Facebook access tokens expiring for unknown reason - facebook

EDIT from #avs099: I'm starting the bounty on this post as I have exactly the same issue. I summarize the problem here, and leave the post itself without any changes at the bottom for the reference.
What we have: Facebook page access token, obtained as described here: Authenticating as a Page and which live was extended to 60 days with new fb_exchange_token request.
What is the problem: this token works for some time - sometimes I can post hundreds of photos to my fan page in the period of several days; sometimes it's literally few photos - and then I start getting either
(OAuthException) Error invalidating access token: The session has been
invalidated because the user has changed the password.
or
(OAuthException) Error invalidating access token: Session does not
match current stored session. This may be because the user changed the
password since the time the session was created or Facebook has
changed the session for security reasons.
exceptions from the Facebook - but of course I did not do change password or deauthorized the app.
Additional information: Not sure if that matters but:
Sometimes I start using token few days after I request it from the Facebook
Token is requested (by the C# backend) from the server
which is located in a different geographical region from the desktop
app which posts photos to the fan page.
It happens sometime that several different desktop apps post photos from different PCs (i.e. different IPs I guess)
Anybody has a clue what's going on and how to resolve this?
Thank you.
I have a facebook app that serves two purposes:
1) Allows users to facebook connect with my site
2) Allows my site to post to my sites facebook fan page wall
What I'm concerned about is the 2nd usage. I used to be able to set the permissions for an app on a fan page to just allow posting (via the php sdk) without any concern about an access token. Now I've created some new fan pages and that functionality seems to have been removed. Alright, so I go through the whole process of getting an access token (successfully) for the user (always me or another admin of my facebook fan pages) and use that token to get the access tokens for the fan pages I manage (I have the manage_pages permission and so do the other admins for the pages I want to post to). However by the engine gets around to posting content to my fan pages the tokens have expired with one of two error messages:
Error invalidating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.
or
OAuthException: Error invalidating access token: The session has been invalidated because the user has changed the password.
But this isn't an access token dependent on outside users, only internal people (me and one other guy right now). We aren't changing our passwords or doing anything. I've even tested it by logging out of facebook after acquiring tokens and it works fine. It's just after a little while they expire for no reason that I can determine. When I get the tokens I can check them on the debugging tool and they are supposed to last 60 days (according to the doc) although the tool says they never expire.
I've set up the system so when it fails to post to the page I get an email with the link to my site to update the tokens.
Anyone have a clue what's going on?

As Mikhail pointed out, if you get an error reporting that the token is invalid cause user has changed the password. Odds are you are requesting a new token somewhere hidden in the code, when you already have a valid one.

Possibly related to this bug? https://developers.facebook.com/bugs/241373692605971?browse=search_4fb4832bcaf7b1549293950

I have the same problem in my app - sometimes tokens expiring.
One of the find reason: sometimes my app ask for new token while old token is valid and FB return an error or i couldn't save new token for some reason.
After that old token expire - only one token for pair user-app may be valid.

You can fetch the unauthorized token so a new token is requested (or whatever you like).
I can provide a nice explanation but you can read it all here:
https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/

A temporary solution is to ask the user to delete the application from it's profile, and allow it again.

I had same problem and resolved it "reinstalling the app to users facebook applications". it may help you if nothing answers to problem.
To do that:
facebook user who is facing the problem goes to its facebook page
he/she removes your app from his/her application list.
Retry to login via facebook sdk on android.

Related

How can I get a permanent access token to post to a Facebook page that I own?

