Is it possible to force a Facebook access token to expire in the new 3.2 Facebook SDK? I need to test the auth logic in my iOS app.
I know this has been asked in the past.. but all answers I have found are not relevant.. as Facebook keeps changing their API.
Thanks.
An easy way to force expiration of an App Access Token is to revoke that App's permissions in the user account (deleting the App from your FB account settings). That token becomes invalid immediately. Note that upon reauthorization of the app, it's likely that you'll get the same token back, just that it'll be valid this time 'round.
Jai's answer is a great way of doing it, here is a programmatic way of clearing your session.
Try this line of code:
[FBSession.activeSession closeAndClearTokenInformation];
Changing the user's password on Facebook also invalidates the token. I'm seeing some edge-cases, however, where the different auth errors behave a little differently. If anyone knows of a way to forcibly expire the token, that would be helpful.
Related
I am the administrator of a Facebook Page. I am building a web app which, under certain circumstances, will post on Facebook as that Page.
With most APIs, I would just get an API key, and supply that when connecting to the API from my app. But Facebook expects an access token instead of an API key. (Specifically, in this case, it needs a "page access token".)
I am trying to figure out how to get a page access token that will be as permanent as possible.
After jumping through a bunch of esoteric, undocumented hoops (see here and here) in order to get a token that wouldn't expire, I had this working. When I ran the token through Facebook's Access Token Debugger, the "Expires" field read "Never". All was good in the world.
But, the next day, my token became invalid anyway. The Access Token Debugger, and my app's calls to Facebook's PHP SDK, both started returning this error:
Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.
It seems that a token can become invalid for a variety of reasons (but this article is five years old, so who knows – Facebook changes things every two weeks). I had not changed my password. (I might have logged out of Facebook, though.) Facebook offers no specifics about why this particular token might have become invalid.
I've also seen a few references to a permission called offline_access, but Facebook seems to have removed this.
I suppose my question is twofold:
In general, I've found Facebook token authentication to be incredibly brittle when calling the Facebook API from the server. The token system seems to be designed mainly to allow other users to grant (or revoke) various kinds of account access to my apps. But that's not what I'm doing – I'm trying to get a token that will let me post to a page that I own. And for that scenario, Facebook's aggressive invalidation of tokens becomes a serious liability. I can't launch my app if my access token (and therefore my Facebook integration) could randomly stop working at any moment, requiring me to generate a new token and update the app. This seems absurd. Is there an alternative method of authenticating to Facebook for my purposes?
If a page access token is, in fact, the best way to authenticate my app to Facebook in order to post as my Page: how can I ensure that my token doesn't spontaneously become invalid?
I hate developing for Facebook :/ Thanks for any insight you can offer.
Extended Page Tokens are valid forever. They only get invalidated if you change your password or if you change the App Secret of your App. There´s really no magic in it, checking if the Token is still valid is obviously not a bad idea but that´s up to you. For example, you can send yourself an automated Email when there is an error using the Token, so you can refresh it. But it will really just happen if you change your password.
Links:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
I have a problem in using facebook api.
My customer makes my facebook user admisistrator of his facebook product page.
I use a java engine which is scheduled for retriving this page insight data.
As it is a java angine, ther is no "human" user who can perform some actions (a login for example).
For this reason I used an offline_access token so i could retrive data, for example, in this way:
https://graph.facebook.com/MY_PAGE_ID/insights/page_fans/lifetime?format=json&access_token=MY_OFFLINE_ACCESS_TOKEN.
This works ok but...
...offline_access is now deprecated and I want to change my code to obtain access token in the right way.
It seems there is no way to autenticate my user programmatically and obtain an acces token which gives me the possibility to perform the above insight data request.
So, it seems that with offline_access deprecation, i have no way to perform my insight request! :)
How can I solve this problem?
How can I obtain a correct and working access_token?
Please help me!
Thank you very much.
As long as you've enabled the "Deprecate Offline Access" setting in the Settings for your app at developers.facebook.com then all tokens will be automatically issued for 60 days.
