Facebook user access token validity - facebook

After I read the graph api documentation, I understood the usually a regular user token has around 2 hours validity, and you can extend it for another 60 days.
I started to test the graph api, and I generated a token for my personal facebook acount using my own fb application.
I was surprised to find out the this token has the expiration date set to never.
Please have a look over the print screen which contains debug info about the token.
So the question is: why my token doesn't expire in a few hours as is specified in the graph api documentation ?

why my token doesn't expire in a few hours as is specified in the graph api documentation ?
That’s a “side effect” of manage_pages permission.
Extended page access tokens do have unlimited validity. And page access tokens still need to be tied to the user that created them somehow (if the user is removed as admin for the page, the page token needs to get invalidated as well) – so for implementation reasons Facebook chose the way of making the user access token have unlimited validity in this case as well.

Related

Facebook scenario 5 on the Removal of offline_access permission page

I have a general Facebook development question. I'm trying to understand how scenario 5 on Facebooks Removal of offline_access page is supposed to work and what that token can be used for.
A little bit about my app. I allow my apps users to schedule/post Facebook posts from a third party system I integrate with. We then pull the likes and comments and feed it back into that system. Right now we are set up to get the 60 day long lived token and that works great but we have to impose a time limit on scheduling. It's not the end of the world but if we can do better we want to explore that option.
Thus we were told about "Scenario 5" which I've posted and linked to below. My questions are:
What does it mean by a page that the user administers?
What are the pros/cons of this method?
Similar to #2 what can this method do or not do that the 60 day access token can't/can do?
Any tips or hurdles to watch out for when implementing this?
Scenario 5: Page Access Tokens
When a user grants an app the manage_pages permission, the app is able to obtain page access tokens for pages that the user administers by querying the [User ID]/accounts Graph API endpoint. With the migration enabled, when using a short-lived user access token to query this endpoint, the page access tokens obtained are short-lived as well.
Exchange the short-lived user access token for a long-lived access token using the endpoint and steps explained earlier. By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages. This will also apply when querying with a non-expiring user access token obtained through the deprecated offline_access permission.
http://developers.facebook.com/roadmap/offline-access-removal/
This is referring to the Page access tokens which are used by your app to administer a Facebook Page on behalf of an admin of that page.
These tokens can only access the page itself, or publicly accessible content, you can't use a page access token as a replacement for a user access token.

How to get permanent access token in graph API

I created an APP on Facebook and using graph API explorer, I selected my app from app drop down box, requested access token with manage_pages, offline_access and publish_stream permissions.
Using this access token, I was successfully able to post message on page using restfb APIs but when I log out, it starts throwing The session is invalid error.
I read on few posts that offline_access is deprecated. Could someone tell me how to obtain permanent access token?
Thanks
Looking at the docs at: https://developers.facebook.com/roadmap/offline-access-removal/ this is no longer possible.
Desktop applications will not be able to extend the life of an
existing access_token and the user must login to facebook once the
token has expired.
Otherwise, it is possible to request an access token with a longer expiration. Here are the directions: https://developers.facebook.com/roadmap/offline-access-removal/#extend_token
What kind of Access Token do you need? There are three kinds, User AT, App AT and Page AT.
If you want User AT, it seems you are out of luck. I don't think it's possible anymore. You can only get to 60 days. However, if you need Page AT, you can get a permanent one. The difference is, Page Access Token only has access to a single facebook page.
Basically you need to get User Access Token first, with manage_pages permission. When you have one, you have to look at /{pageId}?fields=access_token for your page's id in Graph API.
For more info look at: facebook: permanent Page Access Token?
you will not get any permanent access token as Facebook developer blog explains. you will be given 60 days long lived access token. Before the expiration Facebook will notify you about the expiry and then you can renew it or you can build your own custom control to get the notification on token expiration which you can fetch from Facebook API.

