Requested to renew an auth token about to expire. Got the new token back but app failed to save it due to bug. Now cannot request a new one because the old one is considered expired. What recourse is available?
Your only recourse here is to have the end-user disconnect their app, and then reconnect it.
Take a look at: https://developers.facebook.com/docs/facebook-login/access-tokens
Also,
Taken from: https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
The token expires after expires time (2 hours is the default).
The user changes her password which invalidates the access token.
The user de-authorizes your app.
The user logs out of Facebook.
Token expires after expires time
This scenario refers to the use case where a user has authorized your app in the past, but the access token that you were issued has expired. When you try to make a Graph API call on her behalf you will get an HTTP 400 with the following error in the body:
{
error: {
type: "OAuthException",
message: "Session has expired at unix time
SOME_TIME. The current unix time is SOME_TIME."
},
}
Scenario 2: User changes her password
This scenario refers to a use case where a user has authorized your app in the past and then she changes the password associated with her Facebook account. In this scenario, when you try to make a Graph API call on her behalf you will get an HTTP 400 with the following error in the body:
{
error: {
type: "OAuthException",
message: "The session has been invalidated because
the user has changed the password.",
},
}
Please note that you will receive this message even if your app was granted the offline_access permission if the user changed their password.
Scenario 3: User de-authorizes your app
This scenario refers to a use case where a user has authorized your app in the past, but then she de-authorizes your app by going to the App Dashboard. In this scenario, when you try to make a Graph API call on her behalf you will get an HTTP 400 with the following error in the body:
{
error: {
type: "OAuthException",
message: "Error validating access token: USER_ID
has not authorized application APP_ID",
},
}
Please note that even if the user had authorized your app with the offline_access permission access tokens will become invalid if the user de-authorizes your app.
Scenario 4: User logs out of Facebook
This scenario refers to a use case where a user has authorized your app in the past and then she logs out of Facebook. If the user authorized your app with the offline_access permission then the Graph API call works as expected. If the user did not grant this permission and you try to make a Graph API call on behalf of the user, you will get an HTTP 400 with the following error in the body:
{
"error": {
"type":"OAuthException","message":"Error validating
access token: The session is invalid because the
user logged out."
}
}
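The scenarios above all end the same way (the user has to go through login again), but the original question shows a second failure mode: the renewed token came back and the app lost it. Here is an added example, not code from the answer or from Facebook, of the two pieces a practitioner would want: a classifier that turns a Graph API error body into a recovery action, and a renewal routine that persists the new token durably (temp file plus atomic rename, read-back check) before treating the old one as replaced, so a save failure leaves the still-valid old token in place and surfaces as an error to retry. Error code 190 and subcode 463 come from the error bodies quoted on this page; the `exchange` callback, file layout and `demo()` data are constructed for the example.

```python
import json
import os
import tempfile

OAUTH_EXCEPTION_CODE = 190      # "code" in the OAuthException bodies quoted on the page
SESSION_EXPIRED_SUBCODE = 463   # "error_subcode" in the "Session has expired" body


def classify_token_error(body: str) -> str:
    """Map a Graph API error body to a recovery action:
    'ok' (no error), 'reauthorize' (user must log in again),
    'deauthorized' (user removed the app; drop the stored token), or 'unknown'."""
    try:
        err = json.loads(body).get("error")
    except (ValueError, AttributeError):
        return "unknown"
    if not err:
        return "ok"
    if err.get("type") != "OAuthException":
        return "unknown"
    msg = err.get("message", "").lower()
    if "has not authorized application" in msg:
        return "deauthorized"
    if err.get("error_subcode") == SESSION_EXPIRED_SUBCODE or "expired" in msg:
        return "reauthorize"
    if any(s in msg for s in ("changed the password", "logged out", "does not match")):
        return "reauthorize"
    # Any other OAuthException with code 190 still means the token is unusable.
    return "reauthorize" if err.get("code") == OAUTH_EXCEPTION_CODE else "unknown"


class TokenStore:
    """Per-user token file. save() writes to a temp file, fsyncs and renames over
    the old file, so a crash mid-write never leaves a truncated or empty store."""

    def __init__(self, path: str):
        self.path = path

    def load(self) -> dict:
        try:
            with open(self.path) as f:
                return json.load(f)
        except FileNotFoundError:
            return {}

    def save(self, tokens: dict) -> None:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)


def renew_token(store: TokenStore, user_id: str, exchange) -> dict:
    """Exchange the stored token for a new one via `exchange(old_token) -> dict`
    (hypothetical callback standing in for the Graph API exchange call) and
    persist it before returning. If saving fails, the old token is untouched and
    still valid until its own expiry, so the caller can retry the renewal."""
    tokens = store.load()
    new = exchange(tokens[user_id]["token"])
    tokens[user_id] = new
    store.save(tokens)
    if store.load()[user_id]["token"] != new["token"]:   # read-back check
        raise RuntimeError("renewed token was not persisted")
    return new


def demo() -> dict:
    """Constructed walk-through: one successful renewal, then one whose save fails."""
    path = os.path.join(tempfile.mkdtemp(), "tokens.json")
    store = TokenStore(path)
    store.save({"u1": {"token": "OLD", "expires_at": 1000}})
    renewed = renew_token(store, "u1", lambda t: {"token": "NEW_" + t, "expires_at": 2000})

    class FailingStore(TokenStore):       # simulates the bug from the question
        def save(self, tokens):
            raise OSError("disk write failed")

    failed = False
    try:
        renew_token(FailingStore(path), "u1", lambda t: {"token": "LOST", "expires_at": 3000})
    except OSError:
        failed = True
    return {"renewed": renewed["token"], "save_failed": failed,
            "still_stored": store.load()["u1"]["token"]}
```

Persisting first and reading back is what distinguishes this from the failure in the question: the new token is only considered "received" once it is durable.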
I'm confused about this error (taken from the Facebook documentation):
Access Token invalidated due to the person logging out or changing their password
{
"error": {
"message": "Error validating access token: The session is invalid
because the user logged out.",
"type": "OAuthException",
"code": 190
}
}
If the access token becomes invalid, the solution is to have the person log in again, at which point you will be able to make API calls on their behalf once more. The login flow your app uses for new people should determine which method you need to adopt.
This is the case: users visit my site and log in with Facebook -> I obtain a user access token -> I exchange this short-life user token for a 60-day token -> every day a cron job makes a call to Facebook to get like counts of some of the user's posts using the long-life token I have retrieved from Facebook.
It works, but maybe some days later, if a user hits the logout button on his Facebook profile page, my long-life token stops working and returns the error.
My question is: if the user logs back in on his Facebook profile page, will my long-life token start working again? Or does the user need to visit my site again and log in again to give me another short-life token that I can exchange for a new long-life token?
If I need to request a new long-life token, is there an alternative I can use to keep a token valid for at least a month without asking the user to log in again?
I am facing this error with some of my users, the case is as following:
I use the Facebook "App access token" to post actions to Facebook Open Graph instead of the user access token, because the app access token doesn't expire according to the Facebook documentation unless you refreshed the app secret. I use the following POST URL to post actions:
https://graph.facebook.com/user_facebook_id/App_Namespace:action_name?FBOG_Object=FBOG_OBJECT_URL&access_token=app_access_token
Some of the actions do appear on facebook, but for some users the actions fails to post and return the following message:
{ "error": { "message": "Error validating access token: Session has expired at unix time 1345759200. The current unix time is 1345925578.", "type": "OAuthException", "code": 190, "error_subcode": 463 } }
What am I doing wrong? Why do I have an expiration error although am using the app access token? Should I worry for user permissions?
After checking the servers it seems that the code that uses the app token was not deployed and the code that uses the user token is still there.
The app token does not expire unless the app owner took some action.
https://developers.facebook.com/docs/authentication/applications/
Error message clearly shows that your access token expired and you need to get another one.
However you can handle this issue : Access token expiration
Also if you are looking for a long life token you need to provide some more parameters while authorizing the application to a new user.
offline_access parameter can be included in a request but now it's been deprecated by facebook. Removal of offline access
There is documentation for test users in the Facebook Developer online documentation but how do you delete actual users where the application doesn't show in their app list anymore? This is with the knowledge of the access_token and facebook_user_id.
Used to delete Test Users:
https://graph.facebook.com/893450345999?method=delete&access_token=A2ADI1YMySweBABBGrWPNwKMlubZA5ZCrQbxwhtlEd9FIQUrOVjsGD3mnIWEbUhzDz7dkuBekMFdHvjvJ9CZAU7EMSSaZBsgN60FkMCi3AAZDZD
Running the test user link produces the following error:
"error": {
"message": "(#100) Can only call this method on valid test users for your app",
"type": "OAuthException",
"code": 100
}
You are looking for application de-authorization:
You can de-authorize an application or revoke a specific extended permissions on behalf of a user by issuing an HTTP DELETE request to PROFILE_ID/permissions with a user access_token for that app.
permission - The permission you wish to revoke. If you don't specify a permission then this will de-authorize the application completely.
To achieve this, issue a request to:
https://graph.facebook.com/me/permissions?method=delete&access_token=...
Once the application is de-authorized it will not appear in the list of the user's applications.
Update December 2021
Follow the reference for Requesting & Revoking Permissions:
To remove single permission issue a DELETE request to /{user-id}/permissions/{permission-name} passing user access token or an app access token
To de-authorize an app completely issue similar request to the /{user-id}/permissions endpoint
Real users 'delete' themselves from your app when they remove your app from their account, you don't have to do anything.
If you would like to know when users de-authorize your app like this, you can specify a Deauthorize Callback URL in your app's settings. As described in the docs at https://developers.facebook.com/docs/authentication/:
Upon app removal we will send an HTTP POST request containing a single parameter, signed_request, which, once decoded, will yield a JSON object containing the user_id of the user who just deauthorized your app. You will not receive an user access token in this request and all existing user access tokens that were previously issued on behalf of that user will become invalid.
UPDATE: To remove your own app from the user's authorized applications, issue an HTTP DELETE to https://graph.facebook.com/[userid]/permissions?access_token=... as per https://developers.facebook.com/docs/reference/api/user/.
Typically Graph API calls also support doing an HTTP POST with an extra parameter, method=DELETE, in case DELETE calls are not possible/supported.
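The Deauthorize Callback described above delivers a `signed_request`; the part a defender cares about is that the POST is verified before any stored tokens are dropped, otherwise anyone who can reach the callback URL can log users out of your app. The following is an added example, not the answer's own code or Facebook's: it checks the HMAC-SHA256 signature over the base64url payload with the app secret using a constant-time comparison, rejects payloads that do not declare that algorithm, and only then removes the user's stored tokens. `APP_SECRET`, `make_signed_request` (used only to construct a sample callback body) and the in-memory `token_db` are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

APP_SECRET = b"hypothetical-app-secret"   # placeholder; the real value comes from the app settings


def _b64url_decode(s: str) -> bytes:
    """base64url without padding, as used in signed_request."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request: str, app_secret: bytes) -> dict:
    """Verify `sig.payload` and return the decoded payload, or raise ValueError.
    The signature is HMAC-SHA256 over the encoded payload string, keyed with the app secret."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
    except ValueError:
        raise ValueError("malformed signed_request")
    expected = hmac.new(app_secret, payload_b64.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")           # constant-time compare
    data = json.loads(_b64url_decode(payload_b64))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    return data


def make_signed_request(payload: dict, app_secret: bytes) -> str:
    """Constructed for the example: builds the body the callback would deliver."""
    payload_b64 = _b64url_encode(json.dumps(payload).encode("utf-8"))
    sig = hmac.new(app_secret, payload_b64.encode("ascii"), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + payload_b64


def handle_deauthorize(form_signed_request: str, token_db: dict, app_secret: bytes) -> str:
    """Callback handler: verify, then discard every stored token for that user.
    Returns the user_id whose tokens were dropped. Raises on an invalid request,
    in which case token_db is left untouched."""
    data = parse_signed_request(form_signed_request, app_secret)
    user_id = str(data["user_id"])
    token_db.pop(user_id, None)   # tokens for this user are already invalid server-side
    return user_id


def demo() -> dict:
    """Constructed run: a genuine callback removes the token, a forged one is rejected."""
    token_db = {"12345": {"token": "EAAB...sample", "expires_at": 9999}}
    genuine = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "12345",
                                   "issued_at": 1700000000}, APP_SECRET)
    removed = handle_deauthorize(genuine, token_db, APP_SECRET)
    forged = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "67890"},
                                 b"wrong-secret")
    token_db["67890"] = {"token": "other", "expires_at": 9999}
    rejected = False
    try:
        handle_deauthorize(forged, token_db, APP_SECRET)
    except ValueError:
        rejected = True
    return {"removed": removed, "rejected": rejected, "remaining": sorted(token_db)}
```

Because the signature covers the encoded payload rather than the decoded JSON, the verification must be done on the raw string exactly as received, before any parsing.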
To do it:
You must have the user access token.
Visit https://developers.facebook.com/tools/debug/accesstoken/ and debug the user access token.
Copy App-Scoped User ID
Via API call HTTP DELETE to https://graph.facebook.com/[App-Scoped User ID]/permissions?method=delete&access_token=[YOUR-APP-ACCESS-TOKEN]
I am using the Graph API for an app that chooses a "fan of the week" for Facebook pages and announces them automatically to their feed.
For the purpose of announcing the fan on the feed, I store the OAuth access token for the user who installed the app. However sometimes the tokens get invalidated and then the app will fail to post to the feed.
{
"error" : {
"message" : "Error validating access token: The session has been invalidated
because the user has changed the password.",
"type" : "OAuthException"
}
}
Here is another type of error I also get sometimes:
{
"error": {
"message": "Error validating access token: Session does not match
current stored session. This may be because the user changed the
password since the time the session was created or Facebook has changed
the session for security reasons.",
"type": "OAuthException"
}
}
I already have the "offline_access" for these users, but the tokens are still becoming invalid sometimes. Is there anything else I can do to prevent this from happening, besides sending the user an email asking them to visit the app page again so that I could get a new OAuth token?
There's no way around this that doesn't require user intervention of some kind. If it's an app or page users are unlikely to visit frequently, then sending that e-mail sounds like a good idea. When users visit the page or app you can use the FB Javascript SDK, which automatically refreshes sessions, and subscribe to the FB.Event.subscribe('auth.sessionChange') with a handler that updates the token in your database.
If you are trying to publish to a user's feed and you have the publish_stream permission which hasn't been revoked, you can most likely still publish to /userId/feed using an access_token in this format: appid|appsecret. Note that /me will obviously not work because you are using the application's access token.
If I use Safari to authorize the user with Facebook everything works, but if I use the native application I get this error:
{
"error": {
"type": "OAuthException",
"message": "Error validating access token: Session has expired at unix time 1315843200. The current unix time is 1315919174."
}
}
If I try to log out and then log in again, I get the same access token. How can I resolve this problem?
If you get an OAuthException you simply need to reauthorize.
Also, when your app starts you need to make a call to the Graph API "me" endpoint, and if you get an exception you simply need to re-authorize; then you proceed with the regular workflow of API calls.
You can make your access_token not to expire by requesting offline_access extended permission, but it still might be invalidated.
hope this helps