On May 1st Facebook will be switching "deprecate offline access" on for EVERYONE so it will become the default setting and all access tokens will be issued across the board with 60 day expiration time.
I'd look at the documentation page "Authentication for devices without access to a browser" which seems to most closely match your use case.
http://developers.facebook.com/docs/authentication/devices/
without offline_access the access token returned will still be valid for 60 days ... so one approach would be to trace the expires time and then renew the token as needed... my personal opinion is that asking user to reenter login data every 60 days is more than acceptable
Details here https://developers.facebook.com/docs/offline-access-deprecation/
After authorization with scope : offline_access. It is possible via application to post to wall, or perform any other allowed operations at any time, even if user was logged out some days ago, using the access_token?
I'm asking, because I couldn't post to wall after later, facebook does not allow that.
Facebook will return the code value and with the help of of that you can get the access_token which you must have to store in database for future use. That access token has no expiry date so you can use that any time in future.
It can be possible that user might have remove permission to posting on his wall after granting the access from your application. but it will going to ask that user again when he's going to access the app next time.
Thanks!
What is the error that you are getting? offline_access give an access token with infinite lifetime unless the user changes the password or removes your app. So you need to save this offline token (although not recommended-security) and use it later on.
As per the developer road map - offline access is being deprecated. So whats the alternative ?
I know we can get extended token that will expire in 60 days, but how about the offline access ? The documentation isnt clear about weather this token works on or not when user is not logged in.
See FB.logout It says calling FB.logout will invalidate any existing token unless you have offline_access permission, How does this affect to new extended token ? If it invalidates the extended token as well, is there any alternative.
The old offline_access permission would let the app make calls to graph API even when user isn't logged in, does the extended token work in same way ? if not what's the alternative ?
There will be no way to get requests on behalf of users.
You're app will also be vulnerable to the user logging out. We are still in under the temporary offline_access but as soon as the user logs out of their browser session on facebook the credential generated at the time is no longer valid. It's a huge bummer for async apps.
I have been asked to look into whether or not I can retrieve a Facebook access token from Facebook if the user had granted permission in an earlier session. The problem is that our business logic tier is maintained by a different group and is on a different release schedule from the web development group. If I were to gain an offline access token, I might not be able to store it for up to two months. For any users acquired in the meantime, is there a way that I can retrieve the token from facebook without further intervention from the user?
I would think that this might be a security hole, but one of our senior developers thinks that it is likely that facebook offers such a feature.
Thanks,
Rob
In short No.
But with the offline access request being complete.
You can request a new token without any user clicking.
You just get a new offline access token and use that. The same way as if you didn't request offline access, and the access token had expired, it doesn't explicitly say but it does work:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission.
http://developers.facebook.com/docs/authentication/
That way you don't have to store them at all.
Unless you actually want to perform actions when the user is not using your Application.
You'll get the access_token every time the user logs back in, offline_access or not !
You can get it in JS with FB.getAccessToken();
There is no way to retrieve (offline) access token, when the user is not actually logged in.
If you want to store the access token for a long period of time, you will be required to ask for the offline_access permission, otherwise the access token will only last a short period of time. Either way, it is best to store it in a cookie or locally as it will certainly improve your app's latency. But make sure to check its validity as often as possible.
I think the access_token means, you have the permission to do things on behalf of the user. If you must do something without user FB login, you need the offline access_token. But be careful, the offline access_token will be ignored, when the user change his/her FB password, or delete the application.
So I hope there isn't any way to get another access_token without the user permission. I think the easiest way to check the access_token to make a /me?access_token= GET request, and check the answer. If the answer is an error, the access_token not working, you have to renew it.
To get access_token from somebody in the middle of the flow is a little pain. But you can also put variables to the redirect link.
Example:
https://graph.facebook.com/oauth/authorize?client_id=API_KEY&scope=email$redirect_uri=YOUR_REGISTERED_APP_URL%3F$param
$param could be a flow info like: flow=12342323
So when your user come back the $_GET['flow'] will be 12342323.