New Facebook Long Lived Access Tokens Are Not Valid

I am creating long-lived access tokens for my users when they first sign up for my app; this has been working fine for the past 6-8 months. Recently, the manage_pages permission was revoked from my app (when Graph API v8.0 was released) due to lack of use. It is true that we did not use this permission, but the reason we asked for it is that it was required for some of the calls we were doing to gather Instagram insights for our users when we first started. I don't know if this has anything to do with the issue, but I am including it anyway.
Now it seems that newly created access tokens are automatically invalid; this was never the case before. I run these access tokens through the access token debugger and get the following error:
Error validating access token: The user has not authorized application [MY_APP_ID].
It seems this problem began slowly, and now every single new user on our app is experiencing this issue, even after granting us the following permissions:
public_profile
email
instagram_basic
instagram_manage_insights
pages_show_list
The permissions recently revoked from my app were:
pages_manage_ads
pages_read_user_content
pages_manage_metadata
Users go through the complete OAuth flow, and when they are redirected to my site I create a long-lived access token, but it seems the token does not recognize that the user has authorized my app, hence the reason it is invalid.
Here is my OAuth URL for new users:
https://www.facebook.com/v5.0/dialog/oauth?client_id={{ settings.FACEBOOK_CLIENT_ID }}&redirect_uri={{ settings.FACEBOOK_REDIRECT_URL }}&state={{MY_STATE}}&return_scopes=true&auth_type=rerequest&scope=public_profile,email,instagram_basic,instagram_manage_insights,pages_show_list

You have to remove the manage_pages scope from your Facebook button code and replace it with the pages_show_list scope :)
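As an added example (not code from the question or the answer above), here is how the login dialog URL in the question can be built and its redirect handled server-side in Python: the `state` value is generated per login attempt and compared in constant time on the way back, and `granted_scopes` (which Facebook returns because the URL sets `return_scopes=true`) is checked against the scopes the app needs, so a user who completed the dialog but declined a scope is caught before a long-lived token is minted and stored. The client id, redirect URI and callback URLs used below are placeholders, and nothing here makes a network request.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Graph API version and scopes taken from the question's dialog URL.
GRAPH_VERSION = "v5.0"
REQUIRED_SCOPES = {
    "public_profile", "email", "instagram_basic",
    "instagram_manage_insights", "pages_show_list",
}


def new_state() -> str:
    """Fresh unguessable state for one login attempt; keep it in the server-side session."""
    return secrets.token_urlsafe(32)


def build_dialog_url(client_id: str, redirect_uri: str, state: str,
                     scopes=REQUIRED_SCOPES, rerequest: bool = True) -> str:
    """Login dialog URL with the same parameters as the question, properly URL-encoded."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "return_scopes": "true",           # Facebook echoes granted_scopes on the redirect
        "scope": ",".join(sorted(scopes)),
    }
    if rerequest:
        params["auth_type"] = "rerequest"  # re-ask for scopes the user previously declined
    return f"https://www.facebook.com/{GRAPH_VERSION}/dialog/oauth?" + urlencode(params)


def verify_callback(callback_url: str, expected_state: str, required=REQUIRED_SCOPES):
    """Check the redirect back from Facebook.

    Returns (code, missing_scopes). Raises ValueError if the state does not match the
    one stored for this session (CSRF / login-fixation protection) and PermissionError
    if the user declined the dialog.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    state = qs.get("state", [""])[0]
    # Constant-time comparison; compare as bytes so odd input cannot raise a TypeError.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: rejecting callback")
    if "error" in qs:
        raise PermissionError(qs.get("error_description", qs["error"])[0])
    code = qs["code"][0]
    granted = set(qs.get("granted_scopes", [""])[0].split(",")) - {""}
    # A dialog the user completed is not the same as a dialog that granted every scope.
    missing = set(required) - granted
    return code, missing
```

Only after `missing` is empty should the `code` be exchanged for a token; otherwise send the user back through the dialog with `auth_type=rerequest`, which is what the URL in the question already does.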

Related

Facebook page access token broken after adding new permissions to user token

Based on the Facebook documentation on page access tokens, the following steps need to be taken to obtain a long-lived Page Access Token:
Extend the user's access token, which has the manage_pages permission.
Get the page access token through the /userId/accounts endpoint using the extended user access token.
This process is working fine and I am able to obtain and use the page access token properly.
The issue arises when the user grants a new permission to the App - such as 'publish_actions' to allow the App to post on the Page's timeline, the page access token obtained using the above mentioned mechanism does not work properly.
Until about 6 to 8 weeks ago, the new publish_actions permission would allow the previously saved page access token to post on the page's timeline without any issue. This feature seems to have broken, and I am getting the following error:
{"error":{"message":"(#200) The user hasn't authorized the application to perform this action","type":"OAuthException","code":200
When the access token is debugged using the Facebook debugger tool, it shows that the saved page access token is indeed embellished with the new permission, as follows:
App ID XXXXXXXXXXXX : App Name
Profile ID 999999999999 : Page Name
User ID 9999999999999999 : User Name
User last installed this app via API v2.x
Issued 1454463877 (40 minutes ago)
Expires Never
Valid True
Origin Web
Scopes email, manage_pages, publish_actions, public_profile
So although this page token has publish_actions permission it is not able to post on the page's timeline. This has stopped working recently and looking for any other folks who have faced a similar issue and have managed to resolve it.
Btw, I have already tried refreshing the page access token using the newly generated user access_token at the time when the user gives the publish_actions permission. Going through the above 2 steps using the new user access token seems to return the same page access token, and it continues to fail to post on the timeline...
Any help is much appreciated.
The issue was related to using an incorrect permission. Facebook has introduced a new 'publish_pages' permission which should be used to make posts on business pages. We were using publish_actions, which was invalid (since v2.3 or somewhere around that; we are using v2.5 of the Graph API, so it caused a problem).
Facebook responded pretty quickly to our bug report and provided this guidance which helped resolve this issue (I should have posted this answer earlier).

Facebook Access Token Expiring with offline access

I have an application to manage a user's Facebook notifications; the app requests offline_access as well as the manage_notifications permission. My logs have been filling up with Facebook errors. I understand that the change-password error is going to happen, but what I don't understand is why I am getting these errors:
Facebook Error: Error validating access token: Session has expired at unix time 1320012000. The current unix time is 1320191317.
Facebook Error: (#200) The "manage_notifications" permission is required in order to query the user's notifications.
They are occurring way too often to be users just rejecting the permissions, and the access tokens that are expiring have expirations of 0.
For future reference, offline_access has been removed, now it is possible to get an access_token with a life span of 2 months
https://developers.facebook.com/roadmap/offline-access-removal/
Are you trying to use the user's token? Once you request offline access, you should "log in" with your app to get its own access token when you want to do something, not use the user's token that you saved, if that is what you are doing.
Scroll down to the part on this page labeled "App Login". That's how you are supposed to do things when users are not present, not retain and use the user's token.
https://developers.facebook.com/docs/authentication/

Facebook access token invalid with message "session does not match current stored session"?

I have recently started getting this error while posting to the Facebook newsfeed stream of an app user. I do have an offline access permission for the access tokens, and they worked fine previously.
This error is coming for 30-40% of the users:
"Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or may be due to a system error."
It's possible for your access token to become invalid for a variety of reasons (expiry time passed, user changed password, user deauthorized your app, user logged out of Facebook, etc.). You should always design to account for this scenario.
If your users are active, it's easy to get a new access token from the OAuth endpoint without them having to do/see anything. If not, you should make a plan (such as emailing them) for how you will get them to return so you can get a new access token. The scenario you're describing is not necessarily unusual. You can find some code samples here for help on how to handle expired access tokens.
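The answer above says to design for tokens becoming invalid. As an added example (not the page's or Facebook's code), the Python below classifies a Graph API error body into an action and wraps a request so that an invalid-token error leads to re-authorization rather than repeated failures. The numeric codes and subcodes are from Facebook's Graph API error reference (code 200 is the one quoted in the posts on this page; 190 is the OAuthException for an invalid or expired token); `do_request` and `reauthorize` are hypothetical callbacks the caller supplies, and the sample responses used to exercise it are constructed.

```python
import json
from dataclasses import dataclass

# Codes from Facebook's Graph API error reference.
INVALID_TOKEN = 190              # OAuthException: expired / invalidated token
PERMISSION_RANGE = range(200, 300)  # (#200) ... hasn't authorized the application ...
RETRYABLE = {1, 2, 4, 17}        # unknown error, service unavailable, app / user rate limit
SUBCODE_REASON = {
    458: "user removed the app",
    459: "user is checkpointed",
    460: "user changed password",
    463: "token expired",
    464: "unconfirmed user",
    467: "token invalidated",
}


@dataclass
class Decision:
    action: str   # "ok", "reauthorize", "request_permission", "retry" or "fail"
    reason: str = ""


def classify_graph_error(body: str) -> Decision:
    """Turn a Graph API response body into what the app should do next."""
    payload = json.loads(body)
    err = payload.get("error")
    if not err:
        return Decision("ok")
    code = err.get("code")
    subcode = err.get("error_subcode")
    message = err.get("message", "")
    token_problem = (err.get("type") == "OAuthException"
                     and "validating access token" in message)
    if code == INVALID_TOKEN or token_problem:
        # The stored token is dead; only the user can give us a new one.
        return Decision("reauthorize", SUBCODE_REASON.get(subcode, message))
    if code in PERMISSION_RANGE:
        # Token is fine but lacks a scope: send the user through the dialog again.
        return Decision("request_permission", message)
    if code in RETRYABLE:
        return Decision("retry", message)
    return Decision("fail", message)


def call_graph(do_request, token, reauthorize, max_attempts=2):
    """Run do_request(token) and react to token errors instead of logging them forever.

    do_request(token) returns the raw JSON body of a Graph API call.
    reauthorize(reason) must return a fresh token (e.g. after the user has been sent
    back through the login dialog) or None if it cannot obtain one right now.
    """
    for _ in range(max_attempts):
        body = do_request(token)
        decision = classify_graph_error(body)
        if decision.action == "ok":
            return json.loads(body)
        if decision.action == "reauthorize":
            token = reauthorize(decision.reason)
            if token is None:
                raise PermissionError(f"re-authorization needed: {decision.reason}")
            continue
        if decision.action == "retry":
            continue
        raise RuntimeError(f"{decision.action}: {decision.reason}")
    raise RuntimeError("gave up after repeated Graph API errors")
```

The point of separating the decision from the request is that the "password changed" and "expired" cases in the posts above end up in the same branch: the app stops using the token, records why, and asks the user to come back, as the answer recommends.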
This is undocumented, but I just tested it and it works with expired access tokens. It should work on access tokens that have been invalidated if you know their user id and they haven't revoked privileges to your app. First, you can verify that you still have the permissions you need by calling this URL:
https://graph.facebook.com/userID/permissions?access_token=appID|appSecret
If you still have publish_stream permissions, you can issue a HTTP POST to this url:
https://graph.facebook.com/userID/feed
with post parameters of access_token=appID|appSecret&message=test message
There seem to be a lot of questions about why your token would have expired so quickly. I think I can shed some light on that. Here are a number of scenarios I have found which cause this:
There is the obvious one; the user changed his password. There is nothing you can do about this. They will need to reauthorize your app. The rest of these scenarios deal with page tokens, which are similar to a token for a user profile, except they come from querying /me/accounts with the user token of a valid administrator for the page. These seem to expire much more frequently.
It seems that if ANY administrator of a page changes their password (not necessarily the one whose token you are using), this can cause the token to expire. Also, if you have some pages in your system with the same administrator, calling /me/accounts often refreshes ALL of the tokens for the pages this user administrates. That means if you are connecting a new page for a user with existing pages, you will need to update the existing page tokens with the new ones provided by /me/accounts.
Finally, the way I deal with this in my system is to store the admin user and token as a parent of the page token in my database. This way when I need to reconnect a page or add a new page, the system can lookup and update any related page tokens received from /me/accounts. It also allows you to automatically attempt to refresh the token by calling /me/accounts when you receive the expired token exception.
Hope some of this helps!
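The design described in this answer (page tokens stored under the admin user whose token produced them, and all of that admin's page tokens refreshed together from /me/accounts), as an added Python example that is not the answerer's code. The response shape used (`data[].id`, `data[].access_token`) is the real /me/accounts shape; `fetch_accounts` is a hypothetical callback that performs the HTTP request with the admin's user token, and the sample responses it is exercised with are constructed.

```python
import json
from dataclasses import dataclass, field


@dataclass
class AdminUser:
    user_id: str
    user_token: str                                  # long-lived user token of the page admin
    page_tokens: dict = field(default_factory=dict)  # page_id -> page access token


class PageTokenStore:
    """Page tokens kept as children of the admin user token that produced them."""

    def __init__(self):
        self.admins = {}      # user_id -> AdminUser
        self.page_owner = {}  # page_id -> user_id of the admin we fetched it through

    def connect(self, user_id: str, user_token: str, accounts_body: str) -> set:
        """Record a (new or re-authorized) admin and refresh every page they administer.

        accounts_body is the JSON returned by /me/accounts for user_token.
        Returns the ids of pages whose stored token changed, so callers can see that
        connecting one new page rotated the tokens of the admin's other pages too.
        """
        admin = self.admins.get(user_id) or AdminUser(user_id, user_token)
        admin.user_token = user_token
        self.admins[user_id] = admin
        changed = set()
        for page in json.loads(accounts_body)["data"]:
            page_id, token = page["id"], page["access_token"]
            if admin.page_tokens.get(page_id) != token:
                changed.add(page_id)
            admin.page_tokens[page_id] = token
            self.page_owner[page_id] = user_id
        return changed

    def token_for(self, page_id: str) -> str:
        return self.admins[self.page_owner[page_id]].page_tokens[page_id]

    def refresh_page(self, page_id: str, fetch_accounts) -> str:
        """On an expired-token error for one page: re-query /me/accounts via its admin.

        fetch_accounts(user_token) performs the request and returns the JSON body.
        Every page of that admin is updated, not just the one that failed.
        """
        admin = self.admins[self.page_owner[page_id]]
        self.connect(admin.user_id, admin.user_token, fetch_accounts(admin.user_token))
        return self.token_for(page_id)
```

If `fetch_accounts` itself fails because the admin's user token is dead (password change, deauthorization), the only fix is the one the answer gives for user tokens: that admin has to log in again, after which `connect` is called with the new user token.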
Check out the blog post officially from facebook: How-To: Handle expired access tokens
The offline session token is changed whenever a user changes his password. If a previously working session suddenly stops (and you're getting that error) then the user's password was changed (probably by the user) and you will need to re-prompt them to grant you offline access and save the new session token you get.
I also faced this issue while accessing the post comments from my command utility. In my case everything was working fine, until suddenly I got the error:
The remote server returned an error: (400) Bad Request.
After diagnosing the problem, I found that the Facebook access token is expiring after a period of time even though I created it with the offline_access option as below:
https://www.facebook.com/dialog/oauth?client_id=[APPID]&redirect_uri=[URL]&scope=user_photos,email,user_birthday,user_online_presence,offline_access
After wasting lots of time on R&D, I found that there is an option in the app's Advanced Settings for "Remove offline_access permission". My client had enabled it, and that's the reason my token was expiring. Have a look at the image below:
In my case I had to generate a new page access token because I changed my Facebook password.
You can do that by going to https://developers.facebook.com, click on your app, see the menu on the left, choose Messenger, then Settings, then scroll to Access Tokens, click Generate token, copy the token and paste it into your configuration file.

Can I get a Facebook authorization that won't expire?

I want the users of my website to be able to authorize Facebook access in their profiles, such that our servers can continuously use that authorization. I know how to do the authorization part, but what I get back is an access key that will eventually expire. This would require the user to log back in and re-authorize us periodically.
Is there a way that the user can grant authorization once, giving me an access key that won't expire?
Update
The offline_access permission is now disabled, as pointed out in one of the comments. To understand the changes, Facebook has a nice post: https://developers.facebook.com/roadmap/offline-access-removal/
Old Answer
If the application has not requested offline_access permission, the access token is time-bounded. Time-bounded access token also get invalidated when the user logs out of Facebook. If the application has obtained offline_access permission from the user, the access token does not have an expiry. However it gets invalidated whenever the user changes his/her password.
http://developers.facebook.com/docs/authentication/

Do Facebook Oauth 2.0 Access Tokens Expire?

I am playing around with the Oauth 2.0 authorization in Facebook and was wondering if the access tokens Facebook passes out ever expire. If so, is there a way to request a long-life access token?
After digging around a bit, I found this. It seems to be the answer:
Updated (11/April/2018)
The token will expire after about 60 days.
The token will be refreshed once per day, for up to 90 days, when the person using your app makes a request to Facebook's servers.
All access tokens need to be renewed every 90 days with the consent of the person using your app.
Facebook change announce (10/04/2018)
Facebook updated token expiration page (10/04/2018)
offline_access:
Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when they are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
It's a permission value that is requested.
http://developers.facebook.com/docs/authentication/permissions
UPDATE
offline_access permission has been removed a while ago.
https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/
Try this; maybe it will be helpful for you:
https://graph.facebook.com/oauth/authorize?
client_id=127605460617602&
scope=offline_access,read_stream,user_photos,user_videos,publish_stream&
redirect_uri=http://www.example.com/
To get lifetime Access Token you have to use scope=offline_access
The meaning of scope=offline_access is:
Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when they are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
But according to Facebook's upcoming changes, the offline_access functionality will be deprecated for good from the 3rd of October, 2012,
and the user will be given a 60-day long-lived access token. Before expiration of the access token Facebook will notify you, or you can build your own notification functionality by fetching the expiration value from the Facebook API.
Note that Facebook is now deprecating the offline_access permission in favor of tokens for which you can request an "upgrade" to the expiry. I'm just now dealing with this, myself, so I don't have much more to say, but this doc may help:
https://developers.facebook.com/docs/offline-access-deprecation/
I came here with the same question as the OP, but the answers suggesting the use of offline_access are raising red flags for me.
Security-wise, getting offline access to a user's Facebook account is qualitatively different and far more powerful than just using Facebook for single sign on, and should not be used lightly (unless you really need it). When a user grants this permission, "the application" can examine the user's account from anywhere at any time. I put "the application" in quotes because it's actually any tool that has the credentials -- you could script up a whole suite of tools that have nothing to do with the web server that can access whatever info the user has agreed to share to those credentials.
I would not use this feature to work around a short token lifetime; that's not its intended purpose. Indeed, token lifetime itself is a security feature. I'm still looking for details about the proper usage of these tokens (Can I persist them? How do/should I secure them? Does Facebook embed the OAuth 2.0 "refresh token" inside the main one? If not, where is it and/or how do I refresh?), but I'm pretty sure offline_access isn't the right way.
Yes, they do expire. There is an 'expires' value that is passed along with the 'access_token', and from what I can tell it's about 2 hours. I've been searching, but I don't see a way to request a longer expiration time.
Since I had the same problem, see the excellent post on this topic from Ben Biddington, who clarified all these issues with the wrong token and the right type to send for the requests:
http://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/
You can always refresh the user's access token every time the user logs into your site through facebook.
The offline access can't guarantee you get a life-long time access token, the access token changes whenever the user revoke you application access or the user changes his/her password.
Quoted from facebook http://developers.facebook.com/docs/authentication/
Note: If the application has not requested offline_access permission, the access token is time-bounded. Time-bounded access token also get invalidated when the user logs out of Facebook. If the application has obtained offline_access permission from the user, the access token does not have an expiry. However it gets invalidated whenever the user changes his/her password.
Assume you store the user's Facebook uid and access token in a users table in your database. Every time the user clicks on the "Login with Facebook" button, you check the login status using the Facebook JavaScript API and then examine the connection status from the response; if the user has connected to your site, you can then update the access token in the table.
Hit this to exchange a short-lived access token for a long-lived (or, for pages, non-expiring) one:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
Log into your Facebook account and edit your application settings (Account -> Application Settings -> additional permissions of the application which uses your account). Uncheck the permission "Access my data when I'm not using the application (offline_access)". Then Facebook will issue a new token when you log in to the application.
Basically, the Facebook token expires in about an hour. But you can use the 'exchange' token to get a long-lived token:
https://developers.facebook.com/docs/facebook-login/access-tokens
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
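To tie together the fb_exchange_token call shown in this and the earlier answer with the access token debugger mentioned in the questions, here is an added Python example that is not from the page or from Facebook. It builds the exchange and /debug_token requests, computes the Graph API appsecret_proof (an HMAC-SHA256 of the token keyed with the app secret, which lets the app turn on "Require App Secret" so a leaked token is useless on its own), and inspects a /debug_token response before the token is stored: it must be valid, issued to this app id (never accept a token minted for another app), not expired (expires_at of 0 means never, as for page tokens) and carry every required scope. The app id, secret and sample responses are placeholders or constructed, and nothing here performs network I/O; these functions belong on the server, since two of them handle the app secret.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

GRAPH = "https://graph.facebook.com"


def appsecret_proof(access_token: str, app_secret: str) -> str:
    """Graph API appsecret_proof: HMAC-SHA256 of the token, keyed with the app secret.
    Send it as the appsecret_proof parameter on every server-side call."""
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()


def exchange_token_url(app_id: str, app_secret: str, short_lived_token: str) -> str:
    """The fb_exchange_token request from the answers above. Server-side only: it carries the secret."""
    return f"{GRAPH}/oauth/access_token?" + urlencode({
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_lived_token,
    })


def debug_token_url(token_to_inspect: str, app_id: str, app_secret: str) -> str:
    """/debug_token, authenticated with the app access token (APP_ID|APP_SECRET)."""
    return f"{GRAPH}/debug_token?" + urlencode({
        "input_token": token_to_inspect,
        "access_token": f"{app_id}|{app_secret}",
    })


def inspect_debug_response(body: str, app_id: str, required_scopes, now=None) -> dict:
    """Decide whether a token described by /debug_token may be stored and used."""
    now = time.time() if now is None else now
    data = json.loads(body)["data"]
    problems = []
    if not data.get("is_valid", False):
        err = data.get("error", {})
        problems.append(f"invalid token: {err.get('message', 'no detail')}")
    # Token confusion check: a valid token for someone else's app must not log a user in here.
    if str(data.get("app_id")) != str(app_id):
        problems.append(f"token belongs to app {data.get('app_id')}, not {app_id}")
    expires_at = data.get("expires_at", 0)
    seconds_left = None if expires_at == 0 else expires_at - now   # None: never expires
    if seconds_left is not None and seconds_left <= 0:
        problems.append("token already expired")
    missing = sorted(set(required_scopes) - set(data.get("scopes", [])))
    if missing:
        problems.append("missing scopes: " + ", ".join(missing))
    return {
        "usable": not problems,
        "problems": problems,
        "seconds_left": seconds_left,
        "token_type": data.get("type"),
        "user_id": data.get("user_id"),
    }
```

`seconds_left` is what to persist next to the token so the app can exchange or re-prompt before expiry instead of discovering the problem from a failed call, which is the notification strategy one of the answers above suggests.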
This is a fair few years later, but the Facebook Graph API Explorer now has a little info symbol next to the access token that allows you to access the access token tool app, and extend the API token for a couple of months. Might be helpful during development.
Check the following things when you interact with the Facebook Graph API.
1) The application connect URL should be the base of your "redirect_uri":
connect URL:- www.x-minds.org/fb/connect/
redirect_uri - www.x-minds.org/fb/connect/redirect
2) Your "redirect_uri" should be the same in both cases (when you request a verification code and when you request an access_token):
redirect_uri - www.x-minds.org/fb/connect/redirect
3) You should encode the argument when you request an access_token.
4) You shouldn't pass the argument (type=client_cred) when you request an access_token. The authorization server will issue a token without the session part. We can't use this token with the "me" alias in the Graph API. This token will have a length of 40, but a token with the session part will have a length of 81.
An access token without the session part will work in some cases,
eg: -https://graph.facebook.com/?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.
but the Graph API with the "me" alias will work only with a token with the session part.
I don't know when exactly the tokens expire, but they do, otherwise there wouldn't be an option to give offline permissions.
Anyway, sometimes requiring the user to give offline permissions is an overkill. Depending on your needs, maybe it's enough that the token remains valid as long as the website is opened in the user's browser. For this there may be a simpler solution - relogging the user in periodically using an iframe: facebook auto re-login from cookie php
Worked for me...