Friday, December 17, 2010

Facebook apps on App Engine without any third party API

12/17/2010 UPDATE

A lot of people found this blog posting because as we go through the authorization process, our users end up getting a "go to" logo presented to their users when they first give their users a link to click on to authorize. This is happening because you need to put a target="_top" in the link.  I kid you not, if the user clicks on a link in your welcome page and they get a "Go to" message before they can go to the authorization screen, it's because you need to set target=_top in the link.  

It was a frustrating week or two while I tried to integrate Facebook into the google app engine. My goal was to use App Engine as my back end and Facebook as my front end for my apps.  I wanted users to add my app to their Facebook profile and grab a non-expiring oauth token for that user so I could access their Facebook data even when they were not using my app.  

The most important thing to know about doing this today is that any of  the third party apis like FaceBook4J jars are all completely useless here. Facebook exposes everything about a user using the graph api that can be accessed using http requests and getting json data back.  Trying to use these with app engine and the Google web toolkit will end up having you run into problems with libraries not being supported on either the server side or gwt client.  You don't need em - understanding oauth and urlfetch on app engine is all you need.

This blog posting covers the process of loading up your app in a Facebook canvas, getting the OAUTH token for your user, and then interacting with the Facebook graph API to get JSON data back from facebook for your user. All without any third party apis, SDK or anything else. I'll take you all the way to getting the current user's email. 

The only major assumption i'm making on this posting is that you are someone who is developing Java App Engine programs in the same way as the Google Stock Watcher tutorial

So, you are familiar with the client / server namespaces and calling servlets from client interfaces to server side implementations. 

The first thing you need to do is set up a developer account and APP and on Facebook. Go to and set up a new application. You're going to need your app secret, api key and app ID.

Now, take the time to read over this manual (SERIOUSLY!) it explains the Facebook standards for the graph api

Then go to app engine and create your corresponding app engine app.

I'm going to assume you also have eclipse IDE with the app engine add on and are able to create a new web application project and deploy it. 

Just for fun, I made an app on Facebook called Lucid Bubble, it's a simple dream journaling program that lets you record your dreams, tag your friends who are in the dream and post to the news feed about it. Not an app i would use every day but there seemed to be a demand for it. It also used app engine's mail hander so you can email a dream using your phone at bedside and post that way. 

Here is a screen shot of the end result: A nice app running inside a facebook iframe and using GWT, Google Charts and Facebook graph api data. The url for this app is and it's being pulled from

Facebook App Settings:

Back on the Facebook app setting page. You can temporarily set the canvas URL to Later, you'll set that to your your deployed url on appspot.


I'm going to walk through the code that is first executed on the app engine entry point - OnModuleLoad() and the process of getting a code parameter, passing that code to the server side, doing oauth to get a user token and then requesting from facebook user data. I'm going to stop abruptly there because at that point you have everything you need to take to facebook from app engine.

When Facebook loads your app for the first time, it is the raw URL The first challenge is getting the code url parameter. 

Annoying Undocumented Facebook Behavior #1:

What is extremely annoying about this is that the Facebook docs tell you that to get the code you need to "Redirect the user to the authorization URL" but you can't redirect users in the iframe! If you do, you get an annoying and uninformative Facebook error page that says: "Go to" and when you click it, you actually go on to the authorization URL.  You also need to make sure you set the target=_top in your link

Ok, enough ranting, here is the client code: To break this down,  onModuleLoad() checks to see if the code is in the url parameter. If it is, we send the code to the server side for oauth processing (posted further down). If we do not have the code, we need to present the user with a welcome screen that has a link they can click on to go to add the app or authorize it. You can't just redirect the user to that url which would be nice.

private void loadWelcome()
//3: build a welcome page with a link to the authorise url
ContentPanel panel = PanelLibrary.VPanel();
viewport = new Viewport();
viewport.setLayout(new BorderLayout());
Anchor h = new Anchor();
h.setText("Click here to open your dream journal");
panel.add(h, new RowData(-1, -1, new Margins(5,10,0,0)));  

public void onModuleLoad() {

//1: do we have a code in the url?

final FaceBookServiceAsync facebookService = GWT.create(FaceBookService.class);
String  code = Location.getParameter("code");
if ( code == null)
//2: no, we need to bounce off the authorise url
//4: we must be back from the authorizes url, we have a code in the url - pass the code to the servlet:

facebookService.facebookLogin( code,Facebook.getClientId(), Facebook.getLoginRedirectURL(), Facebook.getSecret()  ,  new AsyncCallback(){
public void onFailure(Throwable caught) {
public void onSuccess(String email) {
private void loadLayout(String email) {
//5: all is well, load my app UI

LoadLayout is of course where your app starts to build the user interface, now that you have access to the users graph.

Here is the class I use for getting my api key, secrets and authorisation url, which is the first step to doing oauth.  Remember:  The redirect_URI must end with a /  and match the uri in your Facebook connect setting on the facebook app setting page. Also,

Annoying Undocumented Facebook Behavior #2

The redirect URI has a scope parameter that specifies what permisions your app needs, If you change these, Facebook may return an oauth token later in an unexpected format. I recomend you keep them the way I post them here and tweak them after you get everything working. Change anything below at your own risk, pay attention to trailing / and other params that will break your app. Make sure redirect_uri matches your app settings.

public class Facebook {
    // get these from your FB Dev App
    private static final String api_key = "1088xxxxxxx774d5ce9";
    private static final String secret = "secretkeyhere";
    private static final String client_id = "1530xx000432613";  
    public static String getClientId() {
return client_id;
    private static final String redirect_uri = "";
    public static String getAPIKey() {
        return api_key;
    public static String getSecret() {
        return secret;
    public static String getLoginRedirectURL() {
        return "" +
            client_id + "&display=page&redirect_uri=" +
    public static String getAuthURL(String authCode) {
        return "" +
            client_id+"&redirect_uri=" +

So far:

1. Your app should load and preset the user with a link to the authorization URL.
2. They'll then be sent back to the same page
3. OnModuleLoad will fire again but this time we'll have the code.

