With offline_access being deprecated is it possible to store a user's access_token and post to that user's wall sometime in the future?
Yes it is, but if you want to make those tokens useful in more than one or two hours (default expiration now), you need to exchange them for a long-living one (60 days lifetime).
There's a manual page dedicated for this permission removal, the part that you are interested in is the Scenario 4: Client-side OAuth and Extending Access_Token Expiration Time through New Endpoint. It comes down to simply adding one more http request on the server side before saving the token for later use to this endpoint:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
The result should be an access token and an expiration time somewhere near 60 days.
Related
I have a strange problem with Facebook Oauth access_token endpoint:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
The documentation here (in "Scenario 3") said:
"If the call is made while there is still a valid long-lived user access_token for that user, the returned user access_token from this second call may be the same or may have changed, but in either case the expiration time will be set to a long expiration time."
If I obtain a valid long-lived user access_token, this endpoint returns the same access token I already have and expires parameter too but only for a short period.
So if I repeat the same call to the above andpoint with the same access_token after some time (few hours for example) it returns only the access_token without the expires parameter.
...so I can't establish when my access_token will expires.
Note that the access_token returned is still valid and it works perfectly.
Have you experienced the same issue?
Do you have any suggestions?
Thank you!
We're experiencing the same problem. I'd advise recording the expiration time in your database. Not the seconds to expire, of course, but the actual date/time of expiration.
We, too, will be sending an email to request the user renew their token. If there's another way to make that request, we're also interested in knowing about it. Asking the user for yet another thing (their email) doesn't sound like a good idea.
Facebook has deprecated the offline access permission.As a developer is there some other way for me to post on the wall of a user when he is not online or I can do that only when he is accessing my app?
You can increase 2 table columns in your app namely short_access_token & long_access_token.
Once user authenticates your app, an access token is generated, store it in short_access_token. Then pass this access token to:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
Once you run this, an access token with 60 days validity will be generated. Store it in long_access_token. Now, use this long_access_token for 60 days.
You can generate long lived access token only once a day i.e. the first time. Use this long lived access token to post on user's wall (if you've already got the permission).
Ref: https://developers.facebook.com/roadmap/offline-access-removal/
You can post to a users wall, without that user being logged in, for up to 60 days. After that, you will need to force the user to login to Facebook again and get a new 60 day access token.
To do all this gracefully, you should store the date of the acquisition of the token in your DB, and set up the necessary UI for the user as that date approaches.
In addition, if the user is an infrequent user of your application, you should really test the validity of the token at least once a day, and go redirect them to login to Facebook if your app finds that the token has expired. This also helps re. tokens becoming invalid due to the user changing their Facebook password.
Of course you can post to a user’s wall as long as you have a valid access token – no matter if they are “online” or not.
Stuff to read (clearly looks like you didn’t do much research of your own before asking):
https://developers.facebook.com/roadmap/offline-access-removal/
https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
Currently I am working with long-lived access token (60 day expiration long-lived).
I see a post in facebook I can extend long-lived access token by first getting back short-lived access token and then renewing it to new long-lived token.
I hope this can be done without user getting involved. (user doesn't have to log in and give the permissions again for this process)
Has anybody done this in c#?
It would be greatly appreciated if you can share code or link.
Here is the instruction from facebook website:
"If you would like to refresh a still valid long-lived access_token, you will have to get a new short-lived user access_token first and then call the same endpoint below. The returned access_token will have a fresh long-lived expiration time, however, the access_token itself may or may not be the same as the previously granted long-lived access_token."
And here is some example posted right below the instruction which I am not familiar with how to use:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
Website source: http://developers.facebook.com/roadmap/offline-access-removal/
[…] y first getting back short-lived access token and then renewing it to new long-lived token. I hope this can be done without user getting involved.
No, of course it can not, at least not without any user interaction.
You have to at least have the user visit one of you pages, where you can check his login status client-side and get a short-lived access token in return if he is still connected to your app.
At this url, Facebook explains how to authenticate using Facebook Connect.
Basically, the steps are the following:
Redirect to facebook as the example. As a result I'll get an authorization code
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=email,read_stream
Do a HTTP post to the following address, asking for an access_token
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
Facebook will answer the last HTTP post with an access_token. Fine.
The access_token received above expires. The number of seconds it will still be valid is returned along with the access_token. Ok.
The problem is: What should I do after it expires?
From Facebook oficial website:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token
Wait! I can't re-run the steps above because in order to obtain a new authorization code I would have to redirect (step1). I don't want to redirect. I want to obtain a new authorization code through a web-service. The user already authorized my application and I won't have an oportunity again to redirect him or her.
What should I do?
PS: Thinking logically, I wouldn't need to gain a new authorization code after access_token expires. A new access_token would be enough. But, as I showed, facebook says authorization code also expires.
You would want to use the "offline_access" permission. This allows the token to be long-lived. See the permissions page: http://developers.facebook.com/docs/authentication/permissions/ .
Since they've removed offline_access, Facebook provided a way to extend the expiration of existing short-lived tokens.
Just make the following request:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
And, about the expiration of long-lived access tokens,
Currently the long-lived user access_token will be valid for 60 days while the
short-lived user access_tokens are currently valid from 1 to 2 hours.
For more information, please refer to https://developers.facebook.com/roadmap/offline-access-removal/
Users login Facebook on my website via an URL that redirects them to
https://graph.facebook.com/oauth/authorize?client_id=116908145XXXXXX&display=page&scope=offline_access&redirect_uri=http://localhost:8000/account/services/?service=facebookcallback
On the callback page I make a request with the code I receive to get the access token, at this URL
https://graph.facebook.com/oauth/access_token?code=2.3m2hLauQJpWTGFExUK6O3w__.3600.1290081600-100001796185871%7.....&format=json&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Faccount%2Fservices%2F%3Fservice%3Dfacebookcallback&client_id=116908145040447&scope=offline_access&client_secret=...
The response I get is this
access_token=116908145XXXXXX|2.3m2hLauQJpWTGFExUK6O3w__.3600.1290081600-100001796185871|S3MG...&expires=3912
As it can be seen from the token it has an expiration date.
The token expires some hours after the request. Shouldn't I receive an access token without expiration date if I make the requests with scope=offline_access ?
Old post, but the info might be useful for someone else.
Facebook now disables offline_access by default. You must enable an app migration if you still want to use it.
With the migration off, tokens will be "short lived" and last only an hour or two. You can get an extended token which lasts about 60 days by making a request to
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
See this page for more details
tokens you get with offline_access permissions, are "long-lived" as facebook says in their documentation, but it is not said that it has no expiration / infinite. Even if you get this not-time-bounded access_token, it can still expire if the user changes his password or if he removes your application.
But to answer your question directly, yes you should get a long-lived access_token using "scope=offline_access". Also, please check if the dialog showed "Access my data anytime"