Our LinkedIn APP no longer works with the evolution of V2. I have tried a couple of times and failed to create the correct token. I am seeking help to create the correct authorization link to get the token. Error from the App is currently "Empty oauth2 access token"
I created a new LinkedIn app to replace our old one. I have tried to follow the instructions from LinkedIn and Microsoft but my efforts have produced the following error
My most recent attempt was:
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=78xaqf0ereiisy&redirect_uri=https://www.gachina.com&state=gachina&scope=r_emailaddress r_liteprofile w_member_social
I received: https://www.gachina.com/?code=AQS65Njp1F9-L-mKSrAJKZeQ-ij2OX7wboTc30-hrfQIwwJ0yfWd4FBqxLl-ZXHmL5HurKud4t9WcGeHB62EfPNcy3ddoqT1LztUHhR59iL-Q8f9WLrX03d9e3OCTmY-3vR8a_4ENeIN0GFpeLy7DKRDmuUNcQ82UwScqhApdtwzEBw-_Y0duYG87Lc1KQ&state=gachina
then I used the format shown here:
https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow
https://www.linkedin.com/oauth/v2/accessToken?grant_type=authorization_code&code={authorization_code_from_step2_response}&redirect_uri=hhttps%3A%2F%2Fdev.example.com%2Fauth%2Flinkedin%2Fcallback&client_id={your_client_id}&client_secret={your_client_secret}
with
https://www.linkedin.com/oauth/v2/accessToken?grant_type=authorization_code&code=AQS65Njp1F9-L-mKSrAJKZeQ-ij2OX7wboTc30-hrfQIwwJ0yfWd4FBqxLl-ZXHmL5HurKud4t9WcGeHB62EfPNcy3ddoqT1LztUHhR59iL-Q8f9WLrX03d9e3OCTmY-3vR8a_4ENeIN0GFpeLy7DKRDmuUNcQ82UwScqhApdtwzEBw-_Y0duYG87Lc1KQ&redirect_uri=https://www.gachina.com/auth/Linkedin/callback&client_id=78xaqf0ereiisy&client_secret={client_secret}
but I receive the following upon submitting the above link with our {client secret} in place
{"error":"invalid_redirect_uri","error_description":"Unable to retrieve access token: appid/redirect uri/code verifier does not match authorization code. Or authorization code expired. Or external member binding exists"}
I am doing all of this within minutes. So, I do not believe there is an expiration of code.
Can you help identify the error of steps or code to receive a Token?
This will return the access token
$params = array('grant_type' => 'authorization_code',
'client_id' => $this->api_key,
'client_secret' => $this->api_secret,
'code' => $_GET['code'],
'redirect_uri' => base_url().$this->redirect,
);
// Access Token request
$url = 'https://www.linkedin.com/oauth/v2/accessToken?' . http_build_query($params);
$data_len = strlen(http_build_query($params));
// Tell streams to make a POST request
$context = stream_context_create(
array('http' =>
array('method' => 'POST','header'=> 'Content-Length: 0'
)
)
);
// Retrieve access token information
$response = file_get_contents($url, false, $context);
$token = json_decode($response);
return $token->access_token;
Related
My website already has universal analytics and we are displaying different analytics profile data on our dashboard by authenticating users. Because each user will have access to a different analytics profile. So the steps we follow in UA are,
Ask the user to authenticate.
Get auth code and create an access token.
Passing access token to listManagementProfiles API to get the list of profiles for the authenticated user.
Based on the selected profile we display the analytics data. (we use google service analytics library)
sample code:
if (!class_exists('Google_Client')) {
require_once '/lib/google-api-php-client-master/src/Google/Client.php';
require_once '/lib/google-api-php-client-master/src/Google/Service/Analytics.php';
}
$this->client = new Google_Client();
$this->client->setApprovalPrompt('force');
$this->client->setAccessType('offline');
$this->client->setClientId('************');
$this->client->setClientSecret('*************');
$this->client->setRedirectUri('*****************');
$this->client->setScopes('https://www.googleapis.com/auth/analytics');
$this->client->setDeveloperKey('*************************');
$this->service = new Google_Service_Analytics($this->client);
$accessToken = $this->client->authenticate($authCode);
if ($accessToken) {
$this->client->setAccessToken($accessToken);
return true;
} else {
return false;
}
Where I'm stuck?
