In the aftermath of the Cambridge Analytica scandal, most social network platforms made changes to how third-party applications, like the Brandle Presence Manager, can access their APIs. One of the more challenging changes for corporate users is the necessity to provide more OAuth tokens, which must be of the right type, granted by the right person(s), and with the right permissions.
A token represents two things:
- the application has permission to make calls on behalf of the user/account (e.g. a User token for a Facebook account, LinkedIn account, etc.) or to access a particular point-of-presence or POP (e.g. a POP token for a Facebook page, Twitter account, etc.); and,
- a quota associated with that token (i.e., the amount of calls the application can make or data it can retrieve using that token).
In essence, these tokens govern what information a third-party application may access and how often.
Not all tokens are the same. Not only do they vary from platform to platform (e.g. Facebook vs. Twitter) but some platforms have multiple types. Twitter, for example just has one type of token, which is associated with an individual Twitter account (i.e. POP). Facebook, on the other hand, has two token types: User tokens and Page (POP) tokens. Note, that the Facebook Page tokens are often granted/accessed first by granting a Facebook User token -- the permission to use that POP token comes from its relationship to the User token (more below).
Twitter tokens, like some other platforms, are pretty simple. An entity just needs to provide enough tokens to meet the quota needs to monitor all of the POPs in inventory and search for each patrolled identity.
Facebook, however, is much more complex. Most of the Facebook API calls can be made with a User token and that token has to provide the Brandle Presence Manager the correct permissions (e.g. can see any company pages the user manages) and the Facebook user has to have sufficient permissions to access those pages. However, sometimes Facebook requires that the Brandle Presence Manager provide a page (POP) token to access certain information. For example, without the right token, the system cannot see which application was used to make a Facebook post, even if it can see the profile information and the posts themselves.
There is another aspect of Facebook tokens that is important to understand. As the Cambridge Analytica scandal exposed, Facebook tokens used to have an extremely long life – in effect, they never expired. This meant that once an application had been granted access it had access until someone explicitly revoked that access, which a recent study of ours showed, most people are not good at doing. To address this security risk, Facebook now requires that users demonstrate they are still using the application at least once every 60 days. The easiest way to do this is to use the "Sign-in with Facebook" to log into the Brandle Presence Manager. If Facebook does not see a log-in (or what we call a refresh) within that 60-day window, they will revoke data access until they see the user accessing the application again. While this can be annoying, we agree it is a reasonable precaution.
A word about quotas
A token's quota is something that is important to understand. Each platform puts limits on how many calls can be made to its API over some period of time and each platform is different. Some quota are based on the number of calls made, others based on the cumulative number of items (e.g. POPs) queried, and others based on the amount and type of data returned (e.g. Youtube). Looking across all platforms, it can seem rather complex as each platform is quite different.
It used to be that an application like the Brandle Presence Manager could make thousands of queries on behalf of a customer without supplying a customer's token or with just one token. However, in this new era, the platforms have become significantly more strict about when and how an application can access their data. Each API call is counted against a token's quota, which is why the system now warns you if you do not have enough tokens of the right type to discover and monitor for your entity.
How the Brandle Presence Manager uses tokens
Here are the most common activities for which the Brandle Presence Manager needs tokens, either to perform an action on behalf of a user or to retrieve data from a specific POP:
- Search a platform for a brand name or identity
- Retrieve profile information for a POP
- Retrieve posts made to a POP
- Identify the publication source of post made by a POP
- Access an Instagram Business Account connected to a Facebook page
Enabling User Tokens
To enable your User tokens, follow these steps:
- log in to the Brandle Presence Manager;
- click on your name from the Brandle menu bar (in the upper right corner);
- select "Manage My User Account" from the drop-down menu;
- choose the "Social Sign-On / User Tokens" tab from the side bar;
- click on any grey "Sign-on..." button under the "Enable/Disable" column to initiate the OAuth process;
- the system will redirect you to the platform, where you may be required to log in if you aren't already;
- after you are logged into the platform, it will ask if you wish to grant access to the Brandle Presence Manager and which permissions you wish to grant -- it is important you grant all permissions the we are requesting;
- on some platforms, you may also be prompted to select which POPs (e.g. Facebook pages), which you would also like to provided POP tokens for as well [See POP OAuth below];
- once you have approved the request, the platform will return control to the Brandle Presence Manager and provide the system with the appropriate token.
