According to Facebook's documentation, the access token is good for 60 days after the user's most recent use of the app.
When your app uses Facebook Login to authenticate someone, it receives
a User access token. If your app uses one of the Facebook SDKs, this
token lasts for about 60 days. However, the SDKs automatically refresh
the token whenever the person uses your app, so the tokens expire 60
days after last use. If your app doesn't use the Facebook SDKs, you
need to include code that refreshes the User token manually. If the
User access token expires, your app must put the user through the
login flow again.
By using the debug_token endpoint, you can view the expiration date of the token's access to their API.
$response = file_get_contents_curl('https://graph.facebook.com/debug_token?input_token='. $this->access_token .'&access_token=' . $this->access_token);
This will return something like this:
string(1386) "{
"data": {
"app_id": "867-5309",
"type": "USER",
"application": "Jenny's Phone Number",
"data_access_expires_at": 1603124081,
"expires_at": 1600452140,
"is_valid": true,
"issued_at": 1595268140,
........etc.
However, when I run API calls, it does not change that number or extend it. So are there specific API calls that constitute the user making use of the app? Or rather, what meets that definition?
The goal here would then be to use an API call that meets this definition to make a non-important, silent, background call once a week or once a month simply to keep the access token alive. Is something like this possible?
Related
Our app already implements oAuth to obtain the access token and secret from Intuit, and all works well.
The app takes into account that users may have multiple QBO companies. Consequently, when a user tries to authorize access to one company, our app checks whether this company has been already authorized, and if it has, the app lets the user know so and does not try to re-authorize the company.
The way we implemented this is as follows. When the authorization process starts, we send or app the list of companies (realm ID) which have been authorized. The user clicks the "Connect to QuickBooks" button and follows the wizard. Internally the app gets the request token and it is ready to make the access token request. The request token request gets us the realm ID so we can compare it with the list of already authorized companies. If the company has been authorized we do not request the access token and let the user know that the company has already been authorized.
Up until a week ago this used to work -i.e. in this case, because the app does not make a request for the access token, the access token the app has is still valid. However, now something seems to have changed so that when the app makes gets the request token, even though it does not ask for the access token, the existing access token is not valid anymore and the user need to re-authorize the company again.
Has something changed in the oAuth flow implementation ?
Thanks
OAuth tokens are valid for 180 days(bydefault). So, please check if existing tokens are getting more than 180 days old. If so, please use 'reconnect api'.
Ref - https://developer.intuit.com/v2/docs/0050_quickbooks_api/0020_authentication_and_authorization/oauth_management_api#Reconnect
One suggestion -
You can implement SSO( using 'sign in with intuit' wizard) in you app. That way you can relate end-user's SSO URL with OAuth tokens of his company while persisting those in your app's db. For the very first time, end user will generate tokens through C2QB flow. Next time onwards whenever the end user will sign in, your app should retrieve his oauth tokens using his SSO identifier(your app should show 'Disconnect' option instead of C2QB if he already has an established connection).
Thanks
I'm storing long-lived access tokens for users of my application that have associated their Facebook accounts to it. Since the demise of the offline_access tokens, these long-lived tokens have an expiry date of "about 60 days." However, they can refresh themselves when the user interacts with Facebook. According to the documentation:
These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
What I'd like to know is what constitutes making a request to Facebook's servers. Does the user have to log in to the Facebook website, mobile app, or use a Like button somewhere? Or does my application making a request on behalf of the user count as well?
Also, when the tokens are refreshed, are they refreshed for another 60 days? Or are they refreshed for a smaller duration?
I wasn't able to find these specific answers in the documentation or in other questions asked here, so thanks in advance to anyone who might have more details.
Every time you use Facebook SDK so it makes any Graph API call, tokens will be refreshed. You can see this in their source code, in AccessTokenManager there is function extendAccessTokenIfNeeded(), and that function is called inside GraphRequest in function executeConnectionAndWait().
You can also manually refresh tokens by calling:
AccessToken.refreshCurrentAccessTokenAsync();
I found one exception to this. Only sso tokens can be refreshed, which means if user logged in to your app via facebook app. If user logged in via browser, token will remain the same.
The previous line to the one you pasted is important:
Native mobile applications using Facebook's SDKs will get long-lived access tokens, good for about 60 days
The section you pulled out refers only to iOS and Android apps using the Facebook SDK - the SDK makes an API call to extend the token, which will only work from the SDK and for tokens produced by the native mobile SDKs-
Other apps (e.g websites, apps on facebook.com) need to use the login flows documented elsewhere in the documentation and require the user to be logged into Facebook in their browser
I've developed a Facebookapp that has the "user_photos" permission. Now i've submitted the App, which is now live. I've installed it on several Facebook-Accounts of my friends... (Yes! they have granted the requested permissions)
When i now try to make an request i get the following error message
{
"error": {
"message": "A user access token is required to request this resource.",
"type": "OAuthException",
"code": 102
}
}
Here's my Request-Query:
https://graph.facebook.com/LogInIDOfMyFriendThatHasInstalledTheAPP/?fields=albums.fields(photos,name,description),email&access_token=mySecretAppToken
Ok it works if I replace the App-Token with a User-Token that is generated by an OAuth-Process or via GraphAPIExplorer but in the Documentation (https://developers.facebook.com/docs/facebook-login/access-tokens/) it is said (in Paragraph) "App Tokens" that
"App access tokens are used to make requests to Facebook APIs on behalf of an app rather than a user. [...]" and that i have to generate an other "App Accesstoken" but this also does't work.