Facebook Album Access Token Expire every 2 hours

I am implementing a photo album extension inside an umbraco installation. Basically it's just a usercontrol fetching photos from facebook.
I have supplied access_token with the following permissions:
user_photos
offline_access
However, the token seems to be expired after 2 hours. My question is how can I get my token to be valid all the time? Do I need more permissions?
thank you
When retrieving a Facebook access token, an expiration time associated with the access token is also typically returned. If this expiration time is exceeded, your application will need to obtain a new access token (which will also have a new expiration time associated with it). Facebook has an article specifically regarding how to handle expired access tokens here.

Facebook Pages (/me/accounts) access_token Expiration?

Bear with me, I know access_token questions have been asked a thousand times but I can't seem to find an answer to this specific question.
Is there an expiration date for Facebook Page (not app, not user) access tokens?
I know that:
offline_access has been deprecated.
I can request a 60-day user access_token
Step 1: I use Facebook Connect and I get a user access_token which has the manage_pages permission (by default, this token expires in 2 hours, extendable to 60 days)
Step 2: I then call /me/accounts and get an array of the user's pages each one with a listed page access_token
Step 3: I can use the page access_token in subsequent API calls to do things like posting to the user's page.
I need users to be able to schedule page updates to happen in the future (when they will not be online).
So again the question is:
What is the expiration date of the page access_token returned from /me/accounts?
If the expiration date is tied to something, what is it tied to?
Expiration date of the user access_token used when requesting /me/accounts?
60-days from when the request is made to /me/accounts?
I apologize for my confusion, the Facebook documentation seems to fall extremely short in describing these access tokens.
I just created a brand new app. Ensured the deprecate offline access was enabled. Went to explorer, found my new app in the dropdown, granted myself manage_pages, went to me/accounts grabbed one of the page access tokens, and then linted it. Whew! 1 hour expiration.
EDIT
I tried exchanging that 1 hour page token and I got an error from fb.
I went back to the user access token, and exchanged it for a 60 day one. Verified in the linter that it was a 60 day. Went back to me/accounts and grabbed one of the page access tokens and linted it. Suprise! Got a 60 day token from there.
So the moral of the story is, you cannot exchange page tokens, only user tokens. But with a 60 day user token you can get a 60 day page token. :)

Do Facebook Oauth 2.0 Access Tokens Expire?