I've checked for the GA4 documentation and followed the steps provided in the doc. I have created the account/property for GA4 in one of my google accounts.
I then enabled the analytics service from google console.
Created service account.
Downloaded JSON file.
Downloaded the google admin client library from here
GA4 sample code:
require 'vendor/autoload.php';
use Google\Analytics\Admin\V1alpha\AnalyticsAdminServiceClient;
use Google\Analytics\Data\V1beta\BetaAnalyticsDataClient;
use Google\Analytics\Data\V1beta\DateRange;
use Google\Analytics\Data\V1beta\Dimension;
use Google\Analytics\Data\V1beta\Metric;
putenv('GOOGLE_APPLICATION_CREDENTIALS=config.json');
$client = new AnalyticsAdminServiceClient();
$accounts = $client->listAccountSummaries();
But this does not require the access_token and without an access token, it allows to fetch the accounts lists. I don't want the manual process of giving access to the service account for each analytics account.
I want my user to authenticate to my website and then only do the rest process based on it.
How can I achieve that?
I also read something that GA4 does not have profiles(views), then how can I access the profile data in GA4? do I need to list down the accounts/properties list to the user for selection?
I need the referral, organic search, users, and session data on my website. What endpoint of GA4 provides this data?
Any other library do I need to use?
I think you are close. You are just mixing oauth and service account.
With your UA analytics code you are using the Google analytics reporting api / google analytics management api to request access of the user to access their Google analytics accounts. You are currently using Oauth2 to request access of a user to access "their" google analytics accounts. These are accounts that they control.
With your GA4 accounts you are connecting to the google analytics admin api though you are currently using a service account.
Service accounts must be pre authorized. They are intended for use with accounts that the developer owns. You need to swtich it to use Oauth2 and not a service account. This way the users will be authenticated to their own account.
Google analytics admin Oauth2
Here is a sample with Oauth2.
<?php
// composer composer require google/analytics-admin
require 'vendor/autoload.php';
use Google\Client;
use Google\Analytics\Admin\V1alpha\AnalyticsAdminServiceClient;
putenv('GOOGLE_APPLICATION_CREDENTIALS=C:\YouTube\dev\credentials.json'); // Installed app credentials.
$credentials = getenv('GOOGLE_APPLICATION_CREDENTIALS');
$myfile = file_get_contents($credentials, "r") ;
$clientObj = json_decode($myfile);
$client = getClient();
$tokenResponse = $client->getAccessToken();
print_r($tokenResponse);
print_r($tokenResponse["access_token"]);
$service = new AnalyticsAdminServiceClient( [
'credentials' => Google\ApiCore\CredentialsWrapper::build( [
'scopes' => [
'https://www.googleapis.com/auth/analytics',
'openid',
'https://www.googleapis.com/auth/analytics.readonly',
],
'keyFile' => [
'type' => 'authorized_user',
'client_id' => $clientObj->installed->client_id,
'client_secret' => $clientObj->installed->client_secret,
'refresh_token' => $tokenResponse["refresh_token"]
],
] ),
] );
$accounts = $service->listAccounts();
foreach ($accounts as $account) {
print 'Found account: ' . $account->getName() . PHP_EOL;
}
function getClient()
{
$client = new Client();
$client->setApplicationName('Google analytics admin beta Oauth2');
$client->setScopes('https://www.googleapis.com/auth/analytics.readonly');
$client->setAuthConfig(getenv('GOOGLE_APPLICATION_CREDENTIALS'));
$client->setAccessType('offline');
// Load previously authorized token from a file, if it exists.
// The file token.json stores the user's access and refresh tokens, and is
// created automatically when the authorization flow completes for the first
// time.
$tokenPath = 'tokenAdmin.json';
if (file_exists($tokenPath)) {
$accessToken = json_decode(file_get_contents($tokenPath), true);
$client->setAccessToken($accessToken);
}
// If there is no previous token or it's expired.
if ($client->isAccessTokenExpired()) {
// Refresh the token if possible, else fetch a new one.
if ($client->getRefreshToken()) {
$client->fetchAccessTokenWithRefreshToken($client->getRefreshToken());
} else {
// Request authorization from the user.
$authUrl = $client->createAuthUrl();
printf("Open the following link in your browser:\n%s\n", $authUrl);
print 'Enter verification code: ';
$authCode = trim(fgets(STDIN));
// Exchange authorization code for an access token.
