I've seen countless questions similar to mine. But I have a very specific question about this.
In the Facebook access token documentation https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension it states
Native mobile apps using Facebook's SDKs will get long-lived access
tokens, good for about 60 days. These tokens will be refreshed once
per day when the person using your app makes a request to Facebook's
servers. If no requests are made, the token will expire after about 60
days and the person will have to go through the login flow again to
get a new token.
This statement generates as many questions as answers. Note I am NOT using the Facebook SDKs because mine is a server side app written in Java. So this isn't a native mobile app.
Does the phrase tokens will be refreshed once per day mean that if I use my long-lived token daily Facebook will just keep extending the expiration of my existing long-live
token? Or will it want to issue me a new long-lived token?
If the answer to the previous question is that it wants to issue me a new token how can I acquire that new token using only my existing long-lived token? I briefly looked into the Facebook Android SDK to see how it might work and it appears that there might be some sort of callback mechanism.
When I do a debug token call on my long-lived token at https://developers.facebook.com/tools/debug/accesstoken it says it never expires. Which is hopefully true, but contradicts Facebook's documentation stating they last for 60 days.
Any specific help on my questions would be greatly appreciated.
Related
I have been trying to create a never-expiring Facebook Token (ideally programatically) and have not been able to do so, then, without really trying, on a different Facebook Application, I managed to create a token which, according to
https://developers.facebook.com/tools/debug/accesstoken?version=v2.5&q={TOKEN}
will never expire and I can't replicate it on any other Facebook Apps or for any other Facebook Tokens.
I can programatically (PHP) take the short lived token (1/2 hours) and extend it to 60 days, but I wanted to ideally get a never-expire token.
I guess I'm not asking how I managed to do it, but I can't find any explanation or documentation nor reason as to why I was able to achieve this for one token, but not any others.
Is it something in the App itself while it was created? Is there actually a way to get a never-expiring token, even though I've followed many of the guides online yet can only get a 1/2 hour token converted to 60 days?
Is there actually a way to get a never-expiring token
No, not really. Even what you think is a never-expiring token can expire - f.e. if the user who created it changes their account password.
I guess I'm not asking how I managed to do it, but I can't find any explanation or documentation nor reason as to why I was able to achieve this for one token, but not any others.
It is not documented, because Facebook wants you to use the 60 day tokens, when you app is acting on behalf of a personal user profile. They removed offline_access permission ages ago, specifically so that apps the user has long forgotten about can’t act on their behalf or still access their data any more.
So if you are writing an app that acts on behalf of users, you should really rather make do with the 60 day token - that should be enough for most cases.
Now what you are seeing with your token here, is a side effect of how Facebook has implemented extended page access tokens. Those do not have a default expiry - but they need to be invalidated when the user is removed as a page admin. Therefor, they are internally tied to the user token that was used to request the page token. User token gets invalidated - page access token becomes invalid together with it. And that in turn requires that the user token does not automatically expire after 60 days.
So, when you extend a user token that includes manage_pages permission, you will get an extended token with “unlimited” validity. But, again, that is a side effect of current implementation only, and can change in the future.
According to the Facebook docs, mobile SDKs generate long lived tokens which are refreshed once per day when the person using your app makes a request to the Facebook servers. For the javascript SDK, short-lived tokens are generated and are refreshed periodically.
I'm curious as to what is meant by "the person using your app makes a request to the Facebook servers". Which calls specifically will cause the token to be refreshed? Or more importantly, which calls won't? Is it enough to check the login status or is something more active required? What I'm really interested in is keeping the token alive (or getting a new one) without sending the user back through the login flow, or doing anything that's particularly active with Facebooks APIs.
Thanks!
According to Facebook SDK Docu
Once a token expires ("auto" extend of Facebook SDK Token)
At any point, you can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token
THERE IS no keep alive functionality in Facebook SDK.
User access tokens come in two forms: short-lived tokens and long-lived tokens. Short-lived tokens usually have a lifetime of about an hour or two, while long-lived tokens usually have a lifetime of about 60 days. You should not depend on these lifetimes remaining the same - the lifetime may change without warning or expire early. See more under handling errors.
long-lived = 60 days
Short-lived = 2 hour
Also according to Facebook SDK Docu
Mobile apps that use Facebook's mobile SDKs get long-lived tokens.
Once you force a user for a new oAuth/login, he will receive a new token. The old one will not expire. You are able to check the loginStatusby FB.getLoginStatus. No need for a keep alive.
The SDK will refresh the access token for you when an actual graph request is made (up to once a day). Any time the token is updated, the AccessTokenTracker will be notified, so you can register a tracker if you want to be notified of updates (e.g. for sending to the server).
If you only make graph requests from your server, then you'll need to handle expiration from there, and either try to extend, or prompt your user to do SSO again to get an updated token.
