Page access token validity - facebook

From the Facebook documentation:
By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages. This will also apply when querying with a non-expiring user access token obtained through the deprecated offline_access permission.
So, according to the document, a page access token will not expire if we request the page access token using a long-lived user access token.
I want to know whether the page access token will expire when the long-lived access token expires.
What happens to the page access token obtained using a long-lived access token after the long-lived access token has expired (after 60 days)?

Related

Getting different expires_at values for user access token using Facebook Graph API

I have the user log in and grant my app permissions.
In the redirect after the login, I exchange the code for a long-lived token, and with that long-lived token I get an expires_in value.
I then set that expires_in in my database.
I then take this long-lived token and call
https://graph.facebook.com/debug_token?input_token=<lltoken>&access_token=<my app token>
it returns
"data_access_expires_at": 1614276511,
"expires_at": 0,
I am confused why I am getting different expires_at results. Is this not the correct way to determine when a long-lived user access token is going to expire?
Thanks

When is the right time to logout the user using JWT, the time when access token expires or the time when the refresh token expires?

I am using JWT for authenticating users. I can see two types of tokens (access token to make requests to the back-end and refresh token) generated by JWT. So, my question is: when is the right time to log out the user? The time when the access token expires or the time when the refresh token expires?
What is the better way to get the new access token using the refresh token endpoint according to the user's active or inactive state?
The refresh token exists so that your service can keep using the credentials of the user on their behalf even after the access token expires. So if you have a refresh token, there is no need to "logout the user" when their access token expires.
A Refresh Token contains the information required to obtain a new Access Token or ID Token.
Typically, a user needs a new Access Token when gaining access to a resource for the first time, or after the previous Access Token granted to them expires.
https://auth0.com/docs/tokens/refresh-token/current
If you let the access token expire and do not use the refresh token to generate a new access token, the user will have to log in again if you would like to perform some action on their behalf (access a resource using their access token). The user is "logged out" when their refresh token expires. The user does not need to be active for you to use their refresh token.

Does Facebook have a refresh token of OAuth?

Does Facebook have a refresh token of OAuth?
I wanna know, if there is a refresh token, how long until it expires? 60 days?
And if Facebook doesn't have a refresh token, then can I understand the long-lived access token as the refresh token, and the short-lived access token as the access token?
Thanks.
Facebook does not provide a refresh token.
Facebook provides two kinds of access tokens,
Short lived access token:
A token that expires after a short period of time (about 2 hours).
Short lived access tokens are usually used on web clients.
Long-lived access tokens: An access token which has a long life (about 60 days).
Long lived access tokens are usually used on mobile apps and server side.
You can generate long-lived access tokens with the Facebook SDKs for Android and iOS. These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after the preset expiry and the person will have to go through the login flow again to get a new token.
It is possible to exchange a valid short lived access token for a long lived access token.
The documentation explains the tokens, exchange methods, call parameters, etc. well.
And if Facebook doesn't have a refresh token, then can I understand the long-lived access token as the refresh token, and the short-lived access token as the access token?
No. You can't. A refresh token is a token that may be used to obtain a new access token.
Facebook SDKs can refresh an access token at regular intervals before token expiry if connected.

What's the purpose of the refresh tokens in API of a mobile app

I'm developing a mobile app using angularjs, node.js, mongodb, passportjs, express... I'm implementing the bearer strategy with bearer tokens.
When a user is using the app (the access token is created immediately after the user logs in), I would like to understand when the API must refresh it or when the access token must expire.
Refresh token is used when access token expires. It's up to you when you expire the access token, but usually the lifetime of an access token is one hour. When the access token expires, the refresh token can be used to obtain a new access token. For more information, please refer to the OAuth 2.0 RFC.
Refresh token:
Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).
Expiration:
expires_in
RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
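The lifecycle described in the two refresh-token threads above, as an added example that is not part of the original answers: it converts `expires_in` into an absolute deadline and decides between using the access token, refreshing it, and sending the user back to login. The function names, the 30-second margin and the 14-day refresh lifetime are assumptions made for illustration.

```javascript
// Added example; names and lifetimes are hypothetical, not from any SDK.
const SKEW_SEC = 30; // refresh slightly before the stated expiry

// Record a token-endpoint response. expires_in is relative to the time the
// response was generated, so convert it to an absolute deadline right away.
function storeTokens(resp, nowSec, refreshTtlSec, prev = null) {
  const rotated = resp.refresh_token != null;
  return {
    accessToken: resp.access_token,
    accessExpiresAt: nowSec + resp.expires_in,
    // A refresh response may omit refresh_token: keep the old one and its
    // old deadline instead of silently extending the session.
    refreshToken: rotated ? resp.refresh_token : prev ? prev.refreshToken : null,
    refreshExpiresAt: rotated ? nowSec + refreshTtlSec
                              : prev ? prev.refreshExpiresAt : 0,
  };
}

// Decide what the client must do before its next API call.
//   "use"     -> access token still valid
//   "refresh" -> access token expired, refresh token still valid
//   "login"   -> both expired: this is the point where the user is logged out
function nextAction(session, nowSec) {
  if (nowSec < session.accessExpiresAt - SKEW_SEC) return "use";
  if (session.refreshToken && nowSec < session.refreshExpiresAt) return "refresh";
  return "login";
}

// Constructed sample: 1-hour access token, 14-day refresh token.
const REFRESH_TTL = 14 * 24 * 3600;
const t0 = 1700000000;
const first = storeTokens(
  { access_token: "at-1", expires_in: 3600, refresh_token: "rt-1" }, t0, REFRESH_TTL);
const renewed = storeTokens(
  { access_token: "at-2", expires_in: 3600 }, t0 + 3600, REFRESH_TTL, first);

console.log(nextAction(first, t0 + 60));            // use
console.log(nextAction(first, t0 + 3600));          // refresh
console.log(nextAction(renewed, t0 + 3700));        // use
console.log(nextAction(renewed, t0 + REFRESH_TTL)); // login
```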

How can I get permanent page access token?

I'm an admin for a Facebook page. I want to handle a server-side job scheduler which posts at specific times into that Page using the Facebook Graph API.
I'm using this code to do that job: $facebook->api("/$page_id/feed","post",$args); and it is working fine for me.
But I have a problem related to the Page Access Token. I need to have a permanent Page Access Token that works forever, so I don't have to update the access token every specific time, because it will be a server-side job scheduler with no GUI for it.
Any suggestion about how to get Permanent Page Access token?
Note: I followed the steps in the Facebook documentation,
but I have 3 wonderings about it:
Shall I have a Facebook app to get Long-Lived Page Authentication??
I don't have that option in my Facebook app advanced settings: "deprecate offline_access"??
Is 60 days the max valid duration which I can give to the Page Access Token .. can't it become permanent forever??
Earlier people could use offline_access permission to obtain a permanent token. But it looks like Facebook is deprecating this particular permission. Instead, you first need to obtain a short-lived token, then exchange it for a long-lived token, which remains valid for 60 days. Same goes for page tokens.
When a user grants an app the manage_pages permission, the app is able
to obtain page access tokens for pages that the user administers by
querying the [User ID]/accounts Graph API endpoint. With the migration
enabled, when using a short-lived user access token to query this
endpoint, the page access tokens obtained are short-lived as well.
Exchange the short-lived user access token for a long-lived access
token using the endpoint and steps explained earlier. By using a
long-lived user access token, querying the [User ID]/accounts endpoint
will now provide page access tokens that do not expire for pages that
a user manages. This will also apply when querying with a non-expiring
user access token obtained through the deprecated offline_access
permission.
https://developers.facebook.com/roadmap/offline-access-removal/
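A server-side scheduler can check what lifetime a stored token actually has by reading the debug_token response quoted in the expires_at question earlier on this page. The following is an added example, not code from the original posts: it treats `expires_at` of 0 as "no expiry time set for the token" and tracks `data_access_expires_at` as a separate clock. The function names, state labels and the 7-day warning window are assumptions, and all input values except the two fields quoted in that question are constructed.

```javascript
// Added example; every token and response value here is a constructed sample.
const DAY = 24 * 60 * 60;

// Build the debug_token request from the question above (placeholders only).
function debugTokenUrl(inputToken, appToken) {
  const u = new URL("https://graph.facebook.com/debug_token");
  u.searchParams.set("input_token", inputToken);
  u.searchParams.set("access_token", appToken);
  return u.toString();
}

// Classify the "data" object of a debug_token response for a scheduler.
// nowSec is passed in so the result is deterministic.
function classifyToken(data, nowSec, warnDays = 7) {
  const r = { state: "ok", tokenExpiresAt: null, dataAccessDaysLeft: null };
  // expires_at and data_access_expires_at are two separate clocks.
  if (data.data_access_expires_at > 0) {
    r.dataAccessDaysLeft = Math.floor((data.data_access_expires_at - nowSec) / DAY);
  }
  if (data.is_valid === false) { r.state = "invalid"; return r; }
  if (data.expires_at > 0) {            // 0 means no fixed expiry for the token
    r.tokenExpiresAt = data.expires_at;
    if (data.expires_at <= nowSec) r.state = "expired";
    else if (data.expires_at - nowSec <= warnDays * DAY) r.state = "expiring";
  }
  if (r.state === "ok" && r.dataAccessDaysLeft !== null && r.dataAccessDaysLeft <= 0) {
    r.state = "data-access-expired";    // hypothetical label for this example
  }
  return r;
}

const now = 1606500511; // constructed "current time"
// The two fields quoted in the question above:
const fromQuestion = classifyToken(
  { data_access_expires_at: 1614276511, expires_at: 0 }, now);
// Constructed: a token three days from expiry.
const soon = classifyToken({ is_valid: true, expires_at: now + 3 * DAY }, now);

console.log(fromQuestion); // state "ok", tokenExpiresAt null, 90 days of data access
console.log(soon.state);   // expiring
```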