I am the administrator of a Facebook Page. I am building a web app which, under certain circumstances, will post on Facebook as that Page.
With most APIs, I would just get an API key, and supply that when connecting to the API from my app. But Facebook expects an access token instead of an API key. (Specifically, in this case, it needs a "page access token".)
I am trying to figure out how to get a page access token that will be as permanent as possible.
After jumping through a bunch of esoteric, undocumented hoops (see here and here) in order to get a token that wouldn't expire, I had this working. When I ran the token through Facebook's Access Token Debugger, the "Expires" field read "Never". All was good in the world.
But, the next day, my token became invalid anyway. The Access Token Debugger, and my app's calls to Facebook's PHP SDK, both started returning this error:
Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.
It seems that a token can become invalid for a variety of reasons (but this article is five years old, so who knows – Facebook changes things every two weeks). I had not changed my password. (I might have logged out of Facebook, though.) Facebook offers no specifics about why this particular token might have become invalid.
I've also seen a few references to a permission called offline_access, but Facebook seems to have removed this.
I suppose my question is twofold:
In general, I've found Facebook token authentication to be incredibly brittle when calling the Facebook API from the server. The token system seems to be designed mainly to allow other users to grant (or revoke) various kinds of account access to my apps. But that's not what I'm doing – I'm trying to get a token that will let me post to a page that I own. And for that scenario, Facebook's aggressive invalidation of tokens becomes a serious liability. I can't launch my app if my access token (and therefore my Facebook integration) could randomly stop working at any moment, requiring me to generate a new token and update the app. This seems absurd. Is there an alternative method of authenticating to Facebook for my purposes?
If a page access token is, in fact, the best way to authenticate my app to Facebook in order to post as my Page: how can I ensure that my token doesn't spontaneously become invalid?
I hate developing for Facebook :/ Thanks for any insight you can offer.
Extended Page Tokens are valid forever. They only get invalidated if you change your password or if you change the App Secret of your App. There´s really no magic in it, checking if the Token is still valid is obviously not a bad idea but that´s up to you. For example, you can send yourself an automated Email when there is an error using the Token, so you can refresh it. But it will really just happen if you change your password.
Links:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/

Handling an expired long lived access token, server side - facebook

In my web app, I need to post on users facebook feed while they are offline. I already store long lived access tokens for the users. But these tokens also expire after 60 days.
The FB docs mention that it is necessary to redirect users to the login flow to get a renewed access token.
I was thinking of checking the facebook session validity of user, whenever they login to my app and to give them the option of re-authenticating facebook in case their access token has expired.
However this will involve user interaction if the user is not currently logged in to his facebook account.
Are there any alternative solutions to look at. Also, how do sites like Quora manage posting to user's wall, without needing to re-authenticate facebook after every 60 days.
PS - I am using the latest facebook php sdk.
Simple Answer: It is not possible to extend the Access Token on the server. It would make the whole concept void.
Earlier there was a permission called "offline access", but they changed it to an extended token with maximum 60 days to avoid those things. You should NEVER post anything on the wall of the user without his authorization, for every single post. You are not allowed to autofill/prefill the message parameter anyway (see Facebook terms), it always must be 100% user generated.
About Quora: i don´t know what exactly they are doing, but i assume they refresh the Access Token whenever the user goes to their website.

Long-lasting FB access-token for server to pull FB page info

I'm aware that there are many questions about Facebook access-tokens and the grief they cause, but despite much experimentation and reading many frustratingly vague blog articles (FB and otherwise), I'm still struggling to get a clear answer to my needs. Let me succinctly break down my process so far:
I am creating a site that, server-side, needs to pull the posts/statuses from a single Facebook Page
I am an admin of that Facebook Page
I have created a Facebook App
Using the Facebook Graph API Explorer, I've generated a short-lived key, connected to my app and my account, that grants permission to my account to view the access-tokens for my pages
I've converted my short-lived key to a long-lived key (60 days) ala scenario 4 from this
And here's where I am stuck. My 60 day key works fine for my server to pull the info needed from the page, but as far I can tell, there's no way to programmatically extend that 60 day key. I also do not know of a way to generate a new short-lived key without manually going to the Facebook Graph API Explorer and creating one.
Since it is my server making the requests to the Facebook API and not a user-based system (where I could easily request that a user authorize the Facebook app again), this creates a very clunky system. Since Facebook deprecated offline_access, is there really no permanