why do I get "Invalid appsecret_proof provided in the API argument"
There is a bug in the Facebook SDK. After 20 hours of trying everything to debug my own code (which had no issues!), I commented this out in base_facebook.php:
/* Commented out by SJ
if (isset($params['access_token'])) {
$params['appsecret_proof'] = $this->getAppSecretProof($params['access_token']);
}
*/
And all the problems went away!
The error is (based on my experience) almost certainly correct; it means you're proving an invalid appsecret_proof with your API call
Assuming you're using the standard PHP SDK without modifications, the most likely reasons for this are:
- You configured the wrong app ID in the SDK code
- You configured the wrong app secret in the SDK code
- You're trying to use an access token from the wrong / another app
Another potential cause of the "Invalid appsecret_proof ..." error, is a user access token that is not associated with an app. If you are generating a user access token using the graph explorer, make sure to select an app from the dropdown on the top right corner. Otherwise, you will be generating tokens that only work within the graph API explorer.
I filed a bug with the Python SDK before I caught my mistake. GUIs are the devil.
No bug in the latest version of the facebook PHP SDK. You need to create appsecret_proof as per the docs:
$appsecret_proof= hash_hmac('sha256', $access_token, $app_secret);
then pass it as a parameter to your api call.
See the docs here: https://developers.facebook.com/docs/graph-api/securing-requests/
Once I did this all was good and I didn't have to hack base_facebook.php