I am playing around with the Oauth 2.0 authorization in Facebook and was wondering if the access tokens Facebook passes out ever expire. If so, is there a way to request a long-life access token?
After digging around a bit, i found this. It seems to be the answer:
Updated (11/April/2018)
The token will expire after about 60 days.
The token will be refreshed once per day, for up to 90 days, when the person using your app makes a request to Facebook's servers.
All access tokens need to be renewed every 90 days with the consent of the person using your app.
Facebook change announce (10/04/2018)
Facebook updated token expiration page (10/04/2018)
offline_access:
Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
Its a permission value requested.
http://developers.facebook.com/docs/authentication/permissions
UPDATE
offline_access permission has been removed a while ago.
https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/
Try this may be it will help full for you
https://graph.facebook.com/oauth/authorize?
client_id=127605460617602&
scope=offline_access,read_stream,user_photos,user_videos,publish_stream&
redirect_uri=http://www.example.com/
To get lifetime Access Token you have to use scope=offline_access
Meaning of scope=offline_access is that :-
Enables your application to perform authorized requests on behalf of
the user at any time. By default, most access tokens expire after a
short time period to ensure applications only make requests on behalf
of the user when the are actively using the application. This
permission makes the access token returned by our OAuth endpoint
long-lived.
But according to facebook future upgradation the offline_acees functionality will be deprecated for forever from the 3rd October, 2012.
and the user will be given 60 days long-lived access token and before expiration of the access token Facebook will notify or you can get your custom notification functionality fetching the expiration value from the Facebook Api..
Note that Facebook is now deprecating the offline_access permission in favor of tokens for which you can request an "upgrade" to the expiry. I'm just now dealing with this, myself, so I don't have much more to say, but this doc may help:
https://developers.facebook.com/docs/offline-access-deprecation/
I came here with the same question as the OP, but the answers suggesting the use of offline_access are raising red flags for me.
Security-wise, getting offline access to a user's Facebook account is qualitatively different and far more powerful than just using Facebook for single sign on, and should not be used lightly (unless you really need it). When a user grants this permission, "the application" can examine the user's account from anywhere at any time. I put "the application" in quotes because it's actually any tool that has the credentials -- you could script up a whole suite of tools that have nothing to do with the web server that can access whatever info the user has agreed to share to those credentials.
I would not use this feature to work around a short token lifetime; that's not its intended purpose. Indeed, token lifetime itself is a security feature. I'm still looking for details about the proper usage of these tokens (Can I persist them? How do/should I secure them? Does Facebook embed the OAuth 2.0 "refresh token" inside the main one? If not, where is it and/or how do I refresh?), but I'm pretty sure offline_access isn't the right way.
Yes, they do expire. There is an 'expires' value that is passed along with the 'access_token', and from what I can tell it's about 2 hours. I've been searching, but I don't see a way to request a longer expiration time.
since i had the same problem - see the excellent post on this topic from ben biddington, who clarified all this issues with the wrong token and the right type to send for the requests.
http://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/
You can always refresh the user's access token every time the user logs into your site through facebook.
The offline access can't guarantee you get a life-long time access token, the access token changes whenever the user revoke you application access or the user changes his/her password.
Quoted from facebook http://developers.facebook.com/docs/authentication/
Note: If the application has not requested offline_access permission, the access token is time-bounded. Time-bounded access token also get invalidated when the user logs out of Facebook. If the application has obtained offline_access permission from the user, the access token does not have an expiry. However it gets invalidated whenever the user changes his/her password.
Assume you store the user's facebook uid and access token in a users table in your database,every time the user clicks on the "Login with facebook" button, you check the login statususing facebook Javascript API, and then examine the connection status from the response,if the user has connected to your site, you can then update the access token in the table.
Hit this to exchange a short living access token for a long living/non expiring(pages) one:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
log into facebook account and edit your application settings(account -> application setting ->additional permission of the application which use your account). uncheck the permission (Access my data when I'm not using the application(offline_access)). Then face will book issue a new token when you log in to the application.
Basic the facebook token expires about in a hour. But you can using 'exchange' token to get a long-lived token
https://developers.facebook.com/docs/facebook-login/access-tokens
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
This is a fair few years later, but the Facebook Graph API Explorer now has a little info symbol next to the access token that allows you to access the access token tool app, and extend the API token for a couple of months. Might be helpful during development.
check the following things when you interact with facebook graph api.
1) Application connect URL should be the base of your "redirect_uri"
connect URL:- www.x-minds.org/fb/connect/
redirect_uri - www.x-minds.org/fb/connect/redirect
2) Your "redirect_uri" should be same in the both case (when you request for a verification code and request for an access_token)
redirect_uri - www.x-minds.org/fb/connect/redirect
3) you should encode the the argument when you request for an access_token
4) shouldn't pass the argument (type=client_cred) when you request for an access_token. the authorization server will issue a token without session part. we can't use this token with "me" alias in graph api. This token will have length of (40) but a token with session part will have a length of(81).
An access token without session part will work with some cases
eg: -https://graph.facebook.com/?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.
But Graph API with "me" alias will work with only token with session part.
I don't know when exactly the tokens expire, but they do, otherwise there wouldn't be an option to give offline permissions.
Anyway, sometimes requiring the user to give offline permissions is an overkill. Depending on your needs, maybe it's enough that the token remains valid as long as the website is opened in the user's browser. For this there may be a simpler solution - relogging the user in periodically using an iframe: facebook auto re-login from cookie php
Worked for me...