Facebook oauth2 API refresh tokens - facebook

I am building an application that does not have a client interface.
At the setup step: The user logs into the server throught a browser once using oauth, and the server makes sure that the client is identified.
From this point on, no browsers are invlovled. It all happens in the background.
It then keeps acting on behalf of the user for as long as the user can be validated.
That means that once in a while, my server needs to call the oauth provider to validate the user still exists.
Until now, I have only used google oauth: Once in a while, I would call the refreshtoken api, and get a new token indefinitely from the server side. (you need to ask for "offline access" when you get the user token).
Now I would like to use facebook as well, but reading their APIs, I see no mention of a possibility for a server to refresh it's tokens:
https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing/
It looks like it all has to be done from the client device.
As I have no client device, does this mean that I cannot write this sort of app with facebook?

I think your scenario can be covered through Facebook's mechanism. But you need to support a re-login if some error occur while using long lived access token. This can happen due to security measure taken by Facebook (ex:- data breach, cryptographic breach) or when user revoke tokens or change password or when tokens are not used for a longer time.
Steps to follow (According to their docs),
Obtain a User access token
These are short lived
Short-lived tokens usually have a lifetime of about an hour or two
Exchanging Short-Lived Tokens for Long-Lived Tokens
These have life span of around 60 days, even when they are not used.
long-lived token generally lasts about 60 days.
Basically, once you obtain a long lived token, you can use it from the server application. During this process, you required a client which used browser only to obtain short lived access token.
But as previously mentioned, these tokens can expire,
These tokens are refreshed once per day, when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
So you will require to obtain new ones by going through above two steps.

Related

Storing access tokens and handling their expirations

I'm using OAuth as:
a secondary method to sign users into my web application (rather than manually providing their name, email and password)
a way to receive to receive user data throughout the website.
What would be considered best practice when storing access tokens? I have two options:
Store access tokens in cookies
Store access tokens in a database
What are the advantages and disadvantages of either choice?
Regarding token expirations, what should be done to handle this?
One way I know I could handle this is by checking whether there was an error when calling the API and so requesting a new token and then calling the API again. However when requesting a new token, will I require the user to sign back in again? I would imagine this would be a problem when a page on my website requires data from Facebook, but to retrieve it, users have to log back in.
I don't understand how other websites manage to maintain access to Facebook, Google or Twitter APIs without requiring me to log back in again, especially when I'm on another device where I haven't once logged in to Facebook, Twitter or Google. How do they do this? Thanks.
If authentication is done using Google OAuth2.0. Google provides two tokens namely, Access Token and Refresh Token.
Access tokens have limited lifetime for 3600 seconds , but refresh tokens are valid for longer period of time.
Refresh token also expire. Read "Token expiration" section of the Google OAuth2.0 link
One can obtain new access token from refresh token without re-login. ReST api
So, one can have logic implemented to check for time elapsed after access token was generated and take precautionary steps for new access token generation.
Google tokens expire in 3600 seconds, so one can get access token say after every 3500 seconds and update the older access token stored with new one for further use. Also one other way could be, to set refresh token in GoogleCredential which is passed as parameter(httpRequestInitializer) while creating the service of any api.(For example look for Drive.Builder)
If you are not storing refresh token from which access token can be regenerated, you have to authenticate again to get new token.

Facebook - when does the SDK refresh the auth token?

According to the Facebook docs, mobile SDKs generate long lived tokens which are refreshed once per day when the person using your app makes a request to the Facebook servers. For the javascript SDK, short-lived tokens are generated and are refreshed periodically.
I'm curious as to what is meant by "the person using your app makes a request to the Facebook servers". Which calls specifically will cause the token to be refreshed? Or more importantly, which calls won't? Is it enough to check the login status or is something more active required? What I'm really interested in is keeping the token alive (or getting a new one) without sending the user back through the login flow, or doing anything that's particularly active with Facebooks APIs.
Thanks!
According to Facebook SDK Docu
Once a token expires ("auto" extend of Facebook SDK Token)
At any point, you can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token
THERE IS no keep alive functionality in Facebook SDK.
User access tokens come in two forms: short-lived tokens and long-lived tokens. Short-lived tokens usually have a lifetime of about an hour or two, while long-lived tokens usually have a lifetime of about 60 days. You should not depend on these lifetimes remaining the same - the lifetime may change without warning or expire early. See more under handling errors.
long-lived = 60 days
Short-lived = 2 hour
Also according to Facebook SDK Docu
Mobile apps that use Facebook's mobile SDKs get long-lived tokens.
Once you force a user for a new oAuth/login, he will receive a new token. The old one will not expire. You are able to check the loginStatusby FB.getLoginStatus. No need for a keep alive.
The SDK will refresh the access token for you when an actual graph request is made (up to once a day). Any time the token is updated, the AccessTokenTracker will be notified, so you can register a tracker if you want to be notified of updates (e.g. for sending to the server).
If you only make graph requests from your server, then you'll need to handle expiration from there, and either try to extend, or prompt your user to do SSO again to get an updated token.

