API calls from the server require an appsecret_pro

Published 2020-03-01 07:34

Question:

I can't make API requests with the Android Facebook SDK, or even get the user from the login callback - it always returns null.

Particularly, with the newMeRequest, I get the following error message:

{
  "error": {
    "message": "API calls from the server require an appsecret_proof argument",
    "type": "GraphMethodException",
    "code": 100
  }
}

Actually, it seems pretty obvious, because the flag is set to true in the Facebook app options. However, I know it is possible, for the mobile SDKs, to make API requests without the secret. However, if I try to use the access token from the currentSession in the Facebook Graph API Debugger, the response will be the same as above.

I don't know if this is related to the new Android Facebook SDK, but my code is basically the same as in the examples. The login goes nicely and I get the session token but I can't make any API requests...

loginButton.setUserInfoChangedCallback(new LoginButton.UserInfoChangedCallback() {
    @Override
    public void onUserInfoFetched(GraphUser user) {
        graphUser = user;
    }
});


Request.newMeRequest(currentSession, new Request.GraphUserCallback() {
    @Override
    public void onCompleted(GraphUser user, Response response) {
        // user is null when the request fails; response.getError() carries the Graph error
    }
}).executeAsync();

Answer 1:

The only way that I was able to get it working was by setting the App Secret proof for API calls to No in the advanced settings of the Facebook app.

However, this is a fix, not a solution, since I wasn't able to do the request with the option set to Yes (as is possible in the iOS Facebook SDK).



Answer 2:

You need to add a parameter "appsecret_proof" to your request containing a 'sha256' hash of accessToken and appSecret

https://developers.facebook.com/docs/graph-api/securing-requests
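
Added example, not part of the answer above or of Facebook's SDK: the securing-requests documentation linked there defines appsecret_proof as the HMAC-SHA256 of the access token keyed with the app secret, hex-encoded. The Python code below computes it on a backend, where the app secret can stay out of the client; the function names and the sample token and secret are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

GRAPH_BASE = "https://graph.facebook.com"  # Graph API host


def appsecret_proof(access_token: str, app_secret: str) -> str:
    """HMAC-SHA256 over the access token, keyed with the app secret, as hex."""
    return hmac.new(
        app_secret.encode("utf-8"),      # key: the app secret (server-side only)
        access_token.encode("utf-8"),    # message: the user's access token
        hashlib.sha256,
    ).hexdigest()


def plain_sha256_concat(access_token: str, app_secret: str) -> str:
    """A plain hash of the two strings joined together.

    Shown only for contrast: this is NOT an HMAC and does not produce
    the value that appsecret_proof() returns.
    """
    return hashlib.sha256((access_token + app_secret).encode("utf-8")).hexdigest()


def signed_graph_url(path: str, access_token: str, app_secret: str, **params) -> str:
    """Build a Graph API URL that carries both the token and its proof."""
    query = dict(params)
    query["access_token"] = access_token
    query["appsecret_proof"] = appsecret_proof(access_token, app_secret)
    return f"{GRAPH_BASE}/{path.lstrip('/')}?{urlencode(query)}"


def proof_matches(access_token: str, app_secret: str, presented: str) -> bool:
    """Constant-time comparison of a presented proof with the expected one."""
    expected = appsecret_proof(access_token, app_secret).encode("ascii")
    return hmac.compare_digest(expected, presented.lower().encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    token = "constructed-user-access-token"
    secret = "constructed-app-secret"
    print(signed_graph_url("me", token, secret, fields="id,name"))
```

Because the proof is keyed with the app secret, the mobile client sends its access token to the backend and the backend makes the signed Graph call; the secret itself is never placed in the APK.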



Answer 3:

You need to disable Require App Secret in the Facebook app's advanced settings.



Answer 4:

While not an actual answer to your question (since it doesn't involve the Android SDK), it seems that, as of March 2018, there are still some issues regarding the appsecret_proof and calls from web page (JavaScript) and possibly mobile (not sure about that) clients.

Facebook bug report (February 2018) - issue reappeared

Facebook bug report (October 2016)

Facebook bug report (February 2015)

That is, for an application with Require App Secret enabled (App Dashboard > Settings > Advanced > Security > Require App Secret), it seems that one cannot perform API calls from JavaScript without passing the appsecret_proof - at the moment of writing (March 2018).

Quick "fix" - disable the flag. Depending on the requirements, one may also choose to have two Facebook applications: one for web page / mobile calls (flag disabled), and one for server-side calls (flag enabled).