I have a small misunderstanding with how FB access token is being refreshed.
I'm using FB JS SDK and every time I visit my page (as well as when I relogin) I get a new short-lived access token.
Then I send it to the server side and exchange it to a long-lived access token.
But despite I get a new long-lived access token, it still expires at the same time as the previous long-lived token. Facebook Access Token Debugger says that token, I've just got, was issued 18 hours ago.
Is this a normal behavior? Or maybe I'm doing something wrong?
Greatly appreciate your help.
It looks like FB refreshes an expiration time of a new long-lived access token if user visits a page in one day after the initial long-lived access token is issued. In this case you can get a short-lived access token and exchange it for a long-lived token, which would have a new expiration time (i.e. 60 days).
Have a look at my answer to a similar question:
Extending 60 days Facebook token
Basically, you can't refresh a long-lived token before it expires.
Related
Do Facebook has a refresh token of OAuth?
I wanna know if there is a refresh token, how long will it be expired? 60days?
And if Facebook don't have refresh token, then can I understand the long live access token as the refresh token, and short live access token as the access token?
Thanks.
Facebook does not provide a refresh token.
Facebook provides two kinds of access tokens,
Short lived access token:
A token that is expired after a short period of time (about 2 hours).
Short lived access tokens are usually used on web clients.
Long-lived access tokens: An access token which has a long life (about 60 days).
Long lived access tokens are usually used on mobile apps and server side.
You can generate long lived access tokens with the Facebook SDKs for Android and iOs, These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after the preset expiry and the person will have to go through the login flow again to get a new token.
It is possible to exchange a valid short lived access token for a long lived access token.
The documentation explains well about the tokens, exchanging methods, call parameters etc..
And if Facebook don't have refresh token, then can I understand the long live access token as the refresh token, and short live access token as the access token?
No.You can't. Refresh token is a token that may be used to obtain a new access token.
Facebook SDKs can refresh an access token at regular intervals before token expiry if connected.
I created facebook app, now access token is for 60 days but i want to extend never expires access token .if you have any information please let me know.
There is no such thing as an access token that 'never expires'. Please read the Access Token Documentation. The best you can do is to get a token which is valid for 60 days and extend it after it has expired.
Native mobile applications using Facebook's SDKs will get long-lived
access tokens, good for about 60 days. These tokens will be refreshed
once per day when the person using your app makes a request to
Facebook's servers. If no requests are made, the token will expire
after about 60 days and the person will have to go through the login
flow again to get a new token.
Access tokens on the web often have a lifetime of about two hours, but
will automatically be refreshed when required. If you want to use
access tokens for longer-lived web apps, especially server side, you
need to generate a long-lived token. A long-lived token generally
lasts about 60 days.
I want to pull my most recent images from facebook's api for my personal website. I cannot seem to find a way to only authenticate my user without the login dialog. Does anyone know if this is possible? I can generate my user access token inside the graph API Explorer, but it expires in 1 hour.
How to get my own Facebook user access token indefinitely
You cannot!
But you can extend this token that will be valid for 60 days - called the long-lived token. So, if a user visits your application at least once in 60 days you can have the access to user's data indefinitely.
Simple call to get the long-lived user access token-
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
Refreshing this token- The user have to go through the login process again (calling login API) to get the short-lived token and then perform the same exchange for a fresh long lived token with 60 days expiry.
You can also debug your token anytime with-
GET /debug_token?
input_token={input-token}&
access_token={access-token} // a valid user access token or app access token
Is it possible to generate an access token to read the feed of a facebook account, where the access token never expires.
From what I understand 60 days is the maximum if the initial login access token is exchanged.
Is it possible to go longer than 60 days?
Now that offline_access is no longer provided, the answer is NO.
There used be a permission called offline_access that let access token works longer for period of time, but it is removed now. Short-term access token and long-term access token are introduced, instead.
When you redirect your potential user to Login Dialog and the user complete his login and app authorization process, user is redirected back to your web page. That's where you get code parameter and you will exchange it for short-term access token, which stays valid for about 2 hours. That should be enough for login purpose.
If you wish to store the token for later use you should acquire long-term access token. I believe this is the one you mentioned. This token lives up to about 60 days as you already figured out and it is the longest.
Currently I am working with long-lived access token (60 day expiration long-lived).
I see a post in facebook I can extend long-lived access token by first getting back short-lived access token and then renewing it to new long-lived token.
I hope this can be done without user getting involved. (user doesn't have to log in and give the permissions again for this process)
Has anybody done this in c#?
It would be greatly appreciated if you can share code or link.
Here is the instruction from facebook website:
"If you would like to refresh a still valid long-lived access_token, you will have to get a new short-lived user access_token first and then call the same endpoint below. The returned access_token will have a fresh long-lived expiration time, however, the access_token itself may or may not be the same as the previously granted long-lived access_token."
And here is some example posted right below the instruction which I am not familiar with how to use:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
Website source: http://developers.facebook.com/roadmap/offline-access-removal/
[…] y first getting back short-lived access token and then renewing it to new long-lived token. I hope this can be done without user getting involved.
No, of course it can not, at least not without any user interaction.
You have to at least have the user visit one of you pages, where you can check his login status client-side and get a short-lived access token in return if he is still connected to your app.