Facebook: Refreshing long-lived access token automatically - facebook

I'm storing long-lived access tokens for users of my application that have associated their Facebook accounts to it. Since the demise of the offline_access tokens, these long-lived tokens have an expiry date of "about 60 days." However, they can refresh themselves when the user interacts with Facebook. According to the documentation:
These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
What I'd like to know is what constitutes making a request to Facebook's servers. Does the user have to log in to the Facebook website, mobile app, or use a Like button somewhere? Or does my application making a request on behalf of the user count as well?
Also, when the tokens are refreshed, are they refreshed for another 60 days? Or are they refreshed for a smaller duration?
I wasn't able to find these specific answers in the documentation or in other questions asked here, so thanks in advance to anyone who might have more details.

Every time you use Facebook SDK so it makes any Graph API call, tokens will be refreshed. You can see this in their source code, in AccessTokenManager there is function extendAccessTokenIfNeeded(), and that function is called inside GraphRequest in function executeConnectionAndWait().
You can also manually refresh tokens by calling:
AccessToken.refreshCurrentAccessTokenAsync();
I found one exception to this. Only sso tokens can be refreshed, which means if user logged in to your app via facebook app. If user logged in via browser, token will remain the same.

The previous line to the one you pasted is important:
Native mobile applications using Facebook's SDKs will get long-lived access tokens, good for about 60 days
The section you pulled out refers only to iOS and Android apps using the Facebook SDK - the SDK makes an API call to extend the token, which will only work from the SDK and for tokens produced by the native mobile SDKs-
Other apps (e.g websites, apps on facebook.com) need to use the login flows documented elsewhere in the documentation and require the user to be logged into Facebook in their browser

Related

Facebook Limited login and retaining the access token between sessions

Should the limited login store the access token for future session?
I'm transferring my iOS app from classic login to limited login. But I can't get the auto-re-login to work.
Re-login with classic works correctly as docs says. "The FBSDKLoginManager sets this token for you and when it sets currentAccessToken it also automatically writes it to a keychain cache." The app r-logins correctly.
But with limited login it seems it doesn't store the token. Should is store? The docs are unclear whether limited login should do this or not.
Best, Hu
Let's start with some points to proceed:
Limited Login mode doesn't provide you an Access Token. It provides you an Authentication Token. It's a regular JWT you can parse, but you are not able to use it for FB Graph API requests;
You can get the basic information about the user just by decoding this Authentication Token or using FB SDK right after signing in;
Currently, this token has an expiration of 1 hour, but you don't really need to refresh it every hour unless you need to get an update of the user information (for instance, to fetch a changed name, email, or a list of friends);
As you can see in the official blog post of Facebook, to refresh a token with information inside it, you need to re-authenticate a user, so call an SDK method to show FB popup. Reference: FB: Announcing expanded functionality in Limited Login
Currently, the official documentation is really unclear and has just a couple of pages related to the Limited Login mode. So if you still have any other questions, feel free to ask, I'll update the post.

Facebook - when does the SDK refresh the auth token?

According to the Facebook docs, mobile SDKs generate long lived tokens which are refreshed once per day when the person using your app makes a request to the Facebook servers. For the javascript SDK, short-lived tokens are generated and are refreshed periodically.
I'm curious as to what is meant by "the person using your app makes a request to the Facebook servers". Which calls specifically will cause the token to be refreshed? Or more importantly, which calls won't? Is it enough to check the login status or is something more active required? What I'm really interested in is keeping the token alive (or getting a new one) without sending the user back through the login flow, or doing anything that's particularly active with Facebooks APIs.
Thanks!
According to Facebook SDK Docu
Once a token expires ("auto" extend of Facebook SDK Token)
At any point, you can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token
THERE IS no keep alive functionality in Facebook SDK.
User access tokens come in two forms: short-lived tokens and long-lived tokens. Short-lived tokens usually have a lifetime of about an hour or two, while long-lived tokens usually have a lifetime of about 60 days. You should not depend on these lifetimes remaining the same - the lifetime may change without warning or expire early. See more under handling errors.
long-lived = 60 days
Short-lived = 2 hour
Also according to Facebook SDK Docu
Mobile apps that use Facebook's mobile SDKs get long-lived tokens.
Once you force a user for a new oAuth/login, he will receive a new token. The old one will not expire. You are able to check the loginStatusby FB.getLoginStatus. No need for a keep alive.
The SDK will refresh the access token for you when an actual graph request is made (up to once a day). Any time the token is updated, the AccessTokenTracker will be notified, so you can register a tracker if you want to be notified of updates (e.g. for sending to the server).
If you only make graph requests from your server, then you'll need to handle expiration from there, and either try to extend, or prompt your user to do SSO again to get an updated token.

