Please verify my understanding of extending Facebook Access Tokens

I have an application which will make posts on multiple user profile pages and Fan Pages.
To obtain permission to do this, the app will process a client side auth and obtain the short-lived access token for each user who uses the app.
My app will then immediately exchange that for a 60 day long-lived access token, and store this for future use in a local DB. The app will then be able to update that user's profile and pages for up to 60 days, whether the user is logged into FB or not.
The next bit is the important bit:
Each time the user uses my app, my app will test the validity of the current access token, in case the user has changed their password etc, or the 60 days have elapsed.
If the access token is no longer valid, my app will seek to obtain a new one.
If the user is not logged into Facebook at this point, it is my understanding that I will have to prompt a login and force a client side auth, to obtain a new short-lived access token which I will have to exchange for a new 60 day long-lived token.
Is this correct? i.e. that the user has to login again? i.e. there is no way to process the access_token update on the server side?
Also, is it the case that the 60 day expiry only applies in respect of user access tokens, and does not apply in respect of page access tokens?
thx

Is this correct? i.e. that the user has to login again? i.e. there is no way to process the access_token update on the server side?
No. You need a valid short-lived user access token first, and that you get through the process of client-side login.
Also, is it the case that the 60 day expiry only applies in respect of user access tokens, and does not apply in respect of page access tokens?
Correct, page tokens do not expire by default, if they were obtained using a long-lived user access token.

Related

how to extend long-lived Facebook user access token?

When I debug my Facebook user access token I see two expiration dates (Expires and Data Access Expires) as you can see here:
According to this link, the token should expire 60 days after the last use, but I'm seeing never and I don't know why! Also, when I exchange the user access token via this API, Data Access Expires does not change and I still get the same Data Access token Expires. My Facebook App is in development mode and I haven't passed App Review yet. Also, I don't use FacebookSDK. Do you know why I get never expires and why, after exchanging the User Access token, Data Access Expires doesn't extend?

Is there any dependency between the cookies from Facebook and Access_Token

I have created an app in Facebook and when a user is logged in using my app I am trying to get access_token using FB.getAuthResponse()['accessToken']. When I used Graph API Explorer option in Facebook to debug that access_token it showed that my access_token will be expired in one day. Now I am planning to store cookies from Facebook in order to make the user logged in as long as he needs.
My concern is like if my access_token expires in one day will it affect my cookie stored and ask the user to log in once again?
If it affects cookies... Can anyone provide a solution?
There is no direct conjunction with cookies and Access Tokens. The latter are used for letting users give specific permissions on their personal data with Facebook apps.
What you are referring to are so-called short-lived Access Tokens. You can exchange those into long-lived ones, which have a maximum validity of 60 days. Even the long-lived one can expire, which can be handled by resending the user to the login flow.
See:
https://developers.facebook.com/docs/facebook-login/access-tokens#termtokens
https://developers.facebook.com/docs/facebook-login/access-tokens#refreshtokens

Increase access token validity

Is it possible to generate an access token to read the feed of a Facebook account, where the access token never expires?
From what I understand 60 days is the maximum if the initial login access token is exchanged.
Is it possible to go longer than 60 days?
Now that offline_access is no longer provided, the answer is NO.
There used to be a permission called offline_access that let an access token work for a longer period of time, but it is removed now. Short-term access tokens and long-term access tokens are introduced instead.
When you redirect your potential user to the Login Dialog and the user completes his login and app authorization process, the user is redirected back to your web page. That's where you get the code parameter and you will exchange it for a short-term access token, which stays valid for about 2 hours. That should be enough for login purposes.
If you wish to store the token for later use you should acquire long-term access token. I believe this is the one you mentioned. This token lives up to about 60 days as you already figured out and it is the longest.

Posting to Facebook on behalf of the user: how to handle token expiration?

I'm implementing a connect with Facebook/Twitter/... functionality on a website. The idea is that once a user connects his account with the external services our website could post messages on behalf of the user.
With Twitter there is no problem as the OAuth access_token doesn't expire. But with FB it does expire every two months, when the user logs out, changes password or explicitly deauthorizes the app.
How should I handle the token expiration? For me it would be ideal if I could refresh the token automatically without bothering the user, but unless I've missed something it seems there isn't any way of doing this. So, right now I've two ideas:
The less awkward way: every time the user logs in to the website check if the tokens have expired and notify the user that she has to reauthorize the app.
The more awkward way: every time the "post to social networks" event triggers in our website, check if the tokens have expired and ask the user to reauthorize.
The first option would be easier to implement and cleaner to the user.
So, how are you handling these situations?
Thanks!
I think that I'll try the first option:
User logs in
The server checks if the user has already a Facebook token, if so:
Check if it's still a valid token. http://developers.facebook.com/docs/howtos/login/debugging-access-tokens/
If the token expired NOT because the user deauthorized the app BUT because of the other cases, we redirect the user to the OAuth endpoint.
I'll give it a try and update this answer if there is more to it.
If the user is actually interacting with your website, you should be getting a fresh access_token (read below). If you perform offline tasks related to the user using the Facebook API then you should be storing the access_token and their expiry dates. Then you need to handle expired access tokens and ask the user to interact with your app again and update your records.
You should refer to this document. Also you should be reading the Extending Access Tokens document:
Step 2. Refreshing Long-lived User Access Tokens
At any point, you can generate a new long-lived token by repeating the
original auth flow, obtaining a new short-lived token and then
performing the same exchange as above. In some cases, this newer
long-lived token can be identical to the previous one, but we do not
guarantee this will be true and your app shouldn't depend upon it.
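
The login-time check outlined in the answers above, as an added example that is not part of the original posts: it takes the JSON a token debug call returns and decides whether to keep using the stored token, send the user back through the login flow, or drop the token because the app was deauthorized. The function name, the one-week margin and the sample responses are assumptions made for illustration; the response fields (`is_valid`, `expires_at`, `app_id`, `user_id`, `error.subcode`) and the subcode value should be checked against Facebook's current documentation.

```python
import time

# Error subcode taken from Facebook's Graph API error reference as an
# assumption; confirm the number against current documentation.
SUBCODE_APP_NOT_INSTALLED = 458  # user removed (deauthorized) the app
REAUTH_MARGIN = 7 * 24 * 3600    # hypothetical policy: re-prompt a week early

def classify_token(debug_response, app_id, user_id, now=None):
    """Map a token debug response to ok, reauth_soon, reauth, deauthorized or reject."""
    now = time.time() if now is None else now
    data = debug_response.get("data", {})
    if not data.get("is_valid", False):
        subcode = data.get("error", {}).get("subcode")
        # Deauthorization means the user withdrew consent: delete the stored
        # token rather than redirecting straight back to the OAuth endpoint.
        return "deauthorized" if subcode == SUBCODE_APP_NOT_INSTALLED else "reauth"
    # A valid token issued to another app or user must not be stored or used.
    if str(data.get("app_id")) != str(app_id) or str(data.get("user_id")) != str(user_id):
        return "reject"
    expires_at = data.get("expires_at", 0)  # 0 means the token does not expire
    if expires_at and expires_at - now < REAUTH_MARGIN:
        return "reauth_soon"
    return "ok"

# Constructed sample responses (not captured from Facebook).
NOW = 1_700_000_000
DAY = 24 * 3600

def _resp(**fields):
    base = {"app_id": "1234567890", "user_id": "1001", "is_valid": True}
    base.update(fields)
    return {"data": base}

SAMPLES = {
    "fresh": _resp(expires_at=NOW + 30 * DAY),
    "near_expiry": _resp(expires_at=NOW + 2 * DAY),
    "non_expiring": _resp(expires_at=0),
    "expired": _resp(is_valid=False, expires_at=NOW - DAY, error={"code": 190, "subcode": 463}),
    "app_removed": _resp(is_valid=False, error={"code": 190, "subcode": 458}),
    "other_app": _resp(app_id="9999999999", expires_at=NOW + 30 * DAY),
}

def run_samples():
    return {name: classify_token(r, "1234567890", "1001", now=NOW) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The `reject` branch covers a token that is valid but was issued to a different app or user, which the stored-token flow should never accept even though Facebook reports it as valid.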

Using FQL to schedule posts to stream

I'm trying to understand how to make scheduled calls to FQL queries without an authenticated user initiating the query. (Similar to a cron-job, I guess)
I've experimented with trying to implement cron jobs to make FQL queries but haven't had any success.
Could anyone please steer me in the right direction?
You have 3 options:
1. When the user enters your app use the client side authentication, get a short lived user access token and then extend it using the new endpoint for 60 days.
For those 60 days you can use that user token and do as the permissions the user has granted allow you to.
When the 60 days are over you'll need the user to reengage with your app to get a new token for another 60 days.
2. Use the server side authentication to get a long lived user token (60 days), then the same as in 1.
3. If you get the publish_stream permission then you can publish as the user with the app token which does not expire, as it states in Authenticating as an App:
App access tokens can also be used to publish content to Facebook on
behalf of a user who has granted a publishing permission to your
application.
App Access Tokens generally do not expire. Once generated, they are
valid indefinitely.
You may not be able to use the 3rd option, it depends on what data you want to get from the api.
I suggest that you use the Access Token Tool to get a user and app token, save the app token somewhere and then test your queries in the Explorer Tool with the user token.
When the user token expires try the same with the app token to see if it can be used for what you need.