Everything else happens on the server all the way up to storing the users permanent OAUTH token and getting their Facebook info. This is all happening in my class that is called asynchronously from the module above. I'm assuming you know how to do this because you have gone through the app engine stock watcher tutorial :-)

 Get The Oauth Token.

With the code in hand, this is all you need to do to get the oauth token for a user on the server:

public String getToken(String code, String ClientID, String redirectURL, String secret)
String encodedCode="";
String retStr;
try {
encodedCode = URLEncoder.encode(code, "UTF-8");
String u1 = "" +
"client_id=" +  ClientID + "&" +
"redirect_uri=" + redirectURL + "&" +  
"client_secret=" + secret + "&" +
"type=user_agent&" +
"code=" + encodedCode;
retStr = fetchURL(u1);
} catch (UnsupportedEncodingException e) {
retStr = null;
return retStr;


Pass to this function your client id, the same redirect url and secret stored in the Facebook class above. The exact same parameters you used in the client code to get the code. This function is using a generic function I wrote for taking any url, posting it and getting the result. Here is that function fetchURL:

private String fetchURL(String u) 
String retStr = "";
           URL url = new URL(u);    
           BufferedReader reader = new BufferedReader(new InputStreamReader(url.openStream()));
           String line;
                while ((line = reader.readLine()) != null) {
            retStr += line;

       } catch (MalformedURLException e) {
           // ...
       } catch (IOException e) {
           // ...
return retStr;


Annoying Undocumented Facebook Behavior #3

Facebook does not return the plain oauth token, rather it returns the token like this: access_token=jhjvk... with the oauth token after the equals sign. If you want to use the token, you have to make sure it is url encoded. You'll see in my code here a simple function to use the token in this format, but removing the access_token= part, encoding  it and then putting it back together.

private String urlEncodeToken(String unencodedToken)
  String[] s =unencodedToken.split("=");
String retStr = null;
try {
retStr = "access_token=" + URLEncoder.encode(s[1], "UTF-8");
} catch (UnsupportedEncodingException e) {
return retStr;


Here is the complete facebook login function being called from the client. You'll see i'm

1. Using the code to get the token (above)
2. Using the token to get the email from  (me represents the authorized user, so that's the URL you use to get the users currently on your app)
3. Downloading the JSON data using my fetchURL functon (above)

At this point you're good to go, you have the users data and can interact with the Facebook graph. I also:

4. Convert the JSON into an object using GSON (google json api). My FBUser class is just a simple class with properties that match the json (email, name strings with getters and setters)  and a no-param constructor)

public String facebookLogin( String code, String ClientID, String redirectURL, String secret) 
                 String meURL =   "";
String token = getToken(  code,   ClientID,   redirectURL,   secret);
String email = "";
   String jsonEmail = fetchURL(meURL + "?" +  urlEncodeToken(token)  + "&fields=email,name");
FBUser fbuser = gson.fromJson(jsonEmail, FBUser.class);
email = fbuser.getEmail();
  return email;


You can now post and get from any of the url's documented in the graph api docs. 

Friday, December 3, 2010

Authenticated Posts to App Engine Servlets

I thought I would take a moment to further document a Java class I wrote for taking a google account and password and then using it to make an authenticated POST and GET to a servlet hosted on app engine.

The process should be very simple:
1. Create an instance of my class with your appspot url and credentials.
2. Use that object to add the auth cookie to your http post and get requests.

The Source code to this class is part of Nimbits4J.jar that allows developers to record time series data to the Nimbits Server running on app engine.  Nimbits is an open source data logger that runs on App Engine - you can learn more about it on

The Source Code to Nimbits4J which contains the client classes is all posted under the GNU license version 3 on Google Code:

It contains a class called  that handled getting the token, extracting the cookie information, and so on.

To the code!

With or Nimbits4J.jar added to your project, setup these strings

        private final static String gaeAppBaseUrl = "";
private final static String gaeAppLoginUrl = gaeAppBaseUrl + "_ah/login";
private final static String googleLoginUrl = "";
private final static String service = "ah"; 

Create the singleton object, passing in the above params, the gmail account and password a very trusting user gave you like this:

        GoogleAuthentication G = GoogleAuthentication.getNewGoogleAuthentication();
        G.ConnectClean(googleLoginUrl, service,  gaeAppBaseUrl,   gaeAppLoginUrl,   email,   password);

In the Nimbits4J project there is also a class which contains methods for talking to the Nimbits Services, but they are simply passing the client object G and the path to the service on app engine, with the params.  The code in red is where the magic happens.  On the Server Side, any calls to: u = UserServiceFactory.getUserService();

will return a valid user in these requests.

public static String doGet(String serviceUrl, String params, GoogleAuthentication G)
throws IOException {
String retVal = "";

try {
  URL url = new URL(postUrl + "?" + params);  //for example

HttpURLConnection connection = (HttpURLConnection) url.openConnection();
if (G != null)
connection.addRequestProperty("Cookie",G.getAuthCookie().getName() + "=" +            G.getAuthCookie().getValue());
BufferedReader reader = new BufferedReader(new InputStreamReader(
String line;

while ((line = reader.readLine()) != null) {
retVal += line;

} catch (MalformedURLException e) {
throw e;

} catch (IOException e) {
throw e;

return retVal;


On the Server Side, your app engine should have your servlets mapped in the web.xml. A good sample of a service running on nimbits is here: