I'm wondering if it's possible to build a Facebook app that runs as a background process. Basically, I'd collect data on the user's Facebook usage and email them a monthly report. The question I have is that since Facebook has an auth token with a maximum life of 60 days, is this feasible? I wouldn't want to have to have the user visit a website every other month just to keep using the app.
It seems to me that this is similar to the Twitter Facebook app. Once you authenticate, if you never visit twitter.com again (instead, opting to only use Twitter clients), how do they continue to post to your Facebook account? Doesn't their auth token expire after 60 days? Is there something I'm missing?
I believe you have to have some sort of user interaction to re-authenticate every once in a while.
What platform is your app being built on, facebook, mobile, webapp?
Related
I'm building an app which acts as a simplified layer of the Facebook Ads manager. It can create ads through the Facebook Marketing API.
There are also other services such as adespresso or manychat which offer such a service.
Now I'm wondering about the following: when a user in my app authenticates, I get a short-lived user access token. As far as I understand the documentation, there is no way of refreshing this token. The user would need to log in again.
When I look at the above mentioned apps however, I stay authenticated. I don't have to re-authenticate each time I'm using the app. So does anyone have a suggestion of how to do it like them?
I want to create a Facebook app to be used in live events (ie: concerts, conferences, etc).
So the guests would enroll to the event connecting with Facebook Login and asking the publish_actions permission.
The guest will have an Access Card (RFID chip) that identifies himself and links in our database to his Facebook Access token.
Then, during the event, I would like some actions made by the guests in the event to trigger some actions on Facebook. These actions will be triggered by different applications that communicate with our servers, and our servers will communicate with the Facebook API to trigger actions on Facebook.
So when the guest does check in at the event, his Access Card is scanned by the event staff, and then should automatically post a message on his timeline indicating that he is at that event, sharing a link with more details about that event.
We also want to have a physical Photo Booth where the guest has his Access Card scanned, and then takes a picture that should be automatically posted on his timeline too.
So this is not the typical Facebook app flow, as the content is posted automatically by actions made by the user, but managed by our software instead of actions directly triggered by the user himself.
I'm not sure if this kind of application is allowed on Facebook and if it's allowed, how would the review process be done, as this can't be tested using a website or phone app.
Has anyone made something similar, or does anyone know the best approach to getting this approved on Facebook?
Thank you!
The user MUST login with Facebook and authorize your App. People have tried those things with a specific device where people could login, but Facebook detects multiple logins on one device and may block your App. So the only way is to let people use their own device/smartphone to authorize your App. For example, you could offer them a QR tag with a link to the login flow.
The problem with authorizing before the event and storing a Token is that an Extended User Token is valid for 60 days. So if a user enrolls and the event is 61 days later, the Access Token will not work anymore - unless the User refreshes the Token by visiting your App. So before letting him do this before the event, you can just as well let him authorize the App at the event date.
A specific App for the event is surely the safest way, of course.
I'm storing long-lived access tokens for users of my application that have associated their Facebook accounts to it. Since the demise of the offline_access tokens, these long-lived tokens have an expiry date of "about 60 days." However, they can refresh themselves when the user interacts with Facebook. According to the documentation:
These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
What I'd like to know is what constitutes making a request to Facebook's servers. Does the user have to log in to the Facebook website, mobile app, or use a Like button somewhere? Or does my application making a request on behalf of the user count as well?
Also, when the tokens are refreshed, are they refreshed for another 60 days? Or are they refreshed for a smaller duration?
I wasn't able to find these specific answers in the documentation or in other questions asked here, so thanks in advance to anyone who might have more details.
Every time you use the Facebook SDK to make any Graph API call, tokens will be refreshed. You can see this in their source code: in AccessTokenManager there is a function extendAccessTokenIfNeeded(), and that function is called inside GraphRequest in the function executeConnectionAndWait().
You can also manually refresh tokens by calling:
AccessToken.refreshCurrentAccessTokenAsync();
I found one exception to this. Only SSO tokens can be refreshed, which means only if the user logged in to your app via the Facebook app. If the user logged in via a browser, the token will remain the same.
The previous line to the one you pasted is important:
Native mobile applications using Facebook's SDKs will get long-lived access tokens, good for about 60 days
The section you pulled out refers only to iOS and Android apps using the Facebook SDK - the SDK makes an API call to extend the token, which will only work from the SDK and for tokens produced by the native mobile SDKs.
Other apps (e.g. websites, apps on facebook.com) need to use the login flows documented elsewhere in the documentation and require the user to be logged into Facebook in their browser.
I have an application which uses offline_access to get permanent access to different pages.
Users can install this application and add it to pages, where they are admins.
With an external Backend they can administrate their app and let it post different things (Competitions, ...).
So they don't have to stay logged in to Facebook.
Now... there is the problem...
On May 1st the offline_access permission will be removed and the customers have to get a new Token for their Pages every 60 days.
Since now I'm using the offline_access feature for our customers to get non-expiring Page-Tokens.
Is there any workaround for that?
Often it's just a Facebook sub-account of the customers to run the app. So it's possible that they don't login for 60+ days = the access token will expire and the application won't work.
Redirect them to a link of your app in Facebook when their access token has expired, like this:
http://apps.facebook.com/xxx/reaccess.php?ref=REF_URL
Get a new access_token and redirect the user back to your app's original page again.
I don't think you would need to ask them again for permissions.
Remind the user to re-authorize access before the expiration of the token. Do this by sending them an app-to-user request and an email (because app-to-user requests don't generate a notification). In the email include a link directly to a web page which instantly pops up the authorization dialog (and do something similar with the app-to-user request).
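The reminder approach above, together with the 61-day enrollment problem raised in the earlier answer about event apps, can be sketched server-side as follows. This is an added example, not code from any poster or from Facebook; the exact 60-day lifetime, the 7-day reminder window, the 3-day cooldown, the record layout and the sample users are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumptions (not from the thread): "about 60 days" treated as exactly 60,
# a 7-day reminder window and a 3-day cooldown between reminders.
TOKEN_LIFETIME = timedelta(days=60)
REMIND_WINDOW = timedelta(days=7)
REMIND_COOLDOWN = timedelta(days=3)

@dataclass
class StoredToken:                     # hypothetical record; token value omitted
    user_id: str
    expires_at: datetime               # taken from the login flow's response
    last_reminded: Optional[datetime] = None

def classify(tok: StoredToken, now: datetime) -> str:
    """Return 'expired', 'remind', 'reminded' or 'ok' for one stored token."""
    if now >= tok.expires_at:
        return "expired"               # purge it; the user must log in again
    if tok.expires_at - now <= REMIND_WINDOW:
        recent = (tok.last_reminded is not None
                  and now - tok.last_reminded < REMIND_COOLDOWN)
        return "reminded" if recent else "remind"
    return "ok"

def usable_at(tok: StoredToken, when: datetime) -> bool:
    """Will the token still be valid at a future moment (e.g. the event date)?"""
    return when < tok.expires_at

def plan(tokens, now):
    """Group user ids by the action the backend should take."""
    buckets = {"ok": [], "remind": [], "reminded": [], "expired": []}
    for tok in tokens:
        buckets[classify(tok, now)].append(tok.user_id)
    return buckets

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: each token is issued on the date shown.
NOW = utc(2024, 3, 1)
SAMPLE = [
    StoredToken("alice", utc(2024, 2, 20) + TOKEN_LIFETIME),
    StoredToken("bob", utc(2024, 1, 5) + TOKEN_LIFETIME),
    StoredToken("carol", utc(2023, 12, 20) + TOKEN_LIFETIME),
    StoredToken("dave", utc(2024, 1, 5) + TOKEN_LIFETIME, utc(2024, 2, 29)),
]

if __name__ == "__main__":
    print(plan(SAMPLE, NOW))
```

Tokens in the "expired" bucket should be deleted from storage rather than retried, since only the user going through the login flow again yields a new one.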
The instructions on using Single Sign-On (SSO) with the Facebook iOS SDK are to save the access token and expiration date in fbDidLogin and use them on subsequent calls to avoid unnecessary logins.
But what if the user logs out of Facebook outside the app (e.g. in the Facebook app or in Safari)? The app doesn't know about this, so it tries to use the saved token and expiration date, and to my surprise - they are still valid and the app can access the user's data even though the user has logged out.
Any way around this?
No, there is no way to do this. Each FB login a user makes is specific to the client they logged in with. A FB login is not universal across all clients. The FB token you get from the SDK is a token for that user with your app. So if a user logs out of FB in their browser or another app, they have not logged out of FB from your app, so the token will remain valid until it expires or the app or user explicitly logs out from the context of your app.
Not sure why you are concerned about this. Generally you would want your users to remain logged in. If you have a reason you don't want this, don't request the "offline_access" permission when you authorize a FB user, and you can also log out and de-authorize the user via the FB API based on whatever criteria you deem appropriate.