To post to Facebook on behalf of a person, an app has to gain a long-lasting token in a process that involves the person authenticating themselves and giving permission to post.
Facebook's token expiration documentation says:
These tokens will be refreshed once per day when the person using your
app makes a request to Facebook's servers. If no requests are made,
the token will expire after about 60 days and the person will have to
go through the login flow again to get a new token.
This could mean:
The person who authorised the token visits Facebook's servers. So the token exists as long as the person is a regular Facebook user.
The app (using the token) visits Facebook's servers. So the token exists as long as it is regularly used.
Which is it? And if it is option 2, can the app make a idempotent request to Facebook's servers to keep the token alive past 60 days?
Related
According to the Facebook docs, mobile SDKs generate long lived tokens which are refreshed once per day when the person using your app makes a request to the Facebook servers. For the javascript SDK, short-lived tokens are generated and are refreshed periodically.
I'm curious as to what is meant by "the person using your app makes a request to the Facebook servers". Which calls specifically will cause the token to be refreshed? Or more importantly, which calls won't? Is it enough to check the login status or is something more active required? What I'm really interested in is keeping the token alive (or getting a new one) without sending the user back through the login flow, or doing anything that's particularly active with Facebooks APIs.
Thanks!
According to Facebook SDK Docu
Once a token expires ("auto" extend of Facebook SDK Token)
At any point, you can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token
THERE IS no keep alive functionality in Facebook SDK.
User access tokens come in two forms: short-lived tokens and long-lived tokens. Short-lived tokens usually have a lifetime of about an hour or two, while long-lived tokens usually have a lifetime of about 60 days. You should not depend on these lifetimes remaining the same - the lifetime may change without warning or expire early. See more under handling errors.
long-lived = 60 days
Short-lived = 2 hour
Also according to Facebook SDK Docu
Mobile apps that use Facebook's mobile SDKs get long-lived tokens.
Once you force a user for a new oAuth/login, he will receive a new token. The old one will not expire. You are able to check the loginStatusby FB.getLoginStatus. No need for a keep alive.
The SDK will refresh the access token for you when an actual graph request is made (up to once a day). Any time the token is updated, the AccessTokenTracker will be notified, so you can register a tracker if you want to be notified of updates (e.g. for sending to the server).
If you only make graph requests from your server, then you'll need to handle expiration from there, and either try to extend, or prompt your user to do SSO again to get an updated token.
I have a requirement that on a certain time a corn will run and a big numbers of facebook pages and facebook user profiles , and it would be automatic , no users will be active may be that time ! is that possible ?
If a user authorized your app once, you can get the long-lived token (expiry: 60 days), and then use this to do actions on the user's behalf at any later time (till the token is expired- you'll have to refresh the token in that case)
Here's how you can exchange the normal access token with the long-lived token: Expiration and Extending Tokens
And to refresh the long-lived token, you have to repeat the same procedure again, by logging-in the user to your app again.
I am looking for a way to publish stuff on my facebook wall from a java-webservice.
I was looking around and found that there WAS offline_access that is now deprecated.
So...
How can it be done?
You have two options I can think of:
Get a long lived user access token (using server-side authentication, or client-side and then extending the token) when the user interacts with you app, then you have a valid token for 60 days.
When the 60 days are over you'll need the user to re-engage your app to get a new token.
You can ask for the publish_stream permission and then using an app token you can post on the users' behalf:
App access tokens can also be used to publish content to Facebook on
behalf of a user who has granted a publishing permission to your
application.
App Access Tokens generally do not expire. Once generated, they are
valid indefinitely.
Bear with me, I know access_token questions have been asked a thousand times but I can't seem to find an answer to this specific question.
Is there an expiration date for Facebook Page (not app, not user) access tokens?
I know that:
offline_access has been deprecated.
I can request a 60-day user access_token
Step 1: I use Facebook Connect and I get a user access_token which has the manage_pages permission (by default, this token expires in 2 hours, extendable to 60 days)
Step 2: I then call /me/accounts and get an array of the user's pages each one with a listed page access_token
Step 3: I can use the page access_token in subsequent API calls to do things like posting to the user's page.
I need users to be able to schedule page updates to happen in the future (when they will not be online).
So again the question is:
What is the expiration date of the page access_token returned from /me/accounts?
If the expiration date is tied to something, what is it tied to?
Expiration date of the user access_token used when requesting /me/accounts?
60-days from when the request is made to /me/accounts?
I apologize for my confusion, the Facebook documentation seems to fall extremely short in describing these access tokens.
I just created a brand new app. Ensured the deprecate offline access was enabled. Went to explorer, found my new app in the dropdown, granted myself manage_pages, went to me/accounts grabbed one of the page access tokens, and then linted it. Whew! 1 hour expiration.
EDIT
I tried exchanging that 1 hour page token and I got an error from fb.
I went back to the user access token, and exchanged it for a 60 day one. Verified in the linter that it was a 60 day. Went back to me/accounts and grabbed one of the page access tokens and linted it. Suprise! Got a 60 day token from there.
So the moral of the story is, you cannot exchange page tokens, only user tokens. But with a 60 day user token you can get a 60 day page token. :)
I have a poll app running on facebook (each user gets a vote each day). Until now I didn't store on my database the user access token. This is now updated and I'm keeping the access token by this time. Each time a user votes I save his access token.
My problem is how to get the user's access token from previous votes, is this possible considering that they have authorized my app? Is there a method for this? I have the users id.
(the only reason for needing this is to get the "is_verified" property from FB graph API)
Thanks for your help,
Hugo
You cannot get user access_token without authenticate him.
You can however send your users app to user request engaging user to visit your application so you'll be able to store user's access_token.
Beware that access_token may expire and offline_access permission is deprecated (and will be removed soon), you can extend tokens up to 60 days (extending will only works for users who re-authenticated, not already authenticated)...