Do Facebook Oauth 2.0 authorization code Expire? - facebook

The Facebook OAuth Access Tokens Expire after a specified period, but what about Facebook OAuth authorization code? does it expire? (it does not say?)
Reference:
https://developers.facebook.com/docs/reference/dialogs/oauth/
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-31#page-8

The authorization code has an expiration.
From the docs : Now that your app has authorization from the user and the code parameter stored as a variable, it should immediately exchange it for a User access token that can then be used to make API requests
The following post also mentions a facebook update informing about authorization code expiration :
OAuthException: This authorization code has been used - Facebook

Related

Manual Facebook login for website - Inspecting Access Tokens

I referred this Facebook page Manually Build a Login Flow to build a login script for my website.
Here is the summary of steps from the page above:
Get authorization code
Exchanging Code for an Access Token
Inspecting Access Tokens
Query Graph Api
On the third step Facebook requires the below parameters
(I used the access token from step 2 here)
input_token {token-to-inspect}
// An app access token or an access token for a developer of the app.
(Should i use my FB app id ?)
access_token {app-token-or-admin-token}
What should the access_token contain? I inserted my FB app id but got the below response
HTTP/1.1 400 Bad Request
WWW-Authenticate: OAuth "Facebook Platform" "invalid_token" "Invalid OAuth access token."
Not sure if the error is due to expired user access token or because of wrong input parameter.
I read further and found this page about app access token
You can either generate an app access token
curl -X GET "https://graph.facebook.com/oauth/access_token
?client_id=your-app-id
&client_secret=your-app-secret
&redirect_uri=your-redirect-url
&grant_type=client_credentials"
or set access_token parameter as below
access_token=your-app_id|your-app_secret
I tried the latter your-app_id|your-app_secret and it worked.

validate the access token obtained from the linkedin Rest API

I have a mobile application talking to a backend. I am providing login to the app through LinkedIn. I checked the linkedIn api for oauth authentication and have followed the steps as given in this link
Oauth LinkedIn.
I am able to obtain the request token as per step 3. Now i am sending this request to my backend. In the backend i want to make sure that this request token is valid and has not expired.
How do i achieve this ? In FB authentication, they have provided an end point to which i post the access token (https://graph.facebook.com/app?access_token=)and it gives the expiry time, validity of token etc.
How do we do this with LinkedIn api, i searched their documentation, but no luck. Any help will be appreciated.
Thanks
There's no separate API that LinkedIn provides to inspect the token. However you do get a hint about the token expiry back in the response from the token endpoint when exchanging the code for an access_token in the expires_in parameter, e.g.:
{"access_token":"<>","expires_in":5183999}
which tells you that it is valid for 60 days. You could store that information together with the access token.
You can use "Token Introspection" endpoint to check the validity of your access token at any time.
https://learn.microsoft.com/en-us/linkedin/shared/authentication/token-introspection. Use Refresh token to refresh it before it expires.

Retrieving User Token (found in Access Token Tool) via code C#/PHP

I have a Facebook app and I can retrieve the App Token by calling
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&client_secret=YOUR_APP_SECRET
&grant_type=client_credentials
as specified on the Authenticating as an App page. I see this app token is also available in the Access Token Tool page along with a User Token for the app. I need the User Token in order to do a /USER_ID/accounts on users that have already approved my app with the manage_pages permissions.
Basically I wish to post to a users Facebook page when they submit an article to my app. Some users are in locations where Facebook is blocked, thus I can't use the regular Javascript SDK.
Edit 1: I understand the concept of user access tokens and retrieving them via the SDK with the OAuth redirect. My question is in regards to the User Token for an app as seen in the Access Token Tool page, not a user access token (which requires client access to Facebook)
In order to get a user token without using the javascript SDK, you need to authenticate the user using the OAuth dialog redirect. Essentially, you prompt the user to fetch a code from Facebook that you can exchange for an access token. At this point you should store the access token and re-use it for all requests that require authentication. Keep in mind though that you will need to detect when the token is expired or invalidated, and if so you will need to re-issue the authentication redirect & token exchange process.

ColdFusion Facebook Integration

I have an app with a login screen with a button that invites users to login using facebook.
That authentication part of the integration works fine. I have also parsed the returned cookie variable to obtain the userID. The next step is to obtain the users information.
I found this stackoverflow article Difficulty parsing string with Facebook one click sign on and ColdFusion which says
Once you get parsed signed_request (stored in your cookie) you can use
user_id (which is Facebook User Id) and oauth_token (aka access_token)
to get needed info via Graph API or FQL.
But, how do you obtain the access_token the poster speaks of? It is not in the cookie variable (that I can see anyway).
Sorry for being such a noob. I got twitter working easy. Facebook is a pain.
https://developers.facebook.com/docs/authentication/ is your friend. Read the server side flow section.
"If the user presses Allow, your app is authorized. The OAuth Dialog will redirect (via HTTP 302) the user's browser to the URL you passed in the redirect_uri parameter with an authorization code:
http://YOUR_URL?code=A_CODE_GENERATED_BY_SERVER
With this code in hand, you can proceed to the next step, app authentication, to gain the access token you need to make API calls.
In order to authenticate your app, you must pass the authorization code and your app secret to the Graph API token endpoint - along with the exact same redirect_uri used above - at https://graph.facebook.com/oauth/access_token. The app secret is available from the Developer App and should not be shared with anyone or embedded in any code that you will distribute (you should use the client-side flow for these scenarios).
https://graph.facebook.com/oauth/access_token?
     client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
     client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
If your app is successfully authenticated and the authorization code from the user is valid, the authorization server will return the access token:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission."

How can I obtain a new 'authorization code' without an HTTP redirect?

At this url, Facebook explains how to authenticate using Facebook Connect.
Basically, the steps are the following:
Redirect to facebook as the example. As a result I'll get an authorization code
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=email,read_stream
Do a HTTP post to the following address, asking for an access_token
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
Facebook will answer the last HTTP post with an access_token. Fine.
The access_token received above expires. The number of seconds it will still be valid is returned along with the access_token. Ok.
The problem is: What should I do after it expires?
From Facebook oficial website:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token
Wait! I can't re-run the steps above because in order to obtain a new authorization code I would have to redirect (step1). I don't want to redirect. I want to obtain a new authorization code through a web-service. The user already authorized my application and I won't have an oportunity again to redirect him or her.
What should I do?
PS: Thinking logically, I wouldn't need to gain a new authorization code after access_token expires. A new access_token would be enough. But, as I showed, facebook says authorization code also expires.
You would want to use the "offline_access" permission. This allows the token to be long-lived. See the permissions page: http://developers.facebook.com/docs/authentication/permissions/ .
Since they've removed offline_access, Facebook provided a way to extend the expiration of existing short-lived tokens.
Just make the following request:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
And, about the expiration of long-lived access tokens,
Currently the long-lived user access_token will be valid for 60 days while the
short-lived user access_tokens are currently valid from 1 to 2 hours.
For more information, please refer to https://developers.facebook.com/roadmap/offline-access-removal/