Does Facebook have a refresh token for OAuth?
I want to know, if there is a refresh token, how long until it expires? 60 days?
And if Facebook doesn't have a refresh token, can I think of the long-lived access token as the refresh token, and the short-lived access token as the access token?
Thanks.
Facebook does not provide a refresh token.
Facebook provides two kinds of access tokens:
Short-lived access tokens: A token that expires after a short period of time (about 2 hours).
Short-lived access tokens are usually used on web clients.
Long-lived access tokens: An access token which has a long life (about 60 days).
Long-lived access tokens are usually used on mobile apps and server side.
You can generate long-lived access tokens with the Facebook SDKs for Android and iOS. These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after the preset expiry and the person will have to go through the login flow again to get a new token.
It is possible to exchange a valid short-lived access token for a long-lived access token.
The documentation explains the tokens, exchange methods, call parameters, etc. well.
And if Facebook doesn't have a refresh token, can I think of the long-lived access token as the refresh token, and the short-lived access token as the access token?
No, you can't. A refresh token is a token that may be used to obtain a new access token.
Facebook SDKs can refresh an access token at regular intervals before token expiry if connected.
Our app does not have a Facebook login. We have our own login that is not tied to Facebook login in any way.
Our server uses a never-expiring token to make API calls (server to server), as the majority of the calls will need to update/manipulate things in our DB.
However, in some instances it would be beneficial if our server could pass a "short-lived" token to the web client (UI), which could then use the token to call the Facebook Graph API directly in these cases.
We found a way to create a long-lived token from a long-lived token and pass it along to the UI, but we would prefer that the token expire quickly, so that it minimizes token theft and unintentional use of our ad accounts via a long-lived token from a web browser.
So is it possible to generate a short-lived token from a system/never-expiring token to pass down to the UI to make Graph API calls, or to expire a long-lived token in a way that does not affect other tokens? Currently it seems that when we expire a token, it expires all tokens within that app.
I created a Facebook app. The access token is now valid for 60 days, but I want to extend it to a never-expiring access token. If you have any information, please let me know.
There is no such thing as an access token that 'never expires'. Please read the Access Token Documentation. The best you can do is to get a token which is valid for 60 days and extend it after it has expired.
Native mobile applications using Facebook's SDKs will get long-lived
access tokens, good for about 60 days. These tokens will be refreshed
once per day when the person using your app makes a request to
Facebook's servers. If no requests are made, the token will expire
after about 60 days and the person will have to go through the login
flow again to get a new token.
Access tokens on the web often have a lifetime of about two hours, but
will automatically be refreshed when required. If you want to use
access tokens for longer-lived web apps, especially server side, you
need to generate a long-lived token. A long-lived token generally
lasts about 60 days.
From the Facebook documentation:
By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages. This will also apply when querying with a non-expiring user access token obtained through the deprecated offline_access permission.
So according to the documentation, a page access token will not expire if we request it using a long-lived user access token.
I want to know whether the page access token will expire when the long-lived access token expires.
What happens to the page access token obtained using a long-lived access token after the long-lived access token has expired (after 60 days)?
After searching and reading the official docs on extending tokens, I don't get a clear picture of whether there's a better way to refresh long-lived access tokens from a native desktop app than prompting the user to log in and authorize the URL again. This call is not allowed for desktop apps:
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
So the only choice I find now is to detect if the token is about to expire and, when true, redirect the user to the login page to re-authorize my app. Not very comfortable. Do you know of any other method?
According to your question, you want to refresh a long-lived token. The service you want to hit is for getting a long-lived token from a short-lived token which you have got from the authentication flow, rather than for refreshing an existing long-lived token.
You can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token.
After doing the above you will obtain a new short-lived token and then you need to perform the same exchange for a long-lived token.
Refer to https://developers.facebook.com/docs/facebook-login/access-tokens for in-depth details.
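The exchange discussed in the question and answer above, sketched as server-side Python; this is an added example and not part of the original posts. The function names are hypothetical, and the Graph API host and the response fields (`access_token`, `expires_in`, `error.message`) are assumptions, since the page shows only the request path and parameters. The request carries `client_secret`, so it belongs on a server and its URL should be redacted before logging.

```python
import json
import time
from urllib.parse import urlencode, urlsplit, parse_qsl, urlunsplit

GRAPH_HOST = "https://graph.facebook.com"  # assumption: host is not shown on the page
SENSITIVE = {"client_secret", "fb_exchange_token", "access_token"}

def build_exchange_url(app_id, app_secret, short_lived_token):
    """Build the fb_exchange_token request; server side only, it carries the app secret."""
    query = urlencode({
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_lived_token,
    })
    return f"{GRAPH_HOST}/oauth/access_token?{query}"

def redact_url(url):
    """Mask secret-bearing query parameters before the URL reaches a log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SENSITIVE else v)
             for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def parse_exchange_response(body, now=None):
    """Return (token, expires_at_epoch); expires_at is None if no lifetime is given.
    Assumed JSON fields: access_token, expires_in (seconds), error.message."""
    now = time.time() if now is None else now
    data = json.loads(body)
    if "error" in data:
        raise ValueError(data["error"].get("message", "token exchange failed"))
    expires_in = data.get("expires_in")
    expires_at = None if expires_in is None else now + int(expires_in)
    return data["access_token"], expires_at

def needs_login_flow(expires_at, now=None, margin=7 * 24 * 3600):
    """True when the token has expired or will within `margin` seconds,
    meaning the user should be sent back through the login flow."""
    now = time.time() if now is None else now
    return expires_at is not None and expires_at - now <= margin

# Constructed sample response, not real credentials or real API output.
SAMPLE_BODY = ('{"access_token": "LONG_LIVED_PLACEHOLDER", '
               '"token_type": "bearer", "expires_in": 5184000}')
```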
While reading Facebook's post regarding offline_access permission removal, I was thoroughly confused by their reference to short-lived and long-lived access tokens.
This page mentioned
The duration for which a given access token is valid depends on how it
was generated
But I failed to find any further information.
Does anyone have insights on how this determination process works in detail?
The access token your app gets for a Client-Side authentication is short lived (about 2 hours), but you can extend it and get a long lived token using the new endpoint with a valid access token.
In "Handling Invalid/Expired Access Tokens" it says, under "Desktop Web and Mobile Web apps which implement authentication with the JavaScript SDK":
Calling FB.getLoginStatus() or ensuring status: true is set when you
call FB.init() means that the next time a user lands on your
application and is signed into Facebook, the authResponse object you
are passed as a result of those calls will contain a fresh, valid
access token.
In this case, it's simply the act of the user using your application
which implicitly generates a new access token.
If you use the Server-Side authentication flow then you will automatically get a long-lived token (about 60 days).
When that expires you have to send the user to re-authenticate in the same flow (code exchanging).
You can of course use both methods and that way you can get a long lived token in the server and a short lived token in the client.