$accessToken = $client->fetchAccessTokenWithAuthCode($authCode);
$client->setAccessToken($accessToken);
// Check to see if there was an error.
if (array_key_exists('error', $accessToken)) {
throw new Exception(join(', ', $accessToken));
}
}
// Save the token to a file.
if (!file_exists(dirname($tokenPath))) {
mkdir(dirname($tokenPath), 0700, true);
}
file_put_contents($tokenPath, json_encode($client->getAccessToken()));
}
return $client;
}
Note this is a console app, not a web app. You may have to tweek it to work with web but you should just be able to copy your UA auth code and dump the tokens in as i have shown here.
Code shamelessly copied from Simple How to Integrate php with Google analytics admin api.
To fetch Account Summaries using Access Token, you can use Google APIs Client Library for PHP
Here is the working code
<?php
require_once 'vendor/autoload.php';
use Google\Client;
use Google\Service\GoogleAnalyticsAdmin;
$access_token = 'ya29.xxxxxxx';
// Init Google Client and Set Access Token
$client = new Client();
$client->setAccessToken($access_token);
// GA Admin Service
$service = new GoogleAnalyticsAdmin($client);
// Fetch Account Summaries
$summary = $service->accountSummaries->listAccountSummaries();
// Output
print_r($summary->toSimpleObject());
Output
stdClass Object
(
[accountSummaries] => Array
(
[0] => stdClass Object
(
[account] => accounts/XXXXXXX
[displayName] => XXXXXXX
[name] => accountSummaries/XXXXXXX
[propertySummaries] => Array
(
[0] => stdClass Object
(
[displayName] => XXXXXXX GA4 Property
[parent] => accounts/XXXXXXX
[property] => properties/XXXXXXX
[propertyType] => PROPERTY_TYPE_ORDINARY
)
)
)
[1] => stdClass Object
(
[account] => accounts/XXXXXX
[displayName] => XXXXXXX accounts
[name] => accountSummaries/XXXXXX
)
)
)
I have created a Slack app with an incoming webhook and slash command. The OAUTH process works as expected and I am able to successfully deploy the app, retrieve and store the app token.
I have created and sent a message (with interactive buttons) into Slack, via the app's incoming webhook. The problem is that the buttons do not operate, and generate an error message within the Slack channel.
Having read as much of the Slack docs as I can find, I note that bots sending in messages to Slack are required to include the app token in the message. I read the webhook docs in detail however and could not find a similar requirement. The webhook guide just mentions the JSON format needed but nothing re the app token. Am I missing something? The guide clearly states that webhook messages can include interactive buttons, yet the button just doesn't work. I'm creating the response as follows:
$actions = [
[
"name" => "save",
"text" => "Save",
"type" => "button",
"value" => "save"
]
];
$attachments = [
[
"fallback" => "fallback message",
"title" => "Attachment 1",
"text" => "foobar attachment",
"color" => "#0066ff",
"callback_id" => "btn_action",
"actions" => $actions
]
];
$payload = [
"channel" => "#test",
"response_type" => "ephemeral",
"icon_emoji" => ":rocket:",
"username" => "Test User",
"attachments" => $attachments
];
$data = 'payload=' . json_encode($payload);
$ch = curl_init($webhook);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
curl_close($ch);
Would love any advice about how to resolve!
Cheers,
Andrew.
I had this same problem and it was due to using a slack token that was different from the one generated when I authorized my app. I expect that slack can only identify the app if it has bot token that is unique to that app. Unfortunately, it was a non-trivial process to get this new bot access token. I'll outline it below:
Select your app and the 'bot' checkbox in the "Add the Slack button"
section of https://api.slack.com/docs/slack-button.
Paste the url it generates in the 'a' element into your browser and then authorize yourself.
Collect the code token that it adds to the url when it tries to redirect back to your application.
Use the code token to fetch the bot_access_token for your app. I already had a python app using slack for oath-based login so I just modified that, but with python slackclient the code would look like this:
SlackClient("your api token").api_call(
'oauth.access',
client_id="your app client id",
client_secret="your app client secret",
code="the code token")
I think it works this way because 3rd-party integrations just store the bot_access_token per team and use it later. In my case, I just wanted to stuff the bot access token an environment variable for my app, which will never be in the public slack app directory. I'd love to know about an easier way to get a bot access token, so please let me know if you find one. Hope this works for you, Andrew.
