So I'm trying to obtain a list of posts from a Facebook page that I have created. After reading the documentation, I need to provide a user access token / page token to each API request in order to get the data. The documentation states that the user access tokens & page access tokens come in two variants:
Short life, expires within a few hours / days.
Long life, expires within 90 days.
The application I am building is a aggregated news (Facebook, twitter and Instagram) feed that will be displayed to users on my website.
From what I have read, the app tokens don't have an expiration but cannot access the pages API.
Do Facebook really expect application owners to remember to manually update their keys every 90 days in order to keep the applications working, or am I missing something that I can do to automate this?
If it is only about your Page, you are not missing anything, and there is no way to automate generating tokens - that would make expiration dates pointless. You can only send yourself a reminder before it expires. But: It can also expire if your change your Facebook Password, for example. It would be a good idea to implement a proper error handling so you get a message when the Token does not work anymore.
If it is about other Pages too, you can apply for Page Public Content Access and use an App Token that is valid forever.
Related
I have been trying to create a never-expiring Facebook Token (ideally programatically) and have not been able to do so, then, without really trying, on a different Facebook Application, I managed to create a token which, according to
https://developers.facebook.com/tools/debug/accesstoken?version=v2.5&q={TOKEN}
will never expire and I can't replicate it on any other Facebook Apps or for any other Facebook Tokens.
I can programatically (PHP) take the short lived token (1/2 hours) and extend it to 60 days, but I wanted to ideally get a never-expire token.
I guess I'm not asking how I managed to do it, but I can't find any explanation or documentation nor reason as to why I was able to achieve this for one token, but not any others.
Is it something in the App itself while it was created? Is there actually a way to get a never-expiring token, even though I've followed many of the guides online yet can only get a 1/2 hour token converted to 60 days?
Is there actually a way to get a never-expiring token
No, not really. Even what you think is a never-expiring token can expire - f.e. if the user who created it changes their account password.
I guess I'm not asking how I managed to do it, but I can't find any explanation or documentation nor reason as to why I was able to achieve this for one token, but not any others.
It is not documented, because Facebook wants you to use the 60 day tokens, when you app is acting on behalf of a personal user profile. They removed offline_access permission ages ago, specifically so that apps the user has long forgotten about can’t act on their behalf or still access their data any more.
So if you are writing an app that acts on behalf of users, you should really rather make do with the 60 day token - that should be enough for most cases.
Now what you are seeing with your token here, is a side effect of how Facebook has implemented extended page access tokens. Those do not have a default expiry - but they need to be invalidated when the user is removed as a page admin. Therefor, they are internally tied to the user token that was used to request the page token. User token gets invalidated - page access token becomes invalid together with it. And that in turn requires that the user token does not automatically expire after 60 days.
So, when you extend a user token that includes manage_pages permission, you will get an extended token with “unlimited” validity. But, again, that is a side effect of current implementation only, and can change in the future.
I'm storing long-lived access tokens for users of my application that have associated their Facebook accounts to it. Since the demise of the offline_access tokens, these long-lived tokens have an expiry date of "about 60 days." However, they can refresh themselves when the user interacts with Facebook. According to the documentation:
These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
What I'd like to know is what constitutes making a request to Facebook's servers. Does the user have to log in to the Facebook website, mobile app, or use a Like button somewhere? Or does my application making a request on behalf of the user count as well?
Also, when the tokens are refreshed, are they refreshed for another 60 days? Or are they refreshed for a smaller duration?
I wasn't able to find these specific answers in the documentation or in other questions asked here, so thanks in advance to anyone who might have more details.
Every time you use Facebook SDK so it makes any Graph API call, tokens will be refreshed. You can see this in their source code, in AccessTokenManager there is function extendAccessTokenIfNeeded(), and that function is called inside GraphRequest in function executeConnectionAndWait().
You can also manually refresh tokens by calling:
AccessToken.refreshCurrentAccessTokenAsync();
I found one exception to this. Only sso tokens can be refreshed, which means if user logged in to your app via facebook app. If user logged in via browser, token will remain the same.
The previous line to the one you pasted is important:
Native mobile applications using Facebook's SDKs will get long-lived access tokens, good for about 60 days
The section you pulled out refers only to iOS and Android apps using the Facebook SDK - the SDK makes an API call to extend the token, which will only work from the SDK and for tokens produced by the native mobile SDKs-
Other apps (e.g websites, apps on facebook.com) need to use the login flows documented elsewhere in the documentation and require the user to be logged into Facebook in their browser
In my web app, I need to post on users facebook feed while they are offline. I already store long lived access tokens for the users. But these tokens also expire after 60 days.
The FB docs mention that it is necessary to redirect users to the login flow to get a renewed access token.
I was thinking of checking the facebook session validity of user, whenever they login to my app and to give them the option of re-authenticating facebook in case their access token has expired.
However this will involve user interaction if the user is not currently logged in to his facebook account.
Are there any alternative solutions to look at. Also, how do sites like Quora manage posting to user's wall, without needing to re-authenticate facebook after every 60 days.
PS - I am using the latest facebook php sdk.
Simple Answer: It is not possible to extend the Access Token on the server. It would make the whole concept void.
Earlier there was a permission called "offline access", but they changed it to an extended token with maximum 60 days to avoid those things. You should NEVER post anything on the wall of the user without his authorization, for every single post. You are not allowed to autofill/prefill the message parameter anyway (see Facebook terms), it always must be 100% user generated.
About Quora: i don´t know what exactly they are doing, but i assume they refresh the Access Token whenever the user goes to their website.
I'm making a facebook application that will scan a users' news feed on a daily basis - but the offline access token has been deprecated.
I know that the access token can be extended to 60 days. So if a user doesn't use my application for 60 days, would I be not able to access their information after that?
I read the developers section but didn't understand it properly.
That's exactly the point. You'll need to code your app to run through an authentication flow if the access token expires. Remember, the access token can expire for other (legitimate) reasons, other than timeout. If you're not asking for new permissions, and need to grab a new access tokens, the flow should happen without any user actions required.
You'll need to code for access tokens failing regardless of offline_access - so do it right! :)
I need to get the latest event from a fanpage/user and show it on a blog. Everything work well with the Graph API but the problem is, that I need a access_token (currently I use a access_token, generated from account).
But the problem is that the token expires (also the offline token).. what is the best way to do that?
For a fanpage event, you should be able to use the page access token of the given page to retrieve the data. This will be possible following scenario 5 in https://developers.facebook.com/roadmap/offline-access-removal/. As to a user's event, you can extend the token for two months at most also described here https://developers.facebook.com/roadmap/offline-access-removal/.
To get it working on your blog would not be easy as you would need a way to reauth the user every two months when the tokens expire.
Facebook has moved away from the concept of offline tokens because they present a huge security risk for users as they may forget about the application. If a user has not used your application in two months, it is reasonable for Facebook to remove user authorization of your app.