I'm storing long-lived access tokens for users of my application that have associated their Facebook accounts to it. Since the demise of the offline_access tokens, these long-lived tokens have an expiry date of "about 60 days." However, they can refresh themselves when the user interacts with Facebook. According to the documentation:
These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
What I'd like to know is what constitutes making a request to Facebook's servers. Does the user have to log in to the Facebook website, mobile app, or use a Like button somewhere? Or does my application making a request on behalf of the user count as well?
Also, when the tokens are refreshed, are they refreshed for another 60 days? Or are they refreshed for a smaller duration?
I wasn't able to find these specific answers in the documentation or in other questions asked here, so thanks in advance to anyone who might have more details.
Every time you use Facebook SDK so it makes any Graph API call, tokens will be refreshed. You can see this in their source code, in AccessTokenManager there is function extendAccessTokenIfNeeded(), and that function is called inside GraphRequest in function executeConnectionAndWait().
You can also manually refresh tokens by calling:
AccessToken.refreshCurrentAccessTokenAsync();
I found one exception to this. Only sso tokens can be refreshed, which means if user logged in to your app via facebook app. If user logged in via browser, token will remain the same.
The previous line to the one you pasted is important:
Native mobile applications using Facebook's SDKs will get long-lived access tokens, good for about 60 days
The section you pulled out refers only to iOS and Android apps using the Facebook SDK - the SDK makes an API call to extend the token, which will only work from the SDK and for tokens produced by the native mobile SDKs-
Other apps (e.g websites, apps on facebook.com) need to use the login flows documented elsewhere in the documentation and require the user to be logged into Facebook in their browser
I'm trying to better understand Facebook Access tokens. I have a canvas web app in a sandbox. I have used the GUI to say the app seeks permissions for various user fields. The user then sees these listed and clicks the blue Go To App button. (Currently only developers and testers).
My questions are around the Access tokens. I've used the Graph API explorer and the Access Token Tool. In the Access Token Tool - there are User and App tokens listed. What are these for?
A user must have a token to use an app - this token is generated when they click to use the app... can this expire? What is the purpose of an app access token? Is this to be used to view which users are subscribed to the app?
Any explanation or step through of the process of accepting and using an app on facebook would be greatly appreciated!
Thanks :)
Access token is similar to a password in a weaker notion.
Whenever a user tries to access to a resource, your app should authenticate the user. In this context, your app requets to access some or all user data, in return you are given an access token that expires in a short period of time. Something like 1 hour, then once the token expires you need to authenticate the user again. There are ways to extend expiration duration upto 2 months.
Facebook docs are pretty clear and concise about tokens, you can read through them, and depending on the language you are using, there are API's you can benefit from.
Overall pretty easy.
I have an application that used to use offline_access, which obviously needs changing since that's going away.
We use this permission to publish messages to the facebook wall of a user when they interact without our backend through any number of APIs. We have a website, several mobile applications on iPhone, Android, Blackberry, and Nokia phones that connect to the application, as well as a desktop application that interfaces with hardware devices and all of these can cause the backend to attempt to publish to facebook, but only the website allows the user to make the initial authorization with facebook.
From what I understand, using server-side authentication gets 60 day long tokens, and the only way to get new tokens is to redo the authentication process which assuming the user hasn't changed password, is logged into facebook, and hasn't de-authorized the application will appear as nothing but a series of automated redirects.
Is there any other way to do this? For example, what exactly does fb_exchange_token do? Is it applicable in this case or does this ONLY apply to tokens received via the javascript API?
Is there anything we can do for these non-website user interfaces aside from incorporate the native facebook APIs and do the same thing for as the website?
Attempting to use fb_extend_token was pretty fruitless. Rerunning the standard authentication returned the same token but with a fresh 60 day expiry time. Doing it again a short while later didn't extend the token. I'm hoping this means I can only do this once a day, not once per token.
Since I was using the server-side flow and the keys would never be seen by the user I was able to rework my app slightly to use my APPLICATION token. These keys belong to your app and allow you to use the API on behalf of a user for as long as they haven't revoked their permission. The user authorization tokens can expire, but as long as the user hasn't explicitly removed your app from the apps they've allowed, your token will continue to allow you to post to the wall using a /user/ URL, the /me/ URLs won't work because your token is bound to your app.
I believe once the deprecation of offline_access is complete, obtaining/exchanging access tokens is the only way to do what you need.
Anyone who had offline access before the deprecation will still be able to use your application normally, for 60 days at least. Once this period is over, you have to re authorize users and extend their access tokens for another 60 days. To do this you have them log in, and authorize your app (if necessary). Then you extend their access token using fb_exchange_token, so it is good for 60 days.
I'm sure you have seen it, but it's all outlined in this article, more specifically the section about previously using offline_access. I also found this post useful for doing an upgrade. Here is another link that further details how to deal with invalid tokens.