Not only will this provide a User token, it will enable you to log into the Brandle Presence Manager in the future using any of the social media accounts you enable. Note: if your company has enabled Single Sign-on (SSO a/k/a SAML) then even if you sign-on via a social platform (e.g. Facebook) you will still be redirected to your corporate identity server to complete the log-in process. In other words "social sign-on" cannot be used to circumvent your company's "single sign-on" process.
POP OAuth
Granting OAuth tokens for POPs is initiated differently from User tokens. In fact there are two different approaches: 1) one for permission-based platforms like Facebook and LinkedIn and 2) one for credential-based platforms like Twitter. Let's start with POPs on credential-based platforms:
POP OAuth for Credential-based Platforms (e.g. Twitter)
If you need to OAuth a POP (to provide a POP token) on a platform like Twitter, you simply need to find the POP in your inventory and choose "OAuth this POP" from the Action Menu (icon of three horizontal bars). This is will initiate the OAuth handshake with the platform and once complete, the token will be associated with the POP. At any time, you may then choose "Cancel OAuth" from the same Action Menu to destroy the token.
On some platforms, like Twitter, a POP token can be used like a User token to perform lookups not only for the POP with the token but for other POPs as well. On other platforms, the token's abilities may be limited to just the POP itself (see below).
POP OAuth for Permission-based Platforms (e.g. Facebook)
On permission-based platforms, like Facebook and LinkedIn, access to a POP token is acquired by first authenticating the user (i.e. granting a User token). A way of thinking about this is the OAuth process for a User account opens the door to grant individual POP tokens. For example, once you enable OAuth for your User account, Facebook will allow you to choose which pages will supply tokens to the Brandle Presence Manager.
Like with the other OAuth processes, you may be asked which permissions to grant to the Brandle Presence Manager. In every instance, we request the minimal set of permissions to perform the tasks necessary to keep your entity's inventory and discovery up to date.
There are a few details worth noting:
- If a POP for which you are granting a token is already in your inventory, the token will be linked to that POP.
- If you grant a token for a POP that is not in your inventory, the POP will not be created in your inventory. If you have POPs linked to your social media user account that you wish to import, use the "Import POPs" option from the "Tools" menu in the Brandle Menu Bar. This will create POPs for all selected POPs in your Inventory, acquire its token, and link the two together.
- On some platforms, like LinkedIn, the granted POP token can only be used to access that POP.
On some platforms, if the user who granted the POP tokens changes his or her password, the POP tokens may become invalidated. To remedy this situation, the User just needs repeat the User OAuth process.
Checking Token/OAuth Status
Checking User Tokens
You can see the status and health of your User tokens on your team tab:
- choose "Account" on the Entity Menu.
- select "Team".
You should then see the status of all User tokens in the "OAuth Tokens" column, next to the user to granted them.
Checking POP Tokens
For POP tokens, you will check their status and health in the Inventory table:
- choose "Inventory" on the Entity Menu;
- select "POPs";
- filter or search your inventory to find the POP(s) in question;
- choose a view that contains the "API" and "OAuth" columns.
The OAuth column will provide an indication of the health of the OAuth token and the last times the token was tested/used and how long it has been in its current state (e.g. the "Since:" timestamp). The API column will tell you if there were any issues accessing the POP either with a POP token or via a User token. If, for example, the OAuth token is valid but it does not have the correct permissions to access a particular POP, that information will appear in the API column.
Video
To see how to enable your User Tokens and OAuth POPs watch this video.
Note: In the above video, it appears that "Instagram is an option to enable user tokens. However, a recent change from Facebook now requires that an Instagram Business page be linked to a Facebook Business page in order to be monitored. So the Facebook tokens will allow monitoring on any Instagram linked page to that Facebook Page.
Comments
0 comments
Article is closed for comments.