Facebook: OAuth deauthorization inconsistent - facebook

I'd like to preface our problem by saying we are using a server-side flow to get the OAuth tokens, therefore getting long-lived tokens by default.
The problem: We've noticed through newer users that when they log out of Facebook (from anywhere) the OAuth tokens we have saved for them become deauthorized. However, my Facebook account, and others at our company, are not deauthorized when they log out. What could account for this difference? (Note: on my Facebook account I've tried removing our application so I could 'start from scratch', so I don't have offline_access or anything like that.)
Ideally our users would not be deauthorized when they log out.
Thanks for any insight,
Luke
EDIT: These tokens also expire within a couple of hours. It seems like we might be getting short-lived tokens even though we are obtaining them through the server side?

It seems there was an issue with the application within Facebook; we created a new application listing in Facebook and migrated to using this new client ID, and we have not seen the error since.
Just responding here in case anyone else encounters this issue.

Related

How can I get a permanent access token to post to a Facebook page that I own?

I am the administrator of a Facebook Page. I am building a web app which, under certain circumstances, will post on Facebook as that Page.
With most APIs, I would just get an API key, and supply that when connecting to the API from my app. But Facebook expects an access token instead of an API key. (Specifically, in this case, it needs a "page access token".)
I am trying to figure out how to get a page access token that will be as permanent as possible.
After jumping through a bunch of esoteric, undocumented hoops (see here and here) in order to get a token that wouldn't expire, I had this working. When I ran the token through Facebook's Access Token Debugger, the "Expires" field read "Never". All was good in the world.
But, the next day, my token became invalid anyway. The Access Token Debugger, and my app's calls to Facebook's PHP SDK, both started returning this error:
Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.
It seems that a token can become invalid for a variety of reasons (but this article is five years old, so who knows – Facebook changes things every two weeks). I had not changed my password. (I might have logged out of Facebook, though.) Facebook offers no specifics about why this particular token might have become invalid.
I've also seen a few references to a permission called offline_access, but Facebook seems to have removed this.
I suppose my question is twofold:
In general, I've found Facebook token authentication to be incredibly brittle when calling the Facebook API from the server. The token system seems to be designed mainly to allow other users to grant (or revoke) various kinds of account access to my apps. But that's not what I'm doing – I'm trying to get a token that will let me post to a page that I own. And for that scenario, Facebook's aggressive invalidation of tokens becomes a serious liability. I can't launch my app if my access token (and therefore my Facebook integration) could randomly stop working at any moment, requiring me to generate a new token and update the app. This seems absurd. Is there an alternative method of authenticating to Facebook for my purposes?
If a page access token is, in fact, the best way to authenticate my app to Facebook in order to post as my Page: how can I ensure that my token doesn't spontaneously become invalid?
I hate developing for Facebook :/ Thanks for any insight you can offer.
Extended Page Tokens are valid forever. They only get invalidated if you change your password or if you change the App Secret of your App. There's really no magic in it; checking if the Token is still valid is obviously not a bad idea, but that's up to you. For example, you can send yourself an automated email when there is an error using the Token, so you can refresh it. But it will really just happen if you change your password.
Links:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
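The two threads above turn on the same question: did the exchange for a long-lived token actually happen, and what does the token debugger say about the result? The following is an added example, not code from any of the posts, that performs the fb_exchange_token exchange, inspects the result through /debug_token with the app access token (APP_ID|APP_SECRET), and classifies it the way the posters did by hand (expires in hours, expires in about 60 days, or "Never"; issued for a different app ID, which matches the first thread's fix of switching client IDs). The HTTP transport is an injected function so the block runs offline against constructed responses; the app ID, secret, token strings and timestamps are constructed values, and the unversioned graph.facebook.com host is an assumption taken from the posts.

```python
"""
Added example (not code from the original posts): exchange a short-lived user
token for a long-lived one with fb_exchange_token, then read the result back
through /debug_token to confirm what you actually got. The HTTP transport is a
function argument so the example runs offline; urllib_transport is the real one.
"""
import json
import time
from urllib.parse import urlencode
from urllib.request import urlopen

GRAPH = "https://graph.facebook.com"  # unversioned host, as used in the posts above


class GraphError(Exception):
    """Raised for any {"error": {...}} payload; carries Facebook's code/subcode."""

    def __init__(self, error):
        super().__init__(error.get("message", "unknown Graph API error"))
        self.code = error.get("code")
        self.subcode = error.get("error_subcode")


def urllib_transport(url):
    """Real transport: GET the URL and return the response body as text."""
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def graph_get(path, params, transport):
    payload = json.loads(transport(f"{GRAPH}{path}?{urlencode(params)}"))
    if "error" in payload:
        raise GraphError(payload["error"])
    return payload


def exchange_for_long_lived(short_token, app_id, app_secret, transport):
    """GET /oauth/access_token?grant_type=fb_exchange_token -> (token, expires_in seconds)."""
    data = graph_get("/oauth/access_token", {
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_token,
    }, transport)
    return data["access_token"], int(data.get("expires_in", 0))


def inspect_token(token, app_id, app_secret, transport):
    """GET /debug_token with the app access token (APP_ID|APP_SECRET) to inspect any token."""
    data = graph_get("/debug_token", {
        "input_token": token,
        "access_token": f"{app_id}|{app_secret}",
    }, transport)["data"]
    return {
        "is_valid": bool(data.get("is_valid")),
        "app_id": str(data.get("app_id", "")),
        "expires_at": int(data.get("expires_at", 0)),  # 0 shows as "Never" in the debugger
        "scopes": list(data.get("scopes", [])),
    }


def classify(info, app_id, now=None):
    """Turn /debug_token output into the one fact the posts above care about."""
    now = int(time.time()) if now is None else now
    if not info["is_valid"]:
        return "invalid"
    if info["app_id"] != str(app_id):
        return "issued_for_another_app"   # wrong client_id, as in the first thread
    if info["expires_at"] == 0:
        return "never_expires"            # typical for page tokens from a long-lived user token
    if info["expires_at"] - now < 24 * 3600:
        return "short_lived"              # ~1-2 h: the exchange did not happen or failed
    return "long_lived"                   # ~60 days


def fake_transport(routes):
    """Constructed offline transport: map a Graph path to a canned JSON payload."""
    def transport(url):
        path = url[len(GRAPH):].split("?", 1)[0]
        return json.dumps(routes[path])
    return transport


if __name__ == "__main__":
    APP_ID, APP_SECRET, NOW = "123456", "s3cr3t", 1_700_000_000  # constructed values
    t = fake_transport({
        "/oauth/access_token": {"access_token": "LONG.TOKEN", "token_type": "bearer",
                                "expires_in": 5183944},
        "/debug_token": {"data": {"is_valid": True, "app_id": APP_ID,
                                  "expires_at": NOW + 5183944, "scopes": ["manage_pages"]}},
    })
    token, ttl = exchange_for_long_lived("SHORT.TOKEN", APP_ID, APP_SECRET, t)
    print(token, ttl, classify(inspect_token(token, APP_ID, APP_SECRET, t), APP_ID, now=NOW))
```

Run it against the real API by passing `urllib_transport` instead of the fake; a "short_lived" result right after the exchange means the exchange response was not the one you stored, and "issued_for_another_app" means the token was minted under a different app ID than the one you are checking with.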

Facebook Application returns 403 when posting to peoples walls

Good morning all,
I've got a Facebook application that my customers use as part of our service which, with their permission, posts content onto their company's page.
It works fine with my account to my company page wall, but all my customers are getting a 403 error. I've checked their access tokens and it's not working with much luck.
I've Googled around and I'm wondering if my application has been blacklisted or whether it's had a restriction placed on it. We used to utilise offline_access, and we didn't realise there was a change to Facebook's policies for a while after this change came into existence. We've since updated our application to require our customers to revalidate their access tokens every month.
Our application is called "Testimonial Monkey" (Id: 155266164542877)
Thanks for your help
Sam
Try checking whether you have enough authority to execute an API call in /user-id/permissions.
Otherwise you need to get additional permissions for your application.
a link
Hope that helps.

Detecting Facebook OAuth token expiration

I have a Facebook application that does scheduled posts on fan pages.
To do this, the app acquires an OAuth token to use for posting on the page. To get this token, the user needs to visit the app. However sometimes Facebook invalidates these tokens, at least if the user changes their FB password and it seems in some other security-related cases too.
When this happens, the app will fail to post the scheduled post and users are unhappy. How should I resolve this? I could email the users when their token expires, but how would I detect the expiration? Given I have 100,000+ users, it would be expensive to poll the tokens very often.
Well, to directly answer your question, here you go: Facebook Debugger
Enter the Access_token there to check its validity and other info. But I know that wouldn't solve your problem in general. I can help you in the right direction.
You see, token validity is affected by the permissions you asked from the user. There is this offline_access permission that gives you an access token that won't time out, not the regular hour-long tokens. And I'm sure you know this since you're already able to schedule user posts.
Unfortunately, offline_access is now deprecated by Facebook (see this link). From now on, Facebook will give us 2-month access_token by default, even without the permission. From then on, we'll need to "refresh" or extend the access token. Read more on that link.
And about your problem with users changing password, logging out, etc., well, Facebook has its own dedicated blog post about it as well, see here.
If you want to take the path of checking token validity yourself, you can set up a CRON that runs every hour or every day (depends on you), and do a quick API call for each token (/me). If it fails or generates an error, the token has expired.
Much better if you do it every minute: 10 to 20 tokens to check, so it won't be a heavy burden on your server doing 100,000+ calls in one execution.
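The sweep the answer above describes (probe each stored token with GET /me, spread over the day instead of 100,000 calls at once) needs two pieces the answer leaves out: how to tell an invalidated token apart from a transient error such as a rate limit, and how to carve the token population into per-minute slices. This added example, which is not code from the original post, does both against constructed Graph API payloads through an injected transport. The assumed facts are that error code 190 is the invalid-OAuth-token code and that codes 4, 17 and 613 are rate limits; the subcode labels are the ones listed in Facebook's error-handling documentation and serve only to make the reason readable. Token strings, user IDs and responses are constructed.

```python
"""
Added example (not from the original posts): a token sweep that spreads a large
token population across the day and classifies each GET /me result. The transport
is injected so the block runs offline against constructed Graph API payloads.
"""
import json
import math
from urllib.parse import urlencode

GRAPH = "https://graph.facebook.com"

# Assumption: Graph API error code 190 is the invalid-OAuth-token code, and the
# subcode labels below are the ones in Facebook's error-handling documentation.
INVALID_TOKEN_SUBCODES = {
    458: "app not installed (user removed the app)",
    460: "password changed",
    463: "token expired",
    467: "token invalid",
}
RATE_LIMIT_CODES = {4, 17, 613}  # app, user and custom rate limits: the token itself is fine


def classify_response(payload):
    """Map a Graph API JSON payload to (status, reason) with status in valid|invalid|retry|error."""
    if "error" not in payload:
        return ("valid", None)
    err = payload["error"]
    code, subcode = err.get("code"), err.get("error_subcode")
    if code in RATE_LIMIT_CODES:           # checked first: rate-limit errors are also OAuthException
        return ("retry", f"rate limited (code {code})")
    if code == 190 or err.get("type") == "OAuthException":
        return ("invalid", INVALID_TOKEN_SUBCODES.get(subcode, err.get("message", "invalid token")))
    return ("error", err.get("message", f"code {code}"))


def slice_for_slot(n_tokens, slot, slots_per_day=1440):
    """Index range [start, end) of the tokens to probe in this slot (one slot per minute by default).
    100,000 tokens over 1440 slots is 70 per minute; the last few slots come out empty."""
    per_slot = math.ceil(n_tokens / slots_per_day)
    start = min(slot * per_slot, n_tokens)
    return start, min(start + per_slot, n_tokens)


def probe_tokens(tokens, transport):
    """tokens: list of (user_id, access_token). Returns {user_id: (status, reason)}."""
    results = {}
    for user_id, token in tokens:
        url = f"{GRAPH}/me?{urlencode({'fields': 'id', 'access_token': token})}"
        results[user_id] = classify_response(json.loads(transport(url)))
    return results


def run_slot(all_tokens, slot, transport, slots_per_day=1440):
    """Probe one slice and return the user ids whose tokens need a fresh login (e.g. to e-mail them)."""
    start, end = slice_for_slot(len(all_tokens), slot, slots_per_day)
    results = probe_tokens(all_tokens[start:end], transport)
    return sorted(uid for uid, (status, _) in results.items() if status == "invalid")


def fake_transport(by_token):
    """Constructed offline transport: one canned payload per access_token value."""
    def transport(url):
        token = url.split("access_token=", 1)[1].split("&", 1)[0]
        return json.dumps(by_token[token])
    return transport


if __name__ == "__main__":
    payloads = {  # constructed responses
        "ok1": {"id": "1001"},
        "dead2": {"error": {"message": "Error validating access token: Session does not match "
                            "current stored session.", "type": "OAuthException",
                            "code": 190, "error_subcode": 460}},
        "slow3": {"error": {"message": "Application request limit reached",
                            "type": "OAuthException", "code": 4}},
    }
    tokens = [("1001", "ok1"), ("1002", "dead2"), ("1003", "slow3")]
    print(probe_tokens(tokens, fake_transport(payloads)))
    print(slice_for_slot(100_000, 0), slice_for_slot(100_000, 1428), slice_for_slot(100_000, 1439))
```

Only the "invalid" bucket should trigger the e-mail to the user; "retry" tokens go back into the next slot, and "error" usually means the probe itself is wrong rather than the token. If the sweep still needs fewer round trips, the Graph API batch endpoint accepts up to 50 requests per call, each with its own access_token, so a 70-token slot fits in two batch calls.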

Facebook access tokens expiring for unknown reason

EDIT from #avs099: I'm starting the bounty on this post as I have exactly the same issue. I summarize the problem here, and leave the post itself without any changes at the bottom for the reference.
What we have: a Facebook page access token, obtained as described here: Authenticating as a Page, whose life was extended to 60 days with a new fb_exchange_token request.
What is the problem: this token works for some time - sometimes I can post hundreds of photos to my fan page in the period of several days; sometimes it's literally a few photos - and then I start getting either
(OAuthException) Error invalidating access token: The session has been invalidated because the user has changed the password.
or
(OAuthException) Error invalidating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.
exceptions from Facebook - but of course I did not change my password or deauthorize the app.
Additional information: Not sure if that matters but:
Sometimes I start using the token a few days after I request it from Facebook.
The token is requested (by the C# backend) from a server which is located in a different geographical region from the desktop app which posts photos to the fan page.
It sometimes happens that several different desktop apps post photos from different PCs (i.e. different IPs, I guess).
Anybody has a clue what's going on and how to resolve this?
Thank you.
I have a facebook app that serves two purposes:
1) Allows users to facebook connect with my site
2) Allows my site to post to my sites facebook fan page wall
What I'm concerned about is the 2nd usage. I used to be able to set the permissions for an app on a fan page to just allow posting (via the PHP SDK) without any concern about an access token. Now I've created some new fan pages and that functionality seems to have been removed. Alright, so I go through the whole process of getting an access token (successfully) for the user (always me or another admin of my Facebook fan pages) and use that token to get the access tokens for the fan pages I manage (I have the manage_pages permission and so do the other admins for the pages I want to post to). However, by the time the engine gets around to posting content to my fan pages, the tokens have expired with one of two error messages:
Error invalidating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.
or
OAuthException: Error invalidating access token: The session has been invalidated because the user has changed the password.
But this isn't an access token dependent on outside users, only internal people (me and one other guy right now). We aren't changing our passwords or doing anything. I've even tested it by logging out of Facebook after acquiring tokens and it works fine. It's just that after a little while they expire for no reason that I can determine. When I get the tokens I can check them on the debugging tool and they are supposed to last 60 days (according to the doc), although the tool says they never expire.
I've set up the system so when it fails to post to the page I get an email with the link to my site to update the tokens.
Anyone have a clue what's going on?
As Mikhail pointed out, if you get an error reporting that the token is invalid because the user has changed the password, odds are you are requesting a new token somewhere hidden in the code when you already have a valid one.
Possibly related to this bug? https://developers.facebook.com/bugs/241373692605971?browse=search_4fb4832bcaf7b1549293950
I have the same problem in my app - sometimes tokens expiring.
One of the reasons found: sometimes my app asks for a new token while the old token is still valid, and FB returns an error or I couldn't save the new token for some reason.
After that the old token expires - only one token for the user-app pair may be valid.
You can fetch the unauthorized token so a new token is requested (or whatever you like).
I can provide a nice explanation but you can read it all here:
https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
A temporary solution is to ask the user to delete the application from their profile and allow it again.
I had the same problem and resolved it by "reinstalling the app to the user's Facebook applications". It may help you if nothing else answers the problem.
To do that:
The Facebook user who is facing the problem goes to their Facebook page.
He/she removes your app from his/her application list.
Retry logging in via the Facebook SDK on Android.

Facebook access token invalid with message "session does not match current stored session"?

I have recently started getting this error while posting to the Facebook newsfeed stream of an app user.
I do have the offline_access permission for the access tokens, and they worked fine previously.
This error is coming for 30-40% of the users.
"Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or may be due to a system error."
It's possible for your access token to become invalid for a variety of reasons (expiry time passed, user changed password, user deauthorized your app, user logged out of Facebook, etc.). You should always design to account for this scenario.
If your users are active, it's easy to get a new access token from the OAuth endpoint without them having to do/see anything. If not, you should make a plan (such as emailing them) for how you will get them to return so you can get a new access token. The scenario you're describing is not necessarily unusual. You can find some code samples here for help on how to handle expired access tokens.
This is undocumented, but I just tested it and it works with expired access tokens. It should work on access tokens that have been invalidated if you know their user ID and they haven't revoked privileges to your app. First, you can verify that you still have the permissions you need by calling this URL:
https://graph.facebook.com/userID/permissions?access_token=appID|appSecret
If you still have the publish_stream permission, you can issue an HTTP POST to this URL:
https://graph.facebook.com/userID/feed
with post parameters of access_token=appID|appSecret&message=test message
There seem to be a lot of questions about why your token would have expired so quickly. I think I can shed some light on that. Here are a number of scenarios I have found which cause this:
There is the obvious one: the user changed his password. There is nothing you can do about this. They will need to reauthorize your app. The rest of these scenarios deal with page tokens, which are similar to a token for a user profile, except they come from querying /me/accounts with the user token of a valid administrator for the page. These seem to expire much more frequently.
It seems that if ANY administrator of a page changes their password (not necessarily the one whose token you are using), this can cause the token to expire. Also, if you have some pages in your system with the same administrator, calling /me/accounts often refreshes ALL of the tokens for the pages this user administrates. That means if you are connecting a new page for a user with existing pages, you will need to update the existing page tokens with the new ones provided by /me/accounts.
Finally, the way I deal with this in my system is to store the admin user and token as a parent of the page token in my database. This way when I need to reconnect a page or add a new page, the system can lookup and update any related page tokens received from /me/accounts. It also allows you to automatically attempt to refresh the token by calling /me/accounts when you receive the expired token exception.
Hope some of this helps!
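The scheme in the answer above (store the admin user and token as the parent of each page token, refresh every page token from /me/accounts when one of them fails) and the earlier warning that requesting a new user token while a valid one exists invalidates the old one both fit in one small token store. This is an added example, not code from any of the posts: a store keyed by admin, a post routine that retries exactly once after a refresh, and a distinct exception for the case where the admin's own user token is dead and only a fresh login (the e-mail link the posters set up) can fix it. The transport is injected and the `demo()` function drives it with constructed page IDs, tokens and Graph API responses, so it runs offline; the error code 190 check is an assumption about the API.

```python
"""
Added example (not from the original posts): keep each page token under the
admin user token that produced it, so one GET /me/accounts call refreshes every
page that admin manages, and retry a failed post exactly once after refreshing.
The transport is injected; demo() runs it against constructed responses.
"""
import json

GRAPH = "https://graph.facebook.com"


class AdminLoginRequired(Exception):
    """The admin's own user token is dead: e-mail them a re-login link, as the posts suggest."""


def graph(transport, method, path, params):
    return json.loads(transport(method, f"{GRAPH}{path}", params))


def is_token_error(payload):
    return payload.get("error", {}).get("code") == 190  # assumption: 190 = invalid OAuth token


class TokenStore:
    """admins: admin_user_id -> user token; pages: page_id -> {"token", "admin"}."""

    def __init__(self):
        self.admins = {}
        self.pages = {}

    def set_admin_token(self, admin_id, user_token):
        # Store a token only from a fresh login. Never re-run the OAuth flow while a
        # valid token exists: the new user token can invalidate the one you stored.
        self.admins[admin_id] = user_token

    def refresh_pages(self, admin_id, transport):
        """Re-read every page token this admin manages; returns the refreshed page ids."""
        payload = graph(transport, "GET", "/me/accounts", {"access_token": self.admins[admin_id]})
        if is_token_error(payload):
            raise AdminLoginRequired(admin_id)
        refreshed = []
        for page in payload.get("data", []):
            self.pages[page["id"]] = {"token": page["access_token"], "admin": admin_id}
            refreshed.append(page["id"])
        return refreshed


def post_to_page(store, page_id, message, transport):
    """Return (response, attempts). On a 190 error refresh the admin's page tokens and retry once."""
    for attempt in (1, 2):
        entry = store.pages[page_id]
        payload = graph(transport, "POST", f"/{page_id}/feed",
                        {"access_token": entry["token"], "message": message})
        if not is_token_error(payload):
            return payload, attempt
        if attempt == 2:  # refreshed token still rejected: needs a human
            raise AdminLoginRequired(entry["admin"])
        store.refresh_pages(entry["admin"], transport)


def fake_transport(state):
    """Constructed Graph API: a page token is good only if it is the current one in `state`."""
    def transport(method, url, params):
        path, token = url[len(GRAPH):], params["access_token"]
        if path == "/me/accounts" and method == "GET":
            if token != state["admin_token"]:
                return json.dumps({"error": {"code": 190, "message": "user token invalid"}})
            return json.dumps({"data": [{"id": pid, "access_token": tok}
                                        for pid, tok in state["page_tokens"].items()]})
        if path.endswith("/feed") and method == "POST":
            pid = path.strip("/").split("/")[0]
            if state["page_tokens"].get(pid) != token:
                return json.dumps({"error": {"code": 190, "error_subcode": 460, "message":
                    "Error validating access token: Session does not match current stored session."}})
            return json.dumps({"id": f"{pid}_post1"})
        return json.dumps({"error": {"code": 100, "message": f"unexpected {method} {path}"}})
    return transport


def demo():
    """Two pages under one admin; both stored page tokens are stale (another admin changed password)."""
    state = {"admin_token": "ADMIN.OK", "page_tokens": {"111": "P111.new", "222": "P222.new"}}
    store = TokenStore()
    store.set_admin_token("admin1", "ADMIN.OK")
    store.pages = {"111": {"token": "P111.old", "admin": "admin1"},
                   "222": {"token": "P222.old", "admin": "admin1"}}
    resp, attempts = post_to_page(store, "111", "hello", fake_transport(state))
    return resp, attempts, store.pages["222"]["token"]  # page 222 is refreshed as a side effect


if __name__ == "__main__":
    print(demo())
```

The single retry is deliberate: if the freshly fetched page token is rejected too, the admin's user token is the problem, and looping on /me/accounts would only burn rate limit. The same `AdminLoginRequired` path is what should send the "please log in again" e-mail.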
Check out the blog post officially from facebook: How-To: Handle expired access tokens
The offline session token is changed whenever a user changes his password. If a previously working session suddenly stops (and you're getting that error) then the user's password was changed (probably by the user) and you will need to re-prompt them to grant you offline access and save the new session token you get.
I also faced this issue while accessing the post comments from my command utility. In my case everything was working fine, until suddenly I got the error:
The remote server returned an error: (400) Bad Request.
After diagnosing the problem, I found that the Facebook access token is expiring after a period of time even though I created it with the offline_access option as below:
https://www.facebook.com/dialog/oauth?client_id=[APPID]&redirect_uri=[URL]&scope=user_photos,email,user_birthday,user_online_presence,offline_access
After wasting lots of time on R&D, I found that there is an option in the app's Advanced Settings for Remove offline_access permission. My client had enabled it, and that's the reason my token was expiring. Have a look at the image below:
In my case I had to generate a new page access token because I changed my Facebook password.
You can do that by going to https://developers.facebook.com, click on your app, see the menu on the left, choose Messenger, then Settings, then scroll to Access Tokens, click Generate token, copy the token and paste it into your configuration file.