I'm using the extended access token system to extend oAuth tokens issued by 60 days. This system is working well; however, one user was reporting that they had to keep re-signing in. When debugging his access token, these were the results:
Application ID: 54321
Application:
User ID: 12345 (Joe Blogs)
Issued: 1358275114 (21 hours ago)
Expires: Never
Valid: True
Origin: Web
Scopes: email friends_events manage_pages publish_actions rsvp_event user_birthday user_events user_location
Facebook deprecated offline_access in October which was supposedly the only way to generate such a "never expiring" access token. To confirm my question: why am I seeing a never ending access token and one that does not expire in 60 days?
That access token has manage_pages permission - if you obtained a 60 day user access token, then used that to retrieve a page access token, the user access token linked to the (infinite) page access token also becomes non-expiring.
See Scenario 5 on https://developers.facebook.com/roadmap/offline-access-removal/ for details
Could someone say how I can extend the validity of the access token? The permissions which I am giving to the access token are manage_pages and publish_pages.
At the moment, the answer is that unfortunately you can't (until further notice from Facebook).
Currently Facebook has been locking down this ability due to the security issues they are having. Until yesterday afternoon you could even cheat and create a "never expire" access token using a loophole. But as of today they have locked that down as well.
The 1 hour expiry is because it is a short lived token. You want to then request again with your secret so that you can get a long lived token that expires in 60 days. Explanation from FB devs is here: https://developers.facebook.com/docs/facebook-login/access-tokens
After I read the Graph API documentation, I understood that usually a regular user token has around 2 hours validity, and you can extend it for another 60 days.
I started to test the Graph API, and I generated a token for my personal Facebook account using my own FB application.
I was surprised to find out that this token has the expiration date set to never.
Please have a look over the print screen which contains debug info about the token.
So the question is: why doesn't my token expire in a few hours as is specified in the Graph API documentation?
why my token doesn't expire in a few hours as is specified in the graph api documentation ?
That’s a “side effect” of manage_pages permission.
Extended page access tokens do have unlimited validity. And page access tokens still need to be tied to the user that created them somehow (if the user is removed as admin for the page, the page token needs to get invalidated as well) – so for implementation reasons Facebook chose the way of making the user access token have unlimited validity in this case as well.
Is it possible to generate an access token to read the feed of a Facebook account, where the access token never expires?
From what I understand 60 days is the maximum if the initial login access token is exchanged.
Is it possible to go longer than 60 days?
Now that offline_access is no longer provided, the answer is NO.
There used to be a permission called offline_access that let access tokens work for a longer period of time, but it is removed now. Short-term access tokens and long-term access tokens were introduced instead.
When you redirect your potential user to the Login Dialog and the user completes his login and app authorization process, the user is redirected back to your web page. That's where you get the code parameter, and you will exchange it for a short-term access token, which stays valid for about 2 hours. That should be enough for login purposes.
If you wish to store the token for later use you should acquire long-term access token. I believe this is the one you mentioned. This token lives up to about 60 days as you already figured out and it is the longest.
I'm an admin for a Facebook page. I want to handle a server-side job scheduler which posts at specific times into that Page using the Facebook Graph API.
I'm using this code to do that job: $facebook->api("/$page_id/feed","post",$args); and it is working fine for me.
But I have a problem related to Page Access Token. I need to have a permanent Page Access Token to work forever not to update the access token every specific time because it will be server side job scheduler, no GUI for it.
Any suggestion about how to get Permanent Page Access token?
Note: I followed the steps in Facebook documentation
but I have 3 wonderings about it:
Shall I have a Facebook app to get Long-Lived Page Authentication?
I don't have that option on my Facebook app advanced setting "deprecate offline_access"?
Is 60 days the max valid duration which I can give to a Page Access Token? Can't it become permanent forever?
Earlier people could use offline_access permission to obtain a permanent token. But it looks like Facebook is deprecating this particular permission. Instead, you first need to obtain a short-lived token, then exchange it for a long-lived token, which remains valid for 60 days. Same goes for page tokens.
When a user grants an app the manage_pages permission, the app is able to obtain page access tokens for pages that the user administers by querying the [User ID]/accounts Graph API endpoint. With the migration enabled, when using a short-lived user access token to query this endpoint, the page access tokens obtained are short-lived as well.
Exchange the short-lived user access token for a long-lived access token using the endpoint and steps explained earlier. By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages. This will also apply when querying with a non-expiring user access token obtained through the deprecated offline_access permission.
https://developers.facebook.com/roadmap/offline-access-removal/
If a user gives my app the offline_access permission, approximately how long will the OAuth token last for? The documentation simply says:
"By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when they are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived."
How long specifically would this token last for? Would it be active 24 hours later?
If I recall correctly, the access token returned when requesting the offline_access permission will remain valid until the user revokes the offline_access extended permission from the application, or the user specifically removes the application. Effectively making it a permanent token.
However, this should always be taken with a grain of salt. Facebook allows themselves the freedom to be able to change their policies at any time and the 'long-lived' wording of the description allows them to invalidate the token at any time. It is recommended that your application handles the scenario of the token becoming invalid as it will cover the user removing application access and the token being invalidated for some other reason.
Some helpful information from Facebook here on handling expired access tokens:
https://developers.facebook.com/blog/post/500/
Note that an access token can also expire if the user changes their password or deletes their Facebook account.
Your client (web, iOS, etc) should make a habit of checking for a valid access token & reprompting the user to authorize if the token has expired.
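The token states discussed in these threads (about 2 hours short-lived, 60 days long-lived, non-expiring as a side effect of manage_pages, and invalidated by a password change or app removal) can be checked in one place before a scheduled job runs. The following is an added example, not code from any of the posts or from Facebook; the record keys, the use of 0 for "Never", the 3-hour cut-off and the 7-day renewal window are assumptions, and the sample records are constructed.

```python
import time

HOUR, DAY = 3600, 86400
NEVER = 0  # assumption: "Expires: Never" is stored as 0 in our own records

def assess_token(rec, now=None, refresh_window=7 * DAY):
    """Return (kind, action, reason) for one stored token record (hypothetical keys)."""
    now = int(time.time()) if now is None else now
    scopes = set(rec.get("scopes", []))
    expires = rec.get("expires")
    if expires == NEVER:
        kind = "non-expiring"
    elif expires is None:
        kind = "unknown"
    elif expires - rec["issued"] <= 3 * HOUR:  # assumed cut-off for "about 2 hours"
        kind = "short-lived"
    else:
        kind = "long-lived"
    # Validity comes first: revocation, password change or app removal kill any token.
    if not rec.get("valid", False):
        return kind, "reauthorize", "token reported invalid"
    if kind == "unknown":
        return kind, "reauthorize", "no expiry recorded"
    if kind == "non-expiring":
        if scopes & {"manage_pages", "offline_access"}:
            return kind, "ok", "non-expiring, explained by granted scope"
        return kind, "review", "non-expiring without manage_pages/offline_access"
    remaining = expires - now
    if remaining <= 0:
        return kind, "reauthorize", "expired"
    if kind == "short-lived":
        return kind, "exchange", "swap for a long-lived token before storing"
    if remaining <= refresh_window:
        return kind, "renew", "expires in %d days" % (remaining // DAY)
    return kind, "ok", "valid for %d more days" % (remaining // DAY)

def record(issued, expires, valid, *scopes):
    return {"issued": issued, "expires": expires, "valid": valid, "scopes": list(scopes)}

# Constructed records; the first mirrors the debugger output in the first question.
NOW = 1358275114 + 21 * HOUR
SAMPLES = {
    "page_admin": record(1358275114, NEVER, True, "email", "manage_pages", "publish_actions"),
    "fresh_login": record(NOW - 600, NOW - 600 + 2 * HOUR, True, "email"),
    "stored_55d": record(NOW - 55 * DAY, NOW + 5 * DAY, True, "email"),
    "revoked": record(NOW - DAY, NOW + 59 * DAY, False, "email"),
    "odd_never": record(NOW - DAY, NEVER, True, "email"),
}
```

A "review" result marks a non-expiring token that the granted scopes do not explain, which is worth tracking in a token inventory because such a token stays usable until it is explicitly invalidated.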