Posting to Facebook on behalf of the user: how to handle token expiration?

I'm implementing a connect with Facebook/Twitter/... functionality on a website. The idea is that once a user connects his account with the external services our website could post messages on behalf of the user.
With Twitter there is no problem as the OAuth access_token doesn't expire. But with FB it does expire every two months, when the user logouts, changes password or explictly deauthorizes the app.
How should I handle the token expiration? For me it would be ideal if I could refresh the token automatically without bothering the user, but unless I've missed something it seems there isn't any way of doing this. So, right now I've two ideas:
The less akward way: every time the user logins to the website check if the tokens have expired and notify the user that she has too reauthorize the app.
The more akward way: every time the "post to social networks" event triggers in our website, check if the tokens have expired and ask the user to reauthorize.
The first option would be easier to implement and cleaner to the user.
So, how are you handling this situations?
Thanks!
I think that I'll trye the first option:
User logs in
The server checks if the user has already a Facebook token, if so:
Check if it's still a valid token. http://developers.facebook.com/docs/howtos/login/debugging-access-tokens/
If the token expired NOT because the user deauthorized the app BUT because the other cases we redirect the user to the OAuth endpoint.
I'll give it a try and update this answer if there is more to it.
If the user is actually interacting with your website, you should be getting a fresh access_token (read below). If you perform offline tasks related to the user using the Facebook API then you should be storing the access_token and their expiry dates. Then you need to handle expired access tokens and ask the user to interact with your app again and update your records.
You should refer to this document. Also you should be reading the Extending Access Tokens document:
Step 2. Refreshing Long-lived User Access Tokens
At any point, you can generate a new long-lived token by repeating the
original auth flow, obtaining a new short-lived token and then
performing the same exchange as above. In some cases, this newer
long-lived token can be identical to the previous one, but we do not
guarantee this will be true and your app shouldn't depend upon it.

Google Account access token

How to extend life time of google account access token i used gwt-oauth2-0.2 to obtain an access token but problem is that it expires very soon .i want to get a token with extended life time preferably that does not expires.
Since this is GWT code, it's executed in the client using client-side JavaScript. It is not possible to get a long-lived access token from within client-side JavaScript. The issued tokens last 60 minutes currently-- and you can always get another token later without any user interaction (as the user has already approved the OAuth grant request). This should be sufficient for all client-side access to a user's data.
If you're comfortable using server-side code instead, you could use the OAuth 2.0 flow for server-side web applications, and specify access_type=offline. This gives you an authorization code passed as a query parameter-- you then make a server-to-server call to exchange the authorization code for an access token. The first time you exchange a code for a given user, you'll also get a refresh token. Although the access token will expire, the refresh token can be used indefinitely to obtain new access tokens for that user by simply making a server-to-server call.

Facebook long-lived and short-lived access tokens, and their expirancy after offline_access removal

While reading Facebook's post regarding offline_access permission removal, I was thoroughly confused by their reference to short-lived and long-lived access tokens.
This page mentioned
The duration for which a given access token is valid depends on how it
was generated
But I failed to find any further information.
Anyone has insights on how this determination process works in detail?
The access token your app gets for a Client-Side authentication is short lived (about 2 hours), but you can extend it and get a long lived token using the new endpoint with a valid access token.
In the Handling Invalid/Expired Access Tokens it says under Desktop Web and Mobile Web apps which implement authentication with the Javascript SDK:
Calling FB.getLoginStatus() or ensuring status: true is set when you
call FB.init() means that the next time a user lands on your
application and is signed into Facebook, the authResponse object you
are passed as a result of those calls will contain a fresh, valid
access token.
In this case, its simply the act of the user using your application
which implicitly generates a new access token.
If you use the Server-Side authentication flow then you will automatically get a long lived token (about 60 days) automatically.
When that expires you have to send the user to re-authenticate in the same flow (code exchanging).
You can of course use both methods and that way you can get a long lived token in the server and a short lived token in the client.