Using the standard endpoint for FOSOAuthServerBundle (with FOSUserBundle), I can retrieve an access and refresh token by providing a client_id, client_secret, user and password combination. The response looks like this:
{
"accessToken": "YTg2ZTJkNTY2MGM5MGQyNzZjYjkyZWMwYzg1YTZmZTZmOTIyMzAxNDY2MTkwZDU5ODYzZTAzYmIyNDI0YTQ4ZQ",
"expiresIn": 3600,
"tokenType": "bearer",
"refreshToken": "OTU1MGZhNDQ2ODFkZDUzMmQ4Y2FhNTk5OWM0NWFlNDk0YTY0ZDZhOTRjZTUwM2JlYTE3MDkxYzU3ZWY1OGRkYQ"
}
My question is, how can I retrieve similar data programmatically by passing in the client and user credentials? I.e. How can I make the same call from another part of my application without going via HTTP (slow), but rather directly via the bundle code (fast)?
I'm sure there must be an easy way of doing this, but the best I can find so far is this https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/issues/347 which doesn't really achieve the same thing as the HTTP call.
Here is how you can get the same response directly from the fos_oauth_server.server service using a request object:
$grantRequest = new Request(array(
'client_id' => $clientId,
'client_secret' => $clientSecret,
'grant_type' => 'password',
'username' => $username,
'password' => $password
));
$tokenResponse = $this->get('fos_oauth_server.server')->grantAccessToken($grantRequest);
$token = $tokenResponse->getContent();
My understanding is that you're using password grant type. This would require that your application knows a user and password pair to get a token. I would suggest instead to use client_credentials grant type.
Using the FOSOAuthServerBundle you should be able to get an access token with something like (in a ContainerAware context)
$this->get('fos_oauth_server.server')->grantAccessToken($request)
Here as you can see a Request object is required, but you can forge this object easily
In alternative you could try
$this->get('fos_oauth_server.server')->createAccessToken($client, null)
Where $client is an instance of you OAuth client.
I'm searching for a solution to receive a Bearer token from an API using username and password.
Right now I'm reading the token through Chrome and extract my data, which is less then ideal of course.
I tried with httr and curl to optain through R and receive the Bearer token, but i think i am quite lost.
I think it should be quite simple, from the login information i gathered the mask from the login as
{"username":"name","password":"pw"}, shouldn't this just work with the POST command and the right headers?
POST(url="api_login",config=add_headers(c("username: name"
,"password: pw")))
Doesn't work at all. I can provide the example for php which looks like this:
<?php
// Include Request and Response classes
$url = 'url';
$params = array(
'username' => 'sample_username',
'password' => 'sample_password'
);
// Create a new Request object
$request = new Request($url, 'POST', $params);
// Send the request
$request->send();
// Get the Response object
$response = $request->getResponse();
if($response->getStatusCode() == 200) {
print_r($response->getBodyDecoded());
}
else {
echo $response->getStatusCode() . PHP_EOL;
echo $response->getReasonPhrase() . PHP_EOL;
echo $response->getBody() . PHP_EOL;
}
?>
As I'm not very familiar with php i would be very pleased for any help or a guide into the right direction. I searched hours
for API access through R but everything looks very specific to a special login.
I figured out this API uses a deprecated version of Swagger, if this is any useful information.
Thats what I'm doing atm, login with the website and read the token out of my browser. I want to login from inside R, sorry if I wasn't clear.
I updated my code now to:
opts=curlOptions(verbose=TRUE,
ssl.verifypeer = T)
postForm(url,
"username:" = uname, "password:"=pswd,
httpheader = c('Content-Type' = 'application/json', Accept = 'application/json'),
.opts=opts,
style='POST'
)
Which results in an error: SSL certificate problem: self signed certificate in certificate chain.
I tried a lot of different certificates with 'cainfo' inside the argument but can't make it work.
This is for a canvas app on the Facebook Platform using the new(est) Facebook PHP SDK.
We are using the PHP example from the Facebook tutorial (https://developers.facebook.com/docs/appsonfacebook/tutorial/) to trigger the OAuth dialog and get the test user to the redirect URL.
At the redirect URL, we use the PHP example from the Facebook signed request docs page (https://developers.facebook.com/docs/authentication/signed_request/) and our test users can successfully authorize the app.
