after searching and reading the official docs on extending tokens I don't get a clear pciture if there's a better way to refresh long-lived access tokens from a native desktop app than prompting the user to login and authorize url again. This call is not allowed for dektop apps:
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
So the only choice I find now is detect if token is about to expire and when true redirect user to login page to re-authorize my app, not very comfortable, do you know of any other method?
According to your question you want to refresh long lived token.The service you want to hit is to get long lived from short lived token which you have got from authentication flow, rather than refreshing existing long lived token
You can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token.
After doing the above you will obtain a new short-lived token and then you need to perform the same exchange for a long-lived token.
Refer https://developers.facebook.com/docs/facebook-login/access-tokens to get details in depth
Related
I want to pull my most recent images from facebook's api for my personal website. I cannot seem to find a way to only authenticate my user without the login dialog. Does anyone know if this is possible? I can generate my user access token inside the graph API Explorer, but it expires in 1 hour.
How to get my own Facebook user access token indefinitely
You cannot!
But you can extend this token that will be valid for 60 days - called the long-lived token. So, if a user visits your application at least once in 60 days you can have the access to user's data indefinitely.
Simple call to get the long-lived user access token-
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
Refreshing this token- The user have to go through the login process again (calling login API) to get the short-lived token and then perform the same exchange for a fresh long lived token with 60 days expiry.
You can also debug your token anytime with-
GET /debug_token?
input_token={input-token}&
access_token={access-token} // a valid user access token or app access token
I have this code:
$facebook->api("/oauth/access_token?grant_type=fb_exchange_token&client_id=".$facebook->getAppId()."&client_secret=".$facebook->getAppSecret()."&fb_exchange_token=".$user->getFacebookAccessToken());
it does not throw any exception, but it returns null. I am trying to extend a short-lived Facebook User Access Token to be a long-lived Facebook User Access Token. However, after I have generated a new token and calling this request while the new token was still alive, I have waited for a few hours and started a browser where I was not logged in with my facebook account. Then I have logged in with a test user (to the application, not to Facebook), but unfortunately it was directing me to the Facebook login, which means that the Facebook User Access Token was somehow invalidated.
I was working based on the doc found here.
So, can someone enlighten me how should I send the request so Facebook will really extend the token's life cycle? Also, I am not sure how can I determine whether I have successfully extended the life cycle of a Facebook User Access Token. (I am not a Facebook fan, to say the least and I am new to the Facebook API too).
Thanks, guys.
EDIT:
I have read this article and copied the setExtendedAccessToken method into my class with a few modifications to support my logic. Now the code which tries to extend the life cycle of the User Facebook Access Token is as follows:
$facebook->setExtendedAccessToken($user->getFacebookAccessToken());
Now it returns an array of two elements, the token and the expiry date. The expiry date is "5174078". I believe I am on the right track to solve this problem, am I?
Here's what I think you should be doing:
An FB user, logged in, comes to your site and you get a short-lived token for them via the client side flow in the Javascript SDK or a long-lived token via the server-side flow with the PHP or some other SDK (it appears you are doing the first of these already)
If it was a short-lived token, extend it and get a long-lived token via the API call to exchange the token (it appears you're doing this too)
Save long-lived token to your database (not sure if you're doing this)
When the user comes back to your app at some other point, logs in to your app via your own login system, but is not logged in to Facebook, you use the cached token from your database in ->setAccessToken() and then make calls to the Facebook API on their behalf
i think step 4 is your problem; I suspect you're seeing the user is logged-out of Facebook and sending them through the Facebook auth process again instead of having them log into your app via your own login mechanism, and reusing the token you stored before.
This is perfectly fine, but in that case there's no need for you to store the tokens, and you could do this all 'live' and require your users to be still logged into Facebook to fetch a new token 'live' instead of caching the token you obtained on their previous visit to your app.
Just as an FYI cause I've been stumbling around with access token for the last 45 minutes. Via facebook's documentation:
https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/
which seems to be a little dated, I was able to manually extend my existing short lived access token with:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
When an event is created on our system I want to create the event on Facebook via our page. This is an entirely server-side process with no user interaction.
