I have a Facebook application that does scheduled posts on fan pages.
To do this, the app acquires an OAuth token to use for posting on the page. To get this token, the user needs to visit the app. However sometimes Facebook invalidates these tokens, at least if the user changes their FB password and it seems in some other security-related cases too.
When this happens, the app will fail to post the scheduled post and users are unhappy. How should I resolve this? I could email the users when their token expires, but how would I detect the expiration? Given I have 100,000+ users, it would be expensive to poll the tokens very often.
Well, to directly answer your question, here you go: Facebook Debugger
Enter the Access_token there to check its validity and other info. But I know that wouldn't solve your problem in general. I can help you in the right direction.
You see token validity is affected by the permissions you asked from the user. There is this offline_access permission that gives you an access token that won't time-out, not the regular hour-long tokens. And I'm sure you know this since you're already able to schedule user posts.
Unfortunately, offline_access is now deprecated by Facebook (see this link). From now on, Facebook will give us 2-month access_token by default, even without the permission. From then on, we'll need to "refresh" or extend the access token. Read more on that link.
And about your problem with the user changing password, logging out, etc.: well, Facebook has its own dedicated blog post about it as well, see here.
If you wanna take the path of checking token validity yourself, you can set up a CRON that runs every hour or every day (depends on you), and do a quick API call for each token (/me). If it fails or generates an error, the token has expired.
Much better if you do it every minute: 10 to 20 tokens to check, so it won't put a heavy burden on your server doing 100,000+ calls in one execution.
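The rolling check described in this answer, as an added example that is not part of the original post: each tick probes the least recently checked tokens and separates an `OAuthException` (the user must re-authorize) from a network failure (says nothing about the token). `StoredToken`, `run_tick` and `fake_probe` are hypothetical names; the probe stands in for the `/me` call and its responses are constructed.

```python
from dataclasses import dataclass

@dataclass
class StoredToken:
    user_id: int
    token: str
    last_checked: float = 0.0   # epoch seconds of the last probe

def classify(response: dict) -> str:
    """Map a Graph API JSON response to 'valid', 'reauth' or 'retry'."""
    err = response.get("error")
    if err is None:
        return "valid"
    # OAuthException is the error type quoted on this page for invalidated tokens.
    if err.get("type") == "OAuthException":
        return "reauth"
    return "retry"   # any other error is treated as transient, not as expiry

def run_tick(store, probe, now, batch_size=20):
    """One cron tick: probe a small batch, return user ids that must re-authorize."""
    batch = sorted(store, key=lambda t: t.last_checked)[:batch_size]  # oldest first
    needs_reauth = []
    for entry in batch:
        try:
            outcome = classify(probe(entry.token))
        except OSError:
            outcome = "retry"        # a timeout is not evidence of an invalid token
        entry.last_checked = now     # always advance so one bad entry cannot starve the rest
        if outcome == "reauth":
            needs_reauth.append(entry.user_id)   # report the user id, never the token
    return needs_reauth

# Constructed stand-in for GET /me with the token; a real probe would do the HTTP call.
def fake_probe(token):
    if token == "tok-revoked":
        return {"error": {"type": "OAuthException",
                          "message": "Error validating access token (constructed sample)"}}
    if token == "tok-flaky":
        raise OSError("timeout")
    return {"id": "1", "name": "Constructed User"}

def demo():
    store = [StoredToken(1, "tok-good"), StoredToken(2, "tok-revoked"),
             StoredToken(3, "tok-flaky"), StoredToken(4, "tok-good")]
    first = run_tick(store, fake_probe, now=60.0, batch_size=2)
    second = run_tick(store, fake_probe, now=120.0, batch_size=2)
    return first, second, [t.last_checked for t in store]
```

At 20 tokens per minute, one full pass over 100,000 tokens takes 5,000 minutes (about 3.5 days), which is the worst-case delay before an invalidated token is noticed.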
Related
I have been trying to create a never-expiring Facebook Token (ideally programmatically) and have not been able to do so, then, without really trying, on a different Facebook Application, I managed to create a token which, according to
https://developers.facebook.com/tools/debug/accesstoken?version=v2.5&q={TOKEN}
will never expire and I can't replicate it on any other Facebook Apps or for any other Facebook Tokens.
I can programmatically (PHP) take the short lived token (1/2 hours) and extend it to 60 days, but I wanted to ideally get a never-expire token.
I guess I'm not asking how I managed to do it, but I can't find any explanation or documentation nor reason as to why I was able to achieve this for one token, but not any others.
Is it something in the App itself while it was created? Is there actually a way to get a never-expiring token, even though I've followed many of the guides online yet can only get a 1/2 hour token converted to 60 days?
> Is there actually a way to get a never-expiring token
No, not really. Even what you think is a never-expiring token can expire - f.e. if the user who created it changes their account password.
> I guess I'm not asking how I managed to do it, but I can't find any explanation or documentation nor reason as to why I was able to achieve this for one token, but not any others.

It is not documented, because Facebook wants you to use the 60 day tokens, when your app is acting on behalf of a personal user profile. They removed offline_access permission ages ago, specifically so that apps the user has long forgotten about can’t act on their behalf or still access their data any more.
So if you are writing an app that acts on behalf of users, you should really rather make do with the 60 day token - that should be enough for most cases.
Now what you are seeing with your token here, is a side effect of how Facebook has implemented extended page access tokens. Those do not have a default expiry - but they need to be invalidated when the user is removed as a page admin. Therefore, they are internally tied to the user token that was used to request the page token. User token gets invalidated - page access token becomes invalid together with it. And that in turn requires that the user token does not automatically expire after 60 days.
So, when you extend a user token that includes manage_pages permission, you will get an extended token with “unlimited” validity. But, again, that is a side effect of current implementation only, and can change in the future.
In my web app, I need to post on users facebook feed while they are offline. I already store long lived access tokens for the users. But these tokens also expire after 60 days.
The FB docs mention that it is necessary to redirect users to the login flow to get a renewed access token.
I was thinking of checking the facebook session validity of user, whenever they login to my app and to give them the option of re-authenticating facebook in case their access token has expired.
However this will involve user interaction if the user is not currently logged in to his facebook account.
Are there any alternative solutions to look at? Also, how do sites like Quora manage posting to user's wall, without needing to re-authenticate facebook after every 60 days?
PS - I am using the latest facebook php sdk.
Simple Answer: It is not possible to extend the Access Token on the server. It would make the whole concept void.
Earlier there was a permission called "offline access", but they changed it to an extended token with maximum 60 days to avoid those things. You should NEVER post anything on the wall of the user without his authorization, for every single post. You are not allowed to autofill/prefill the message parameter anyway (see Facebook terms), it always must be 100% user generated.
About Quora: I don't know what exactly they are doing, but I assume they refresh the Access Token whenever the user goes to their website.
I have read Q&As in here and other threads to understand how facebook handles offline_access and I am still not completely understanding how it works, so please someone explain to me.
Seems like facebook still supports client apps to access user info without having to ask user to log in every time. (if authorization is granted by user at least once during installation of client app, for example)
The access_token which enables all this seems a bit confusing to understand correctly.
I see that in c# code, access_token is read-only property so client app can't save and reuse, client app has to ask for the token on behalf of user every time to the authorization server (facebook server). Then there are people saying offline_access (access_token with long term use, expiration period about 60 days) is necessary and some people say default access_token (1-2 hours) is good enough, you just ask for it each time.
Can anybody clarify and please provide some C# code or link containing code?
Thanks in advance
If you have offline_access selected when the user is giving your application permission, all it means is that the access_token that is returned has a long term life - this means that you don't need to re-issue an access_token to make posts (or whatever) on their behalf. Without offline_access, you would need to re-issue the access token each time you wanted to do anything to their account.
If you were to use the 2 hour access_token, when that expired, the user would need to log into Facebook before a new access_token could be issued - meaning you'd need to redirect them to the Facebook login page and then the token would be sent back to you. It's a less convenient method, however I've had nothing but struggles trying to use the offline_access option
As mentioned in this other question, if a user grants the publish_stream permission, I can publish to that user's wall using an app access_token. I tested that and it works. But I couldn't publish to the user's pages using the app access_token! Am I missing something?
Right now I use the /me/accounts/ connection to get the access_token of the pages, and use that to publish. But this is a huge headache for me and for users because these tokens expire often (when users change their password, etc.), and every time that happens the publish fails and I need to email the user to come login again so I can retrieve a new access_token for the page. It's a bad user experience and I'm trying to find a way around it. The app token works for publishing to users, which is great, but I couldn't find a way to make it work for pages. Any tips?
Edit:
To clarify further, I currently request the manage_pages and offline_access permissions, and then fetch the access_token of each page and use that to publish to it. That works. The main problem is that tokens expire, even with the offline_access permission. The most common reason a token would expire is if the user changes her password. Here is a common error that I get a lot when publishing to Facebook pages.
Facebook error. type: OAuthException, message: 'Error validating
access token: Session does not match current stored session. This may
be because the user changed the password since the time the session
was created or Facebook has changed the session for security reasons.'
To handle this, I email the user and ask them to visit our app again, and when they do I grab a fresh set of access_token to work with. But that's problematic because users are confused about why the error happened and blame us for it, and some users don't open their emails so the problem doesn't get solved and then they're angry later when they discover that our app had stopped weeks ago without them asking it to stop.
That's why I was hoping that I can publish with the app access_token to avoid these problems. Since it works for user profiles, I hoped it would work for pages as well. But so far no luck, unless I'm missing something obvious.
What you're describing used to work - all last year we were able to successfully post to fan page walls using the app access token. In fact, for some of our users, I see it still working. However, I think the other two answers are correct, this is no longer the way to post to pages (see "Page Login" here)
That said, you should be able to store the access token of the page to spare yourself the step of re-querying the users' linked accounts.
Unfortunately, the page's access token will suffer the same fragility as a user's, per the answer here: Facebook Page Access Tokens - Do these expire? . The page access token will expire when the user who gave you that access token changes their password.
To publish to pages, there is an extra step where you use their token to get a list of their pages. Each page has its own token, use that token to post to the page. Keep in mind that when setting up the original token, you need to specify that you need access to pages.
My app does exactly what you're after.
I request both manage_pages and offline_access permissions from a user.
I store the user's access_token.
I ask the user which page (determined by me/accounts) they want a stream item posted to and when.
Later, when it is time to publish to a page's feed, I grab the user's access_token from the database, the pageid, and the message.
Using that user's access token, I query the me/accounts and grab the latest access token for that account (aka page)
Using that page's access token, I me/feed (or is it me/posts...away from my codebase at the moment) post the stream item.
I have been asked to look into whether or not I can retrieve a Facebook access token from Facebook if the user had granted permission in an earlier session. The problem is that our business logic tier is maintained by a different group and is on a different release schedule from the web development group. If I were to gain an offline access token, I might not be able to store it for up to two months. For any users acquired in the meantime, is there a way that I can retrieve the token from facebook without further intervention from the user?
I would think that this might be a security hole, but one of our senior developers thinks that it is likely that facebook offers such a feature.
Thanks,
Rob
In short, no.
But with the offline access request being complete.
You can request a new token without any user clicking.
You just get a new offline access token and use that. The same way as if you didn't request offline access, and the access token had expired, it doesn't explicitly say but it does work:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission.
http://developers.facebook.com/docs/authentication/
That way you don't have to store them at all.
Unless you actually want to perform actions when the user is not using your Application.
You'll get the access_token every time the user logs back in, offline_access or not!
You can get it in JS with FB.getAccessToken();
There is no way to retrieve (offline) access token, when the user is not actually logged in.
If you want to store the access token for a long period of time, you will be required to ask for the offline_access permission, otherwise the access token will only last a short period of time. Either way, it is best to store it in a cookie or locally as it will certainly improve your app's latency. But make sure to check its validity as often as possible.
I think the access_token means you have the permission to do things on behalf of the user. If you must do something without user FB login, you need the offline access_token. But be careful, the offline access_token will be ignored when the user changes his/her FB password, or deletes the application.
So I hope there isn't any way to get another access_token without the user permission. I think the easiest way to check the access_token is to make a /me?access_token= GET request, and check the answer. If the answer is an error, the access_token is not working, you have to renew it.
To get access_token from somebody in the middle of the flow is a little pain. But you can also put variables to the redirect link.
Example:
https://graph.facebook.com/oauth/authorize?client_id=API_KEY&scope=email&redirect_uri=YOUR_REGISTERED_APP_URL%3F$param
$param could be a flow info like: flow=12342323
So when your user comes back the $_GET['flow'] will be 12342323.
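The flow value in this answer travels through the user's browser, so the server should confirm on return that it is the value it issued. An added example, not part of the original post: it builds the authorize URL with correct percent-encoding and attaches an HMAC tag to the flow value. The `sig` parameter, the function names and the demo key are hypothetical, and it assumes the registered app URL accepts extra query parameters as the post does.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://graph.facebook.com/oauth/authorize"  # endpoint from the post above

def flow_tag(key: bytes, flow: str) -> str:
    """HMAC-SHA256 over the flow value, keyed with a server-side secret."""
    return hmac.new(key, flow.encode(), hashlib.sha256).hexdigest()

def build_authorize_url(client_id, app_url, flow, key, scope="email"):
    """Put flow and its tag on redirect_uri, then percent-encode every parameter."""
    redirect = app_url + "?" + urlencode({"flow": flow, "sig": flow_tag(key, flow)})
    return AUTHORIZE + "?" + urlencode(
        {"client_id": client_id, "scope": scope, "redirect_uri": redirect})

def read_flow(query_string, key):
    """Return the flow value from the callback query, or None if missing or altered."""
    params = parse_qs(query_string)
    flow = params.get("flow", [None])[0]
    sig = params.get("sig", [None])[0]
    if flow is None or sig is None:
        return None
    # Constant-time comparison on bytes, so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(flow_tag(key, flow).encode(), sig.encode()):
        return None
    return flow

def simulated_callback_query(authorize_url):
    """Query string the browser would bring back to redirect_uri (constructed round trip)."""
    redirect = parse_qs(urlsplit(authorize_url).query)["redirect_uri"][0]
    return urlsplit(redirect).query
```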