However, after the test user auths the app, we are not able to capture the access token and its expiration. We can see it in the address bar appended to the redirect URL, but it does not show up in the $_REQUEST array. If we add {$access_token = $facebook->getAccessToken();} to the redirect URL page, it shows a value for the access token, but the value it shows is not the full token string that we see when we click on Show Token in the Test User Roles page (which we believe is the correct access token for the test user).
Here is an example of the redirect URL with an access token appended:
http://karmakorn.com/karmakorn/alpha20/kk-fb-auth.php#access_token=126736467765%7C2.AQDavId8oL80P5t9.3600.1315522800.1-100002908746828%7CJICJwM1P_97tKmqkEO5pXDCf-7Y&expires_in=6008
Here is what var_dump shows for the $REQUEST array for that same page:
array(3) { ["_qca"]=> string(26) "P0-709927483-1291994912966" ["__switchTo5x"]=> string(2) "30" ["PHPSESSID"]=> string(26) "euois02ead39ijumca7nffblh2" }
We have no idea why the $_REQUEST array varies from the values appended to the URL, and more importantly -- how to capture the access token and its expiration date.
Can someone show us a working example of how they capture this data after running the parse_signed_request($signed_request, $secret) function on the redirect page? Thanks!
ADDITIONAL INFO:
Here is the pertinent code from A) our test index page, and B) our test redirect page. If we use our text index page as the redirect url it gets stuck in an endless loop -- because the user is never identified.
A) Index Page
// Create kk-fb app instance
$facebook = new Facebook(array(
'appId' => KKFB_ID,
'secret' => KKFB_KY,
'oauth' => true,
));
$app_id = KKFB_ID;
$secret = KKFB_KY;
$canvas_auth = 'http://karmakorn.com/karmakorn/alpha20/kk-fb-auth.php';
$auth_url = "https://www.facebook.com/dialog/oauth?"
. "client_id=" . $app_id
. "&redirect_uri=" . urlencode($canvas_auth)
. "&response_type=token"
. "&scope=email,publish_stream";
$signed_request = $_REQUEST["signed_request"];
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
if (empty($data["user_id"])) {
echo("<script> top.location.href='" . $auth_url . "'</script>");
} else {
echo ("Welcome User: " . $data["user_id"]);
}
B) Redirect Page
// Create kk-fb app instance
$facebook = new Facebook(array(
'appId' => KKFB_ID,
'secret' => KKFB_KY,
'oauth' => true,
));
$app_id = KKFB_ID;
$secret = KKFB_KY;
$signed_request = $_REQUEST["signed_request"];
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
$user = $facebook->getUser();
$access_token = $facebook->getAccessToken();
echo "User: $user <br>";
echo "Access Token: $access_token <br>";
echo "Signed Request: $signed_request <br>";
var_dump($_REQUEST);
Here is what shows up as these echo results:
User: 0
Access Token: 126736467765|**SECRET**
Signed Request:
array(3) { ["_qca"]=> string(26) "P0-709927483-1291994912966" ["_switchTo5x"]=> string(2) "30" ["PHPSESSID"]=> string(26) "frugi545cdl15gjind1fnv6pq1" }
Interestingly, when the test user goes back to the index page the if condition is satisfied and we can get the correct access token:
Welcome User: 100002908746828
Access Token: 126736467765|2.AQBgcyzfu75IMCjw.3600.1315544400.1-100002908746828|m5IYEm976tJAkbTLdxHAhhgKmz8
Obviously, we are still missing something!? Also, we need to learn how to get the expiration time as a variable too so we can store both of these in our database.
OK, let's try this again.
Server-side vs Client-side Authentication
You are exclusively using the PHP SDK, so you want to do server-side authentication, where the authentication code is sent to the server over HTTP via the URL. This will allow you to fetch an access token for the user on the first page load after auth (in your case, the redirect page). The auth_url you are currently constructing is setting response_type=token, which forces the redirect to use client-side auth mode and set the token in the URL fragment instead of in the query. You should remove that parameter completely. In fact, I highly recommend you just use the PHP SDK instead of constructing that URL yourself. See example below.
