From my understanding, if a bad guy steals an oauth2 access token, then they can use that token to access users' data.
Is that still true for Facebook long-lived access token? Or, facebook token is special, and is not useful without the app secret?
Thanks!
Related
I have generated a permanent Facebook page access token through developer.facebook.com for Messenger API.
Although it is theorectically permanent, it can be invalidated if Facebook think there is security problem.
Is there anyway to renew the access token automatically?
If the Page Token is invalid, the User Token used for the Page token is invalid too. And there is no way to get or renew a User Token without user interaction. So the answer is no.
I'm building an app that requires a Facebook Authentication Token.
Google'ing it I end up on https://developers.facebook.com/docs/facebook-login/access-tokens
This names the following tokens:
User Access Token
App Access Token
Page Access Token
Client Token
Are any of these a Facebook Authentication Token?
If not, how do you get one?
I ended up using this tool here:
https://smashballoon.com/custom-facebook-feed/access-token/
How get long-lived access token with permission user_posts???
I am using
https://graph.facebook.com/oauth/access_token?
grant_type=fb_exchange_token&client_id=xxx&
client_secret=xxx&fb_exchange_token={short-lived-token}
I need to user_posts permissionto gain access to Fb sharedposts, what you need to add to this URL
You first need to get the short-lived Acces Token via the normal login flow. Once you got it, you can exchange the short-lived one into a long-lived one.
See
https://developers.facebook.com/docs/facebook-login/v2.3
https://developers.facebook.com/docs/facebook-login/access-tokens#termtokens
https://developers.facebook.com/docs/facebook-login/access-tokens#extending
Hi I am trying to generate a Facebook access token that has offline access and doesn't expire.
We are currently generating the token using
https://graph.facebook.com/oauth/authorize?type=user_agent&client_id=OurAppId&redirect_uri=http://OurSite.com&scope=read_stream,offline_access
which generates the following
http://OurSite.com/#access_token=BWLjKqmm5I4dBAJUoJsbrZBMjqUTYd5oUVKdMDf0nyZBkBMnl62F5lFPqliU4cfAaI9vHjwhfgpsidjw5zrBfg4M5RftQcYHkD2rf3rCmsfd4vyxW1SPkg1bfUS3NuY2MwwhUGD159LztlpgkjSunVwf8LZA70NoefhRt1fhYPZCpSJ35gjgs6SxHwZDZD&expires_in=5500
But this expires pretty quickly. The fields in the Graph Explorer are not very obvious either.
How can we generate a token with offline access that doesn't expire
Cheers
Facebook has deprecated and removed the offline_access permission. This permission previously allowed you to get a long-lived token. It is no longer possible to do so.
Is it possible to renew the long-term oauth token for facebook before it expires, and if so, how is that accomplished? So far it seems facebook will only give back the old token with the same expiration date.
Edit: using server-side authentication, and not finding in the docs specific info on how to request a new short lived token and exchange it for a long-term token using server-side workflow.
https://developers.facebook.com/docs/authentication/server-side/
how is that accomplished?
By getting a new short-lived user access token first, and then sending it to the endpoint for extension.