I want to use Facebook SDK to login user for my app and on FaceBook API page it says
Mobile apps that use Facebook's iOS and Android SDKs get long-lived tokens by default... long-lived tokens usually have a lifetime of about 60 days
Let say a user logins to my app with Facebook, I then create a unique ID for that user and stores it in Userdefaults. If the user clicks logout, I will remove that unique id from UserDefaults and logout the user from facebook SDK.
My question here is what if the user exit my app without logout and then comeback after 61 days. Will facebook auto generate new token for that user? and of course the user status is still login in my app because the unique ID hasn't been removed. Thank you very much!
According to Facebook SDK Documentation
When you use iOS, Android, or our JavaScript SDK, the SDK will handle making sure that tokens are refreshed before they expire during this 90-day period. Native mobile apps using Facebook's SDKs get long-lived access tokens, good for about 60 days. These tokens will be refreshed once per day, for up to 90 days, when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
So yes, in your case the user needs to go through login flow again.
You can use login status api to validate token every time the user enters the app.
AccessToken accessToken = AccessToken.getCurrentAccessToken();
boolean isLoggedIn = accessToken == null;
boolean isExpired = accessToken.isExpired();
Related
I'm storing long-lived access tokens for users of my application that have associated their Facebook accounts to it. Since the demise of the offline_access tokens, these long-lived tokens have an expiry date of "about 60 days." However, they can refresh themselves when the user interacts with Facebook. According to the documentation:
These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
What I'd like to know is what constitutes making a request to Facebook's servers. Does the user have to log in to the Facebook website, mobile app, or use a Like button somewhere? Or does my application making a request on behalf of the user count as well?
Also, when the tokens are refreshed, are they refreshed for another 60 days? Or are they refreshed for a smaller duration?
I wasn't able to find these specific answers in the documentation or in other questions asked here, so thanks in advance to anyone who might have more details.
Every time you use Facebook SDK so it makes any Graph API call, tokens will be refreshed. You can see this in their source code, in AccessTokenManager there is function extendAccessTokenIfNeeded(), and that function is called inside GraphRequest in function executeConnectionAndWait().
You can also manually refresh tokens by calling:
AccessToken.refreshCurrentAccessTokenAsync();
I found one exception to this. Only sso tokens can be refreshed, which means if user logged in to your app via facebook app. If user logged in via browser, token will remain the same.
The previous line to the one you pasted is important:
Native mobile applications using Facebook's SDKs will get long-lived access tokens, good for about 60 days
The section you pulled out refers only to iOS and Android apps using the Facebook SDK - the SDK makes an API call to extend the token, which will only work from the SDK and for tokens produced by the native mobile SDKs-
Other apps (e.g websites, apps on facebook.com) need to use the login flows documented elsewhere in the documentation and require the user to be logged into Facebook in their browser
i am trying to use facebook api.i get the short term access token.now i can get longterm fb access_token.its validity will be around 60 days.In google apis there is a refresh token.using that we can get valid access token again and again.there is no such way in facebook so that we can get a new long term token without user to login again.i am creating a server app which will retrieve a user's post on daily basis and i dont want them to restrict to again login after 60 days .is there method possible.please guideline.
As explained in the docs, you have to send the user through the login flow to get a new access token. However, as long as you haven't added any new permissions and the user is already logged into Facebook, they won't have to login or grant access to your app again -- they will be immediately redirected back to your app.
Is it possible to get the access Token of a user with his FacebookId, Application Id and Application secret ?
PS : The user has already accepted to use the app.
Thanks
You can get the access_token of the user at the time he adds the app, or when he login again using the app. Not at a later moment than that.
You can use an app access_token which doesnt expire and is valid from the point the user adds your app. But keep in mind, it has limited retrieval capabilities comparing a user access_token.
The instructions on using Single Sign-On (SSO) with the Facebook IOS SDK are to save the access token and expiration date in fbDidLogin and use them on subsequent calls to avoid unnecessary logins.
But what if the user logs out of Facebook outside the app (e.g. in the Facebook app or in Safari)? The app doesn't know about this, so it tries to use the saved token and expiration date, and to my surprise - they are still valid and the app can access the user's data even though the user has logged out.
Any way around this?
no, there is no way to do this. each FB login a user makes is specific to the client they logged in with. A FB login is not universal across all clients. The FB token you get from the SDK is a token for that user with your app. So if a user logs out of FB in their browser or another app, they have not logged of FB from your app so the token will remain valid until it expires or the app or user explicitly logs out from the context of your app.
Not sure why you are concerned about this. Generally you would want your users to remain logged in. If you have a reason you don't want this don't request "offline_access" permission when you authorize a FB user and you can also logout and de-authorize the user via the FB API based on whatever criteria you deem appropriate.
Using Facebook's iOS SDK, how does a developer figure out if a user has signed out of his/her account in either Safari/Facebook app? If a developer is saving the access token and expiration date in the app between app launches, is there any flag within the SDK to let the developer know that the phone user has actually signed out/changed accounts? I want a user of my app to have to sign in with the new account if they have changed accounts from a third party app.
The Facebook SDK has a 'isSessionValid' method that you can call, but that method's implementation only checks to see if there is an accesstoken and if the expiration date is past a certain point. It does not check to see if the user has signed off or changed accounts from a different app.
Any ideas?
The current design is that once a user has logged into an ios client app and the app has an auth token, the user is in until the auth token expires or the user uninstalls the FB app (or deletes the app from their device). Suppose you have a server involved where your ios client hands the auth token to the server (they're the same FB app). That server would never know that another FB app on that device had logged out. Your user will probably have to use the logout method in Facebook.m.