Application Access Tokens
The odd-looking access token 126736467765|SECRET is your application access token, which is composed of your app ID and secret key. The application access token is returned by getAccessToken() if no user access token is available (because some API calls require at least some sort of access token). This also means that you've revealed your secret key to the world via this blog post, so you should reset your app secret otherwise anyone will be able to make API calls on your behalf. I highly recommend you elide parts of your access tokens if you share them with others.
Token Expiration
The OAuth 2.0 flow and v3.1.1 of the PHP SDK don't make determining the expiration time of a token all that easy. I would suggest attempting to make the API call, and then refreshing the token if the API call fails with an OAuthException. Tokens can be invalid even if they haven't expired, so this deals with more cases. However, if you still want to maintain the expiration date on your end, you might just want to extract it from the token itself. If you have an expiring token, then the expiration timestamp will be contained within that string. Here's a function I put together quickly to extract that:
function extractExpirationFromToken($access_token) {
$segments = explode('|', $access_token);
if(count($segments) < 2) { return 0; }
$segments = explode('.', $segments[1]);
if(count($segments) < 4) { return 0; }
$expires = $segments[3];
$dash_pos = strrpos($expires, '-');
if($dash_pos !== false) {
$expires = substr($expires, 0, $dash_pos);
}
return $expires;
}
New Index Page Code
// Create kk-fb app instance
$facebook = new Facebook(array(
'appId' => KKFB_ID,
'secret' => KKFB_KY,
));
$canvas_auth = 'http://karmakorn.com/karmakorn/alpha20/kk-fb-auth.php';
$auth_url = $facebook->getLoginUrl(array(
'scope' => 'email,publish_stream',
'redirect_uri' => $canvas_auth, // you could just redirect back to this index page though
));
$user = $facebook->getUser();
if (empty($user)) {
echo("<script> top.location.href='" . $auth_url . "'</script>");
} else {
echo ("Welcome User: " . $user);
}
Redirect Page
I don't think you need this page at all. You could just redirect the user back to your original index page.
// Create kk-fb app instance
$facebook = new Facebook(array(
'appId' => KKFB_ID,
'secret' => KKFB_KY,
));
$user = $facebook->getUser();
$access_token = $facebook->getAccessToken();
// also copy the function definition given earlier
$expiration = extractExpirationFromToken($access_token);
echo "User: $user <br>";
echo "Access Token: $access_token <br>";
echo "Expiration: $expiration <br>";
echo "Request: <br>";
var_dump($_REQUEST);
You can use the facebook build in method getAccessToken() for example;
$access_token = $facebook->getAccessToken();
This will give you the access token to your variable, now if you are getting it empty, remember to first check if the fuid is being properly catch, if it isn't you might need to review your settings be sure your "App Domain" is set this part is very important after setting it correctly you need to reset your app secret, then set your new values in your auth code. Hope this help, let me know :)
pd. Also remember to keep the scope of your variables visible in your whole php file or class.
Problem
The access_token in your pasted URL is not part of the query string, but instead contained in the URL fragment (after the #). URL fragments are not sent to the web server, and are readable only by client-side code like Javascript. Therefore the PHP SDK only sees http://karmakorn.com/karmakorn/alpha20/kk-fb-auth.php, which is why $_REQUEST does not contain an access_token key.
Questions / Notes
What are you using for your redirect_uri? I think you want to be using something like http://apps.facebook.com/your_canvas_url/
You shouldn't need to call parse_signed_request yourself or copy any code from the signed request page. The PHP SDK will do that for you. Just call:
$facebook = new Facebook(array(
'appId' => '…',
'secret' => '…',
));
$access_token = $facebook->getAccessToken();
Possible solutions
Also use the Facebook Javascript SDK. You can start by adding its <script> tag in your destination page (kk-fb-auth.php) (see the docs for full details; don't forget to set oauth: true). The JS SDK should set a cookie (named fbsr_126736467765) which the PHP SDK will be able to read via $_REQUEST or $_COOKIE on subsequent page loads.
If you want to do this with PHP, you can get the user's access token with a separate call to the Graph API at your redirect_uri. For this you need to change the response_type of your $auth_url in your index page to "code" or "code token".
Then, at your redirect page, Facebook will add a "code" parameter in the querystring. This API call will return you the full access_token and expiration time:
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID&
redirect_uri=YOUR_URL&
client_secret=YOUR_APP_SECRET&
code=$_REQUEST['code']
For more information you can refer to the docs on authentication.