Handling an expired long lived access token, server side - facebook

In my web app, I need to post on users facebook feed while they are offline. I already store long lived access tokens for the users. But these tokens also expire after 60 days.
The FB docs mention that it is necessary to redirect users to the login flow to get a renewed access token.
I was thinking of checking the facebook session validity of user, whenever they login to my app and to give them the option of re-authenticating facebook in case their access token has expired.
However this will involve user interaction if the user is not currently logged in to his facebook account.
Are there any alternative solutions to look at. Also, how do sites like Quora manage posting to user's wall, without needing to re-authenticate facebook after every 60 days.
PS - I am using the latest facebook php sdk.
Simple Answer: It is not possible to extend the Access Token on the server. It would make the whole concept void.
Earlier there was a permission called "offline access", but they changed it to an extended token with maximum 60 days to avoid those things. You should NEVER post anything on the wall of the user without his authorization, for every single post. You are not allowed to autofill/prefill the message parameter anyway (see Facebook terms), it always must be 100% user generated.
About Quora: i donĀ“t know what exactly they are doing, but i assume they refresh the Access Token whenever the user goes to their website.

Facebook auth always gives me long-lived access token. I don't want it

I use the Facebook PHP SDK to log in users on my website.
I was experimenting with the "long-lived" access token that expires after 2 months instead of 2 hours. Now I can't get rid of it. It is a problem for me, since it gives me access to the graph API even when the user is logged out of Facebook. I use that to determine if a user is logged in on my site, so it becomes impossible to log out.
I have tried changing the app ID and app secret, as well as deleting my facebook and app cookies, using other accounts, but nothing helps.
How can I get the 2 hour access token back, so I can't use the graph API when the user is not logged in?
The server-side authentication flow will always give you a long-lived access token.
If you want a short-lived one, then you have to use the client-side flow (FB.login from the JavaScript SDK).

Extending Facebook server-side access tokens gracefully

I have an application that used to use offline_access, which obviously needs changing since that's going away.
We use this permission to publish messages to the facebook wall of a user when they interact without our backend through any number of APIs. We have a website, several mobile applications on iPhone, Android, Blackberry, and Nokia phones that connect to the application, as well as a desktop application that interfaces with hardware devices and all of these can cause the backend to attempt to publish to facebook, but only the website allows the user to make the initial authorization with facebook.
From what I understand, using server-side authentication gets 60 day long tokens, and the only way to get new tokens is to redo the authentication process which assuming the user hasn't changed password, is logged into facebook, and hasn't de-authorized the application will appear as nothing but a series of automated redirects.
Is there any other way to do this? For example, what exactly does fb_exchange_token do? Is it applicable in this case or does this ONLY apply to tokens received via the javascript API?
Is there anything we can do for these non-website user interfaces aside from incorporate the native facebook APIs and do the same thing for as the website?
Attempting to use fb_extend_token was pretty fruitless. Rerunning the standard authentication returned the same token but with a fresh 60 day expiry time. Doing it again a short while later didn't extend the token. I'm hoping this means I can only do this once a day, not once per token.
Since I was using the server-side flow and the keys would never be seen by the user I was able to rework my app slightly to use my APPLICATION token. These keys belong to your app and allow you to use the API on behalf of a user for as long as they haven't revoked their permission. The user authorization tokens can expire, but as long as the user hasn't explicitly removed your app from the apps they've allowed, your token will continue to allow you to post to the wall using a /user/ URL, the /me/ URLs won't work because your token is bound to your app.
I believe once the deprecation of offline_access is complete, obtaining/exchanging access tokens is the only way to do what you need.
Anyone who had offline access before the deprecation will still be able to use your application normally, for 60 days at least. Once this period is over, you have to re authorize users and extend their access tokens for another 60 days. To do this you have them log in, and authorize your app (if necessary). Then you extend their access token using fb_exchange_token, so it is good for 60 days.
I'm sure you have seen it, but it's all outlined in this article, more specifically the section about previously using offline_access. I also found this post useful for doing an upgrade. Here is another link that further details how to deal with invalid tokens.