Sep 30, 2011

Handle Facebook OAuth authentication with Python SDK

Facebook OAuth 2.0 phases

I took the occasion of leaving Facebook to write a Python program that tells my Facebook friends how to contact me after my farewell, and in doing so I learnt something new.
I would like to share with you how to manage the Facebook OAuth steps using the Python SDK, because I could not find a suitable, well-written example on the Internet.

Let’s take a look at my access.py file. I have stripped some details out of it for this post:

Let’s understand it. This class is responsible for handling the OAuth authentication phases for Facebook, and it is able to create and return an instance of facebook.GraphApi() that is ready to be used because the user has authenticated it. The class variables just hold the API keys, the URI that Facebook needs to know in order to display the secret code to the user, the secret code entered by the user after the permissions for the application have been granted, and the final access token.

The constructor __init__() tries to get already stored secret codes and access tokens from my tiny database. I am omitting the details on how I implemented the tiny database but you can see this by looking at the source code of FacebookGreeter.

The following is a picture summarizing Facebook OAuth 2 authentication steps. It is taken from the developers page.

Facebook OAuth 2.0 phases

The authorize() method is responsible for getting the user’s authorization to use the application and for obtaining the secret code that is later exchanged for access. It opens a web browser on /oauth/authorize, passing as parameters how to identify the application, the permissions requested from the user, and which callback URI Facebook must call in order to deliver the secret code that the user must then enter. The lines of code related to os are needed in order to redirect standard output because of this issue. The secret code is then returned by this method.

The access_token() method obtains the final access token from Facebook. As you can see, it calls the previous method if the secret code has not been gathered yet. A call to /oauth/access_token is performed with the same information plus the secret code provided by the user. Facebook then returns the long-awaited access token together with its expiration time. In this tiny program I do not take care of the expiration because I did not need it. You should.

Finally, the get_graph_api() method checks whether an access token is present and otherwise calls the previous method. You can appreciate the beauty of this reaction chain, which ensures the presence of the required data at each entry point. It returns an instance of facebook.GraphApi() that is authorized by the access token. This object is then used to query the Facebook Graph API (e.g., graph_api.get_object('/me/friends')['data']).
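The three-step reaction chain described above, as an added example that is not the code from the post or from FacebookGreeter. It also handles the token expiration the post leaves out: an expired token discards the stale (single-use) code and restarts from authorize(). The browser, the HTTP call and the clock are injected callables (hypothetical names prompt, fetch, now) so that the flow runs offline; the form-encoded access_token=...&expires=... reply is assumed, as it was in 2011.

```python
import time
from urllib.parse import urlencode, parse_qs

GRAPH = "https://graph.facebook.com"  # endpoint base used in the post


class FacebookAccess:
    """Reaction chain from the post: get_graph_api -> access_token -> authorize."""

    def __init__(self, app_id, app_secret, redirect_uri, prompt, fetch,
                 store=None, now=time.time):
        self.app_id, self.app_secret, self.redirect_uri = app_id, app_secret, redirect_uri
        self.prompt = prompt    # callable(url) -> code the user pasted (the post opens a browser)
        self.fetch = fetch      # callable(url) -> response body; injected so the flow runs offline
        self.store = {} if store is None else store  # stand-in for the author's tiny database
        self.now = now          # injectable clock so expiry can be tested deterministically

    def authorize(self, perms=("email",)):
        """Phase 1: send the user to /oauth/authorize and keep the returned code."""
        if "code" not in self.store:
            url = GRAPH + "/oauth/authorize?" + urlencode({
                "client_id": self.app_id, "redirect_uri": self.redirect_uri,
                "scope": ",".join(perms)})
            self.store["code"] = self.prompt(url)
        return self.store["code"]

    def access_token(self):
        """Phase 2: exchange the code at /oauth/access_token, honouring expiry."""
        token = self.store.get("access_token")
        if token:
            if self.store.get("expires_at", 0) > self.now():
                return token
            self.store.pop("code", None)  # token expired and codes are single-use: start over
        code = self.authorize()
        body = self.fetch(GRAPH + "/oauth/access_token?" + urlencode({
            "client_id": self.app_id, "client_secret": self.app_secret,
            "redirect_uri": self.redirect_uri, "code": code}))
        # Assumed form-encoded reply, as in 2011: access_token=...&expires=<seconds>
        fields = parse_qs(body)
        self.store["access_token"] = fields["access_token"][0]
        self.store["expires_at"] = self.now() + int(fields.get("expires", ["0"])[0])
        self.store.pop("code", None)  # the code has been consumed
        return self.store["access_token"]

    def get_graph_api(self, factory=None):
        """Phase 3: wrap the token in a client; the default is facebook-sdk's GraphAPI."""
        token = self.access_token()
        if factory is None:
            import facebook  # facebook-sdk, the library the post uses
            factory = lambda t: facebook.GraphAPI(access_token=t)
        return factory(token)
```

Keep app_secret out of the stored record and out of any logging of the request URL, since it travels in the query string of the /oauth/access_token call.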

I hope that this post clarifies how to log in and authorize a Python Facebook application using the OAuth 2.0 protocol.

written by dgraziotin

Dr. Daniel Graziotin received his PhD in computer science, software engineering at the Free University of Bozen-Bolzano, Italy. His research interests include human aspects in empirical software engineering with psychological measurements, Web engineering, and open science. He researches, publishes, and reviews for venues in software engineering, human-computer interaction, and psychology. Daniel is the founder of the psychoempirical software engineering discipline and guidelines. He is associate editor at the Journal of Open Research Software, academic editor at the Research Ideas and Outcomes (RIO) journal, and academic editor at the Open Communications in Computer Science journal. He is the local coordinator of the Italian Open science local group for the Open Knowledge Foundation. He is a member of ACM, SIGSOFT, and IEEE.

  • Joep1 Feb 24, 2015 Reply

    Does this method still work with the latest facebook-sdk?

    • dgraziotin Feb 25, 2015 Reply

      Hi. I honestly have no idea, as I have not been on Facebook since that time.
