cryptographic signature of the request
    • oauth_signature_method: currently HMAC-SHA1
    • oauth_timestamp: seconds since epoch
    • oauth_token: the user access token previously obtained
    • oauth_version: currently 1.0
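A worked implementation of the signing steps on slides 244 to 247, added here as an example rather than code from the slides or from Twitter: it rebuilds the exact base string of slide 245 from the public parameters printed there, then computes the HMAC-SHA1 signature and the Authorization header. The two secrets are constructed placeholders because the slides never reveal them, so the resulting signature differs from the one on slide 246; with the real consumer secret and token secret it would match. Function names and the placeholder secrets are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Added example (not from the slides): OAuth 1.0a HMAC-SHA1 request signing as the
# slides describe it. Public values below are the ones printed on the slides; the two
# secrets are constructed placeholders, since the slides never show them.


def pct(value) -> str:
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay bare (space -> %20, never +)."""
    return quote(str(value), safe="")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build '{VERB}&{encoded url}&{encoded sorted parameter string}'.

    params holds query, form-body and oauth_* parameters together, but never
    oauth_signature itself.
    """
    # encode every key and value, then sort by (encoded key, encoded value)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    # the parameter string is encoded once more as a whole, so the '=' and '&'
    # between parameters appear as %3D and %26 in the base string
    return "&".join([method.upper(), pct(url), pct(param_string)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Signing key is '{consumer_secret}&{token_secret}', each part percent-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(oauth_params: dict, signature: str) -> str:
    """Only oauth_* fields go into the header; query and body parameters stay where they are."""
    fields = dict(oauth_params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))


# Public parameters of the slides' worked example (POST /1/statuses/update.json)
OAUTH_PARAMS = {
    "oauth_consumer_key": "xvz1evFS4wEEPTGEFPHBog",
    "oauth_nonce": "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1318622958",
    "oauth_token": "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
    "oauth_version": "1.0",
}
REQUEST_PARAMS = {
    "include_entities": "true",                                      # query string
    "status": "Hello Ladies + Gentlemen, a signed OAuth request!",    # form body
}
URL = "https://api.twitter.com/1/statuses/update.json"

# Constructed placeholder secrets: the real ones are not on the slides and must never be shared.
CONSUMER_SECRET = "placeholder-consumer-secret"
TOKEN_SECRET = "placeholder-token-secret"


def sign_update_request(consumer_secret=CONSUMER_SECRET, token_secret=TOKEN_SECRET,
                        oauth_params=OAUTH_PARAMS):
    """Return (base string, signature, Authorization header value) for the slides' request."""
    base = signature_base_string("post", URL, {**REQUEST_PARAMS, **oauth_params})
    sig = hmac_sha1_signature(base, consumer_secret, token_secret)
    return base, sig, authorization_header(oauth_params, sig)


if __name__ == "__main__":
    base, sig, header = sign_update_request()
    print(base)
    print("Authorization:", header)
```

The base string returned by sign_update_request is character for character the one on slide 245; the nonce and timestamp are fixed here only to reproduce it, and a real client generates a fresh nonce per request so the server can reject replays.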
248. Twitter Authentication & Authorization: Application-user Authentication: Obtaining access token
  • To obtain a user access token
    • Get a request token
    • Interact with the user
    • Exchange the code for an access token from the server
  • Used to interact on behalf of a user
249. Twitter Authentication & Authorization: Application-user Authentication: Step 1 - Get a request token
  POST https://api.twitter.com/oauth/request_token
  Content-Type: application/x-www-form-urlencoded
  Authorization: OAuth realm="https%3A%2F%2Fapi.twitter.com", oauth_consumer_key="LGYbJs9HKa7PgovBM92uQ", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1386164583", oauth_nonce="8MWKpm", oauth_version="1.0", oauth_signature="jsrz82u61LrG0QeaRNDx0emXyLY%3D"

  oauth_callback=http%3A%2F%2Ffabrice.delhoste.com
  (URL-encoded; must be defined in the Dashboard Settings)
  WARNING: In Postman OAuth 1.0, token and token secret must remain empty for now.

  Response:
  oauth_token=yWaXUQ8jxdlw7nAGbfdWFiUeJK9qeTD2dDhvJVWGc
  &oauth_token_secret=Lbx2VlADy9wZfhOyzKa4ukeSXSRUEcXoyvGAZOAwSg
  &oauth_callback_confirmed=true
  oauth_token: here’s the request token to use for steps 2 & 3
  oauth_token_secret: used in the signature computation for step 3
250. Twitter Authentication & Authorization: Application-user Authentication: Step 2 - User interaction
  In browser (GET):
  https://api.twitter.com/oauth/authenticate?oauth_token=yWaXUQ8jxdlw7nAGbfdWFiUeJK9qeTD2dDhvJVWGc
  (oauth_token = the request token from step 1)
  "authorize" might be used if you want the user to confirm every time. If not, "authenticate" can be used, but only if enabled in the dashboard.
  Redirected to:
  http://fabrice.delhoste.com/?oauth_token=yWaXUQ8jxdlw7nAGbfdWFiUeJK9qeTD2dDhvJVWGc&oauth_verifier=Gmm1McgeK19qlP2zneLb2akKpgP9t2n0oc8GuWq3cZ8
  oauth_verifier is used to assess that the user has taken part in the application approval process
251. Twitter Authentication & Authorization: Application-user Authentication: Step 3 - Exchange the request token for an access token
  POST https://api.twitter.com/oauth/access_token
  Authorization: OAuth realm="https%3A%2F%2Fapi.twitter.com", oauth_consumer_key="LGYbJs9HKa7PgovBM92uQ", oauth_token="yWaXUQ8jxdlw7nAGbfdWFiUeJK9qeTD2dDhvJVWGc", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1386287051", oauth_nonce="ZWTbrv", oauth_version="1.0", oauth_signature="2Um29j9BNg94FmkKimtj3ZVMbxg%3D"

  oauth_verifier: Gmm1McgeK19qlP2zneLb2akKpgP9t2n0oc8GuWq3cZ8
  WARNING: now, in Postman OAuth 1.0, the token must be set for the signature.

  Response:
  oauth_token=18229030-6lOPdgeL0rqluEeajCVOyMLoU2i0I4d8HfvOJBguA
  &oauth_token_secret=F1C3DUHjMii8Z6VWPl5BqaMrEGvRcislkQzBKB446zAM7
  &user_id=18229030
  &screen_name=spifd
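The client-side bookkeeping for the three steps above, added as an example (not the slides' code and not Twitter's): it parses the responses printed on slides 249 to 251, checks that the callback redirect carries the same request token the client started with before accepting the oauth_verifier, and builds the extra parameters for step 3. Request signing is left out (it is the HMAC-SHA1 procedure of slide 244) and the HTTP calls are represented by the response bodies printed on the slides; the class and function names and the AUTHENTICATE_URL/CALLBACK_URL constants are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Added example (not from the slides): three-legged OAuth 1.0a flow bookkeeping on the
# client side. Token values are the ones printed on the slides; signing and the actual
# HTTP calls are omitted, so each step takes the response body as input.

AUTHENTICATE_URL = "https://api.twitter.com/oauth/authenticate"
CALLBACK_URL = "http://fabrice.delhoste.com"   # must match the URL registered in the dashboard


def parse_form_response(body: str) -> dict:
    """Steps 1 and 3 answer with application/x-www-form-urlencoded bodies."""
    return dict(parse_qsl(body, strict_parsing=True))


class ThreeLeggedFlow:
    def __init__(self):
        self.request_token = None
        self.request_token_secret = None

    def step1_store_request_token(self, body: str) -> None:
        fields = parse_form_response(body)
        # The server must confirm it accepted our oauth_callback; otherwise do not continue.
        if fields.get("oauth_callback_confirmed") != "true":
            raise ValueError("oauth_callback not confirmed by server")
        self.request_token = fields["oauth_token"]
        self.request_token_secret = fields["oauth_token_secret"]   # signs step 3 only

    def step2_authorize_url(self) -> str:
        """Where to send the user's browser (GET)."""
        return f"{AUTHENTICATE_URL}?{urlencode({'oauth_token': self.request_token})}"

    def step2_validate_callback(self, redirected_url: str) -> str:
        """Accept the redirect only if it belongs to the flow we started; return oauth_verifier."""
        query = dict(parse_qsl(urlsplit(redirected_url).query))
        if query.get("oauth_token") != self.request_token:
            # a verifier issued for some other request token is not ours to redeem
            raise ValueError("oauth_token in callback does not match our request token")
        verifier = query.get("oauth_verifier")
        if not verifier:
            raise ValueError("missing oauth_verifier")
        return verifier

    def step3_params(self, verifier: str) -> dict:
        """Fields added to POST /oauth/access_token (signed with request_token_secret)."""
        return {"oauth_token": self.request_token, "oauth_verifier": verifier}

    def step3_store_access_token(self, body: str) -> dict:
        fields = parse_form_response(body)
        # the request token is single-use: forget it once the access token pair arrives
        self.request_token = self.request_token_secret = None
        return {k: fields[k] for k in ("oauth_token", "oauth_token_secret", "user_id", "screen_name")}


def accepts_callback(flow: ThreeLeggedFlow, redirected_url: str) -> bool:
    """True if the flow would redeem this redirect, False if it rejects it."""
    try:
        flow.step2_validate_callback(redirected_url)
        return True
    except ValueError:
        return False


# Responses as printed on the slides (step 1 body, step 2 redirect, step 3 body)
STEP1_BODY = ("oauth_token=yWaXUQ8jxdlw7nAGbfdWFiUeJK9qeTD2dDhvJVWGc"
              "&oauth_token_secret=Lbx2VlADy9wZfhOyzKa4ukeSXSRUEcXoyvGAZOAwSg"
              "&oauth_callback_confirmed=true")
STEP2_REDIRECT = (CALLBACK_URL + "/?oauth_token=yWaXUQ8jxdlw7nAGbfdWFiUeJK9qeTD2dDhvJVWGc"
                  "&oauth_verifier=Gmm1McgeK19qlP2zneLb2akKpgP9t2n0oc8GuWq3cZ8")
STEP3_BODY = ("oauth_token=18229030-6lOPdgeL0rqluEeajCVOyMLoU2i0I4d8HfvOJBguA"
              "&oauth_token_secret=F1C3DUHjMii8Z6VWPl5BqaMrEGvRcislkQzBKB446zAM7"
              "&user_id=18229030&screen_name=spifd")


def run_flow(step1_body=STEP1_BODY, redirect=STEP2_REDIRECT, step3_body=STEP3_BODY) -> dict:
    """Drive the three steps with the given response bodies and return the user credentials."""
    flow = ThreeLeggedFlow()
    flow.step1_store_request_token(step1_body)
    verifier = flow.step2_validate_callback(redirect)
    flow.step3_params(verifier)            # would be merged into the signed step 3 request
    return flow.step3_store_access_token(step3_body)
```

Keeping the request token per browser session and comparing it against the one in the redirect is what ties step 2 back to step 1; without that comparison any redirect carrying a valid-looking verifier would be redeemed.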
252. Twitter Authentication & Authorization: Application-only Authentication
253. Twitter Authentication & Authorization: Application-only Authentication: How to sign
  • How to sign application-level requests?
    • Use the Authorization HTTP header with the bearer token:
    • Ex: Authorization: Bearer AAAAAA…
254. Twitter Authentication & Authorization: Application-only Authentication: Obtaining access token
  • To obtain an application-only access token (bearer token):
    • POST to /oauth2/token with HTTP Basic authentication, using the consumer key as login and the consumer secret as password
  • Used to interact on behalf of an application
    • Ex: search tweets
255. Twitter API - Authentication & Authorization: Application-only Authentication: Obtaining an Application Access Token
  POST https://api.twitter.com/oauth2/token
  Authorization: Basic eHZ6MWV2RlM0d0VFUFRHRUZQSEJvZzpMOHFxOVBaeVJnNmllS0dFS2hab2xHQzB2SldMdzhpRUo4OERSZHlPZw==
  Content-Type: application/x-www-form-urlencoded;charset=UTF-8

  grant_type=client_credentials

  The Basic credential is Base64( urlencode({consumerKey}) + ":" + urlencode({consumerSecret}) )
  Ex: base64(xvz1evFS4wEEPTGEFPHBog:L8qq9PZyRg6ieKGEKhZolGC0vJWLw8iEJ88DRdyOg)
  In Postman, simply use HTTP Basic authentication, filling login and password accordingly.
  Response:
  {"access_token":"AAAAAAAAAAAA…", "token_type":"bearer"}
256. Twitter API - Authentication & Authorization: Application-only Authentication: Revoking an Application Access Token
  POST https://api.twitter.com/oauth2/invalidate_token
  Authorization: Basic eHZ6MWV2RlM0d0VFUFRHRUZQSEJvZzpMOHFxOVBaeVJnNmllS0dFS2hab2xHQzB2SldMdzhpRUo4OERSZHlPZw==
  Content-Type: application/x-www-form-urlencoded;charset=UTF-8

  access_token=AAAAAAAAAAAA…
  (the bearer token to invalidate; warning: Postman URL-encodes)
  Response:
  { "access_token": "AAAAAAAAAAAAA…" }
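The Basic credential and bearer-token handling from slides 255 and 256, added as an example (not code from the slides or from Twitter): basic_credentials reproduces the Base64 value printed on slide 255 from the consumer key and secret printed there, and the request builders return headers and bodies without performing the network call. The function names are assumptions.

```python
import base64
import json
from urllib.parse import quote

# Added example (not from the slides): building and checking the application-only
# (OAuth 2 client credentials) exchange. Consumer key and secret are the ones printed
# on slide 255; no network call is made.

TOKEN_URL = "https://api.twitter.com/oauth2/token"
INVALIDATE_URL = "https://api.twitter.com/oauth2/invalidate_token"
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded;charset=UTF-8"


def basic_credentials(consumer_key: str, consumer_secret: str) -> str:
    """Base64( urlencode(key) + ':' + urlencode(secret) ): the value after 'Basic '."""
    raw = f"{quote(consumer_key, safe='')}:{quote(consumer_secret, safe='')}"
    return base64.b64encode(raw.encode("ascii")).decode("ascii")


def token_request(consumer_key: str, consumer_secret: str) -> dict:
    """URL, headers and body of POST /oauth2/token."""
    return {
        "url": TOKEN_URL,
        "headers": {
            "Authorization": "Basic " + basic_credentials(consumer_key, consumer_secret),
            "Content-Type": FORM_CONTENT_TYPE,
        },
        "body": "grant_type=client_credentials",
    }


def bearer_header_from_response(body: str) -> str:
    """Turn {"access_token": ..., "token_type": "bearer"} into the header value for app-only calls."""
    data = json.loads(body)
    if data.get("token_type") != "bearer":
        raise ValueError("unexpected token_type: " + repr(data.get("token_type")))
    return "Bearer " + data["access_token"]


def invalidate_request(consumer_key: str, consumer_secret: str, bearer_token: str) -> dict:
    """POST /oauth2/invalidate_token: Basic auth again, with the bearer token in the body."""
    return {
        "url": INVALIDATE_URL,
        "headers": {
            "Authorization": "Basic " + basic_credentials(consumer_key, consumer_secret),
            "Content-Type": FORM_CONTENT_TYPE,
        },
        "body": "access_token=" + bearer_token,
    }


# Values printed on slide 255
CONSUMER_KEY = "xvz1evFS4wEEPTGEFPHBog"
CONSUMER_SECRET = "L8qq9PZyRg6ieKGEKhZolGC0vJWLw8iEJ88DRdyOg"

if __name__ == "__main__":
    req = token_request(CONSUMER_KEY, CONSUMER_SECRET)
    print(req["headers"]["Authorization"])
    # constructed response body, in the shape slide 255 shows
    print(bearer_header_from_response('{"access_token":"AAAAAAAAAAAA","token_type":"bearer"}'))
```

Because the consumer secret sits inside the Basic header, this exchange belongs on a server the application controls; the resulting bearer token carries only application-level permissions, which is why the slides use it for searches rather than for acting as a user.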
257. Twitter API Console by Apigee: Explore the Twitter API easily
258. Twitter API Console
  • https://dev.twitter.com/console (provided by Apigee)
259. Twitter Authentication & Authorization Practical Work
  • In Postman and your browser, build a "Twitter Auth" collection of HTTP requests to:
    • Get an Application-user access token
    • Get an Application-only access token
    • Invalidate an Application-only access token
260. Twitter REST API
261. Twitter REST API?
  • https://api.twitter.com/
  • Current release: 1.1
  • Get data in and out of Twitter.
    • Read, Publish, Delete, Search
  • Authentication: OAuth 1.0
  Note: in the next slides, OAuth 1.0 signatures are omitted to ease readability
262. Twitter REST API
  • Resource-oriented
    • Every object has a unique identifier
    • All data returned as JSON (or XML)
    • Resources: https://api.twitter.com/1.1/{...}
263. Twitter REST API Resources
  Timelines, Tweets, Search, Streaming, Direct Messages, Friends & Followers, Saved Searches, Users, Places & Geo, Suggested Users, Favorites, Lists, OAuth, Help, Trends, Spam Reporting
264. Twitter REST API Reading
  • GET
  • Permissions applied (access token)
  • Response: JSON
  • Timelines
    • User timeline
    • Home timeline
    • Retweets and Mentions
  • Tweets, Retweets, Retweeters, Direct Messages, Friends & Followers, Suggested Users, Favorites, Lists, … mostly everything you dream of.
265. Twitter REST API Home Timeline
  https://api.twitter.com/1.1/statuses/home_timeline.json
  [
    {
      "created_at": "Sun Dec 15 10:11:57 +0000 2013",
      "id": 412163108439072800,
      "id_str": "412163108439072768",
      "text": "Goodbye Car Lanes: Madrid Wants To Take Back Streets For Pedestrians http://t.co/8b1iwNqYRS",
      "source": "<a href=\"http://www.socialflow.com\" rel=\"nofollow\">SocialFlow</a>",
      "truncated": false,
      "in_reply_to_status_id": null,
      "in_reply_to_status_id_str": null,
      "in_reply_to_user_id": null,
      "in_reply_to_user_id_str": null,
      "in_reply_to_screen_name": null,
      "user": {
        "id": 2735591,
        "id_str": "2735591",
        "name": "Fast Company",
        "screen_name": "FastCompany",
        "location": "New York, NY",
        "description": "Official Twitter feed for the Fast Company business media brand; inspiring readers to think beyond traditional boundaries & create the future of business.",
        "url": "http://t.co/LVE88WcJTX",
        "entities": { … },
        …
266. Twitter REST API Pagination
  • count: maximum number of tweets to get (up to count)
  • max_id and since_id parameters
    • max_id: tweets lower than or equal to this id
    • since_id: new tweets since this id (greater than this id)
267. Twitter REST API Pagination with max_id
  • max_id: tweets lower than or equal to this id
  Problem: page consistency. Typical offset-based cursor problem: 2 new tweets arrive and my page shifts.
  Solution: use max_id. max_id brings consistency whatever happens in the meantime.
268. Twitter REST API Pagination with since_id
  • since_id: tweets greater than this id
  Best: combine since_id and max_id. Imagine I have already processed tweets 9 and 10: I don’t want them again!
  Consistent paging
269. Twitter REST API Example
  https://api.twitter.com/1.1/statuses/home_timeline.json?count=5
  Get the 5 latest tweets
  Last tweet from the result:
  [
    …
    {
      "created_at": "Sun Dec 15 12:22:45 +0000 2013",
      "id": 412196025378820096,
      "id_str": "412196025378820096",
      "text": ".@Jeff Clavier #Kimaday presentation\nThings startups need to know if they want to raise capital from Silicon Valley: http://t.co/xZVZW6wdP6",
      "source": "<a href=\"http://bitly.com\" rel=\"nofollow\">bitly</a>",
      "truncated": false,
      "in_reply_to_status_id": null,
      …
    }
  ]
270. Twitter REST API Example
  https://api.twitter.com/1.1/statuses/home_timeline.json?max_id=412196025378820095&count=5
  max_id = id - 1 of the last tweet
  [
    {
      "created_at": "Sun Dec 15 12:13:22 +0000 2013",
      "id": 412193666464489472,
      "id_str": "412193666464489472",
      "text": "The old adage that \"People are hired for their talents and fired for their behavior\" is true. http://t.co/evY73iGtyI",
      "source": "<a href=\"http://www.socialflow.com\" rel=\"nofollow\">SocialFlow</a>",
      "truncated": false,
      "in_reply_to_status_id": null,
      "in_reply_to_status_id_str": null,
      "in_reply_to_user_id": null,
      "in_reply_to_user_id_str": null,
      "in_reply_to_screen_name": null,
      "user": {
        "id": 2735591,
        "id_str": "2735591",
        "name": "Fast Company",
        "screen_name": "FastCompany",
        "location": "New York, NY",
        …
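A simulation of the paging rules on slides 266 to 270, added as an example that is not part of the slides: FakeTimeline is a constructed timeline whose fetch applies the max_id / since_id / count semantics described above, and the two walkers show why paging with max_id = (lowest id of the previous page) - 1 stays consistent when new tweets arrive mid-way, while offset paging repeats tweets. The class and function names are mine.

```python
# Added example (not from the slides): a constructed timeline that answers queries the
# way the slides describe them (newest first; max_id keeps ids <= max_id; since_id keeps
# ids > since_id; count caps the page), used to compare paging strategies.


class FakeTimeline:
    def __init__(self, ids):
        self.ids = sorted(ids, reverse=True)   # newest (largest id) first

    def fetch(self, count, max_id=None, since_id=None):
        page = [i for i in self.ids
                if (max_id is None or i <= max_id) and (since_id is None or i > since_id)]
        return page[:count]

    def new_tweet(self, tweet_id):
        """A tweet arriving while a client is still paging."""
        self.ids.append(tweet_id)
        self.ids.sort(reverse=True)


def page_with_max_id(timeline, count, since_id=None, on_first_page=None):
    """Walk backwards with max_id = (lowest id seen) - 1, as slide 270 does."""
    seen, max_id = [], None
    while True:
        page = timeline.fetch(count, max_id=max_id, since_id=since_id)
        if not page:
            return seen
        seen.extend(page)
        if on_first_page and max_id is None:
            on_first_page()            # simulate tweets arriving after the first page
        max_id = page[-1] - 1          # ids are unique, so nothing is skipped or repeated


def page_with_offset(timeline, count, on_first_page=None):
    """Offset-based paging for contrast: every new tweet shifts all later pages."""
    seen, offset = [], 0
    while True:
        page = timeline.ids[offset:offset + count]
        if not page:
            return seen
        seen.extend(page)
        if on_first_page and offset == 0:
            on_first_page()
        offset += count


def two_tweets_arrive(timeline):
    """The slide's scenario: 2 new tweets arrive in the meantime (constructed ids)."""
    return lambda: (timeline.new_tweet(11), timeline.new_tweet(12))


if __name__ == "__main__":
    tl = FakeTimeline(range(1, 11))           # constructed ids 1..10
    print("max_id :", page_with_max_id(tl, 5, on_first_page=two_tweets_arrive(tl)))
    tl = FakeTimeline(range(1, 11))
    print("offset :", page_with_offset(tl, 5, on_first_page=two_tweets_arrive(tl)))
    tl = FakeTimeline(range(1, 13))
    print("since 10:", page_with_max_id(tl, 5, since_id=10))
```

The since_id run at the end is the slide 268 case: tweets 9 and 10 were already processed, so only the newer ids come back, still walked with max_id so a burst larger than count cannot cause a gap.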
271. Twitter REST API Publishing
  • POST with a specific URL path
  • Access token required, with permissions.
272. Twitter REST API Tweet
  POST https://api.twitter.com/1.1/statuses/update.json
  Content-Type: application/x-www-form-urlencoded

  status=Hello http://www.yahoo.fr
  (body: must be URL-encoded)
  Returns the newly created tweet (note the automatic URL shortener in "text"):
  {
    "created_at": "Sun Dec 15 21:41:34 +0000 2013",
    "id": 412336655019028480,
    "id_str": "412336655019028480",
    "text": "Hello http://t.co/YZjB4ccR4b",
    "source": "<a href=\"http://www.changeitlater.com\" rel=\"nofollow\">Training-API</a>",
    "truncated": false,
    "in_reply_to_status_id": null,
    "in_reply_to_status_id_str": null,
    "in_reply_to_user_id": null,
    "in_reply_to_user_id_str": null,
    "in_reply_to_screen_name": null,
    "user": { … }
  }
273. Twitter REST API Deleting
  • POST with a specific URL path
    • Not DELETE
    • Not a query parameter
  • Access token required, with permissions.
274. Twitter REST API Delete a tweet
  POST https://api.twitter.com/1.1/statuses/destroy/412342464415301632.json
  {
    "geo": null,
    "in_reply_to_user_id_str": null,
    "user": {
      "is_translator": false,
      "contributors_enabled": false,
      "profile_background_tile": false,
      "name": "TestSpi",
      "listed_count": 0,
      "lang": "en",
      "profile_sidebar_fill_color": "DDEEF6",
      "statuses_count": 5,
      …
275. Twitter REST API Searching
  • Search for tweets
    • Fine-grained search based on location, language, …
  • Search for users
    • Pagination with page & count parameters
  • Search for places
  • Save search
  • Trends
276. Twitter REST API Searching tweets
  GET https://api.twitter.com/1.1/search/tweets.json?q=iphone
  {
    "statuses": [
      {
        "metadata": { "result_type": "recent", "iso_language_code": "ru" },
        "created_at": "Tue Dec 17 16:31:16 +0000 2013",
        "id": 412983343559745536,
        "id_str": "412983343559745536",
        "text": "Допрос iPhone 5s: плюсы и минусы нового смартфона",
        "source": "<a href=\"http://c-ya.org/\" rel=\"nofollow\">TwitApplet</a>",
        "truncated": false,
        …
277. Twitter REST API Searching users
  https://api.twitter.com/1.1/users/search.json?q=lady&count=2
  Pagination with count and page parameters (see doc)
  [
    {
      "id": 14230524,
      "id_str": "14230524",
      "name": "Lady Gaga",
      "screen_name": "ladygaga",
      "location": "real life gypsy",
      "description": "A pop star from the 70's trapped in 2013. \r\n\r\n'You are a legend. Make a sculpture of you. Self-invention matters. You are the artist of your own life.' -#ARTPOP",
      "url": null,
      "entities": { "description": { "urls": [] } },
      …
278. Twitter REST API Practical Work
  • Create a "Twitter API" collection where you create HTTP requests to:
    • Get your Twitter timeline
    • Get the 20 latest tweets from your timeline
    • Get the next 10 tweets
    • Get your timeline, reducing the payload to just the tweets
    • Post a tweet
    • Delete a tweet
279. Twitter REST API Practical Work
  • Favorite a tweet
  • Search tweets on behalf of an application
  • Search tweets on behalf of a user
280. Twitter Streaming API
281. Twitter Streaming API
  • https://dev.twitter.com/docs/streaming-apis
  • Receives realtime push data
  • Long-lived HTTP request
    • Never-ending request
    • Parse the response incrementally
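How a client parses a never-ending response incrementally, added as an example (not the slides' code and not the hbc client used later in the practical work): it assumes the stream is newline-delimited JSON, one object per "\r\n"-terminated line with blank lines as keep-alives, and that the HTTP client hands over chunks at arbitrary boundaries. The sample chunks are constructed, and the message kinds in classify are the ones a consumer would separate from tweets.

```python
import json

# Added example (not from the slides): incremental parsing of a long-lived streaming
# body. Assumes "\r\n"-delimited JSON messages with blank keep-alive lines; chunk
# boundaries may fall anywhere, even inside a multi-byte UTF-8 character.


def stream_messages(chunks):
    """Yield one parsed JSON object per complete delimited line, across chunk boundaries."""
    buffer = b""
    for chunk in chunks:
        buffer += chunk
        while True:
            line, sep, rest = buffer.partition(b"\r\n")
            if not sep:
                break                  # no complete line yet: wait for more bytes
            buffer = rest
            if not line.strip():
                continue               # keep-alive blank line, nothing to parse
            yield json.loads(line.decode("utf-8"))
    # bytes left without a delimiter belong to an incomplete or truncated message


def classify(message):
    """Separate tweets from control messages so a consumer does not treat them as tweets."""
    if "text" in message and "user" in message:
        return "tweet"
    if "delete" in message:
        return "delete"
    if "limit" in message:
        return "limit"
    return "other"


# Constructed sample stream, deliberately split mid-message and mid-character
SAMPLE_CHUNKS = [
    b'{"id": 1, "text": "first tweet", "user": {"screen_name": "alice"}}\r\n',
    b'\r\n',                                                   # keep-alive
    b'{"id": 2, "text": "caf',
    b'\xc3',                                                   # first byte of the two-byte "e acute"
    b'\xa9", "user": {"screen_name": "bob"}}\r\n{"delete": {"status": {"id": 1}}}\r\n',
    b'{"limit": {"track": 5}}\r\n{"id": 3, "text": "trunc',   # no delimiter: incomplete
]


def summarize(chunks=SAMPLE_CHUNKS):
    """Return (message kinds in order, texts of the tweets) for a chunked stream."""
    messages = list(stream_messages(chunks))
    kinds = [classify(m) for m in messages]
    texts = [m["text"] for m, k in zip(messages, kinds) if k == "tweet"]
    return kinds, texts


if __name__ == "__main__":
    print(summarize())
```

Buffering on the raw bytes and decoding only whole lines is what makes the split multi-byte character harmless; decoding each chunk separately would fail on the lone 0xC3 byte.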
282. Twitter Streaming API Streams
  • Public Streams
    • Monitoring and collecting public data.
  • User Streams
    • Single user stream. Usually client-side.
  • Site Streams
    • Multiple user streams at once. Server-side.
283. Twitter Streaming API Public Streams
  • Subscribing to public data
    • Track keywords
    • Track public accounts
    • Track geolocated tweets
  • 1 single connection
284. Twitter Streaming API User Streams
  • Subscribing to realtime updates on behalf of a single authenticated user
    • The user himself/herself or the accounts followed
    • Track keywords
    • Track geolocated tweets
  • Limited to a few connections
    • Do not use server-side
    • That would require too many connections
285. Twitter Streaming API Site Streams
  • Subscribing to realtime updates for a large number of users
  • Restricted (whitelisting on request)
  • Limited beta
286. Twitter Streaming API Practical Work
  • Use NetBeans to create a simple Maven Java console application project
  • Use Twitter Hosebird Client (hbc) to connect to your user stream
    • https://github.com/twitter/hbc
    • Add as Maven dependency (pom.xml)
    • WARNING: this is rate-limited (error 420). Don’t connect too often until you’re sure about your code.
    • WARNING: the current hbc implementation does not handle HTTP proxies - fork and fix it in the ClientBuilder class
  • Use Apache HttpClient to cross-post your tweets to a Facebook test user as they are received
    • http://hc.apache.org/httpcomponents-client-4.3.x/quickstart.html
    • Add as Maven dependency (pom.xml)
    • Put a hard-coded access token
  • Open your browser to both the test user and Twitter to check
    • Follow temporarily someone active to generate tweets
287. Twitter Developer Tools
288. Twitter Support & Maintenance