I'm confused...
So is there something i've forgotten / missunderstood or do I have to use the oAuth-Way which means that my friends have to reauthenticate to my App every two month???
Thanks a lot!
Best regards
Mike
A few lines after in the documentation it states
App access tokens can also be used to publish content to Facebook on behalf of a person who has granted a publishing permission to your application.
This is what they mean by requests on behalf of the user.
For the albums endpoint you need a user access token.
Yes your friends need to re-authenticate your app every two months if you extend a short lived user access token. The point is not to have apps sitting around with access when the user may have forgotten them. Prompting the user to re-authenticate ensures they are still aware of these apps and can have the choice to keep or delete them
I am trying to automatically display wall posts from a Facebook page another website. I can use the Graph API explorer to get one manually. When I use the generated token in my code all is well. The problem is the tokens expire quickly. It just isn't practical to get a new code several times a day. I know there is a way to request an access token programatically - in my case via PHP, but all the examples call for an app secret. Since this is a page and not an app, there is no secret.
I have tried this:
https://graph.facebook.com/oauth/authorize?type=user_agent&client_id=MY_CLIENT_ID&redirect_uri=http%3A%2F%2FMY_SITE_URL&scope=user_status
What I get back is this:
{
"error": {
"message": "Error validating application. Cannot get application info due to a system error.",
"type": "OAuthException",
"code": 101
}
}
I have tried using Fiddler to intercept the call from the Graph API explorer to see what I need in my code file, but haven't had any luck.
Use the app-id to build this link to authorize the managing of pages
https://www.facebook.com/dialog/oauth?client_id=MY_CLIENT_ID&redirect_uri=MY_SITE_URL&scope=manage_pages&response_type=token
Exchange token for perm (longer token)
https://graph.facebook.com/oauth/access_token?client_id=MY_CLIENT_ID&client_secret=MY_CLIENT_SECRET&grant_type=fb_exchange_token&fb_exchange_token=(from link1)
Visit this page, find the PAGE you want to post and copy the new access_token
https://graph.facebook.com/me/accounts?access_token= (from link2)
Use this last token (form link3) to post to page as app
Take note as it will expire in 60 days. (FB no longer offering unlimited offline access token)
Edit (2013 Oct 24): 5th point no longer true, Page Access Tokens generated from long-lived User Tokens do not expire.
Edit (Feb 2016): Tokens now "usually" expire in 60 days but can be invalidated at any time.
For graph objects that are not private (public) you can use your app_id as an access_token.
Your app_id never changes so you don't ever have to renew it. The question is is the wall content yours?
If so you can easily use your app_id to accomplish this without having to request an access token everytime.
However, in order to have an app_id you need to create an application on facebook with a facebook developer account. As far as I understand there isnt a way to anonymously make request to the Graph API,
I'm working to enable my app to hit the FB Graph API to look up data on a user. I want to do this in a way that is app focused meaning it isn't based on a user signed into my app. It's a relationship between the app & the FB Graph API.
My understanding is I can do that with the APPLICATION ACCESS TOKEN is that right?
If I use my app access token here:
https://graph.facebook.com/search?q=born#gmail.com&type=user&access_token=208131059208382|xFN8da1tIDxuuMp8hoRtGs3l0aM
I get an error:
{
"error": {
"type": "OAuthException",
"message": "An access token is required to request this resource."
}
}
Why is that?
Can I use my personal FB account to hit the API for the purposes of the app?
When a user oAuth's in to an app, how long does the access token last? Is it something I can hard code in my app so I can hit the FB graph api?
Thanks
For a lot of things on Facebook, you have to have a valid session access token from the user. What this means is, the access token you get from a user must be used to access a resource. This is especially true when pulling data about the user out of the graph. The access token that FB gives you when the user loads your application typically lasts for an hour (if I recall correctly). The session object FB gives you tells you the expire time on the token, though.
If you need to access the data for a user in an offline manner, you could ask the user for the offline_access extended permission. Doing this makes Facebook give you an indefinite access token, which doesn't ever expire (unless the user changes their password). That allows you to query the graph on the user's behalf whenever you feel like doing it.
The search feature doesn't require an access token if you're performing a standard search, or a page search, etc. But it does require a valid access token when you're searching for users. I assume this is to keep people from hammering the search and crawling public user data with a bot.
You can follow the instruction in
http://developers.facebook.com/docs/authentication/
take a look at https://github.com/michaelbaldry/fb_graph_canvas - It's a barebones canvas application that you can test locally. It uses fb_graph and is about as simple as can.