I've linked my page to my app, grabbed the "app token" for my application from https://developers.facebook.com/tools/access_token and tried to create an event by POSTing to /mypage/events but I just get (OAuthException - #1) An unknown error has occurred.. I'm assuming app tokens don't have access to create events for my page.
I can use a page token but this expires after 60 days and I'll have to keep updating the token. Is there a way to have this token last forever? I can renew it in code but it requires a user access token.
What's the best way to go about this?
You cannot use an app token to create an event on behalf of a page. You must use a page token and if you follow scenario 5 listed at https://developers.facebook.com/roadmap/offline-access-removal/, the page token will have no expiry.
Exchange the short-lived user access token for a long-lived access token using the endpoint and steps explained earlier. By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages. This will also apply when querying with a non-expiring user access token obtained through the deprecated offline_access permission.
While reading Facebook's post regarding offline_access permission removal, I was thoroughly confused by their reference to short-lived and long-lived access tokens.
This page mentioned
The duration for which a given access token is valid depends on how it
was generated
But I failed to find any further information.
Anyone has insights on how this determination process works in detail?
The access token your app gets for a Client-Side authentication is short lived (about 2 hours), but you can extend it and get a long lived token using the new endpoint with a valid access token.
In the Handling Invalid/Expired Access Tokens it says under Desktop Web and Mobile Web apps which implement authentication with the Javascript SDK:
Calling FB.getLoginStatus() or ensuring status: true is set when you
call FB.init() means that the next time a user lands on your
application and is signed into Facebook, the authResponse object you
are passed as a result of those calls will contain a fresh, valid
access token.
In this case, its simply the act of the user using your application
which implicitly generates a new access token.
If you use the Server-Side authentication flow then you will automatically get a long lived token (about 60 days) automatically.
When that expires you have to send the user to re-authenticate in the same flow (code exchanging).
You can of course use both methods and that way you can get a long lived token in the server and a short lived token in the client.
As I understand it, this is the basic process for new Facebook iframe canvas apps using the OAuth2 API in a nutshell:
Redirect to (or have user click link to) app's authorization URL
User authorizes and is redirected to your callback URL
Callback uses "code" parameter to get a access token
Access token is used with Graph API to pull or push information
The problem is that access tokens expire relatively quickly and need to be "refreshed", so my questions are 1) how do you detect that the token has expired aside from trying to use it and simply getting an error? and 2) what is the best practice for obtaining a new token?
Currently, I just detect that there was an error trying to get the user's information with their access token, then redirect to the authorization URL again -- since they already authorized the app a blank page flashes by and they are redirected back to my app callback where I get a fresh token. It's so clunky I can't believe this is the proper method.
The only way to tell if a cookie is valid is to use it and catch the error if it is expired. There is no polling method or anything to check if a token is valid.
To get a new token, simply redirect the user to the authentication page again. Because they have already authorized your app they will instantly be redirected back to your app and you will have a new token. They won't be prompted to allow since they have already done that.
In short, there are no tricks to this. You are already doing it correctly.
Recently, facebook has made some changes to access tokens which allows them to be refreshed periodically.
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
For more details, check here: https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal
//you just need more step because the access token you are getting will expire in 1 hour
//you can overcome this in step 5
1-Redirect to (or have user click link to) app's authorization URL
2-User authorizes and is redirected to your callback URL
3-Callback uses "code" parameter to get a access token
4-Access token is used with Graph API to pull or push information
5-exchange short-lived access token you just got with 60 day access token
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN
6-after 60 day the user must login again to your app and the steps from 1-5 will be repeated.
--the real problem you will face is how to make the user visit your app page again
Facebook has removed the feature of refresh the access token on the "behalf of" mode. The best and easy way is to redirect the user to facebook login page to re-oauth the app.
Find facbook doc here
if user has already authorized your application and access token expired. you can redirect user to authentication page again. but oauth dialog doestn't show because user already authorized your application. he will redirect to redirect_url parameter you used.