I know that in the last update of Facebook API, there exists the possibility of provide a appsecret_proof that is the access token signed with the app_secret.
Now the problem is that, irregardless of the option that I set on my facebook app (enable\disable : Require AppSecret Proof for Server API calls) I always get:
Invalid appsecret_proof provided in the API argument
I discovered that last version of php-facebook-sdk always inserts between parameters appsecret_proof
...
if (isset($params['access_token'])) {
$params['appsecret_proof'] = $this->getAppSecretProof($params['access_token']);
}
...
protected function getAppSecretProof($access_token) {
return hash_hmac('sha256', $access_token, $this->getAppSecret());
}
...
If I disable the check on my app, and comment the line that inserts the parameter, everything works fine, otherwise I get the error.
Now, where am I wrong? I triple checked $access_token, $this->getAppSecret() and the doc, all seem correct. Any clues?
I was finally able to get rid of the error by just granting permissions to everything.
Put your mind to work from the easy to the complex solutions of a problem. In this specific case, what I would first do is double (triple) check my: App-ID, App-Secret, API-Version (all 3 provided in the App Dashboard) and Access token (Tools & Support > Graph API Explorer).
For me the missing part was the access token. Make sure that under Graph API Explorer, find the dropdown on the right and choose your registered application name, instead of the default value of "Graph API Explorer".
So after all your code should look like this (Graph v2.4):
$fb = new Facebook\Facebook([
'app_id' => $app_id,
'app_secret' => $app_secret,
'default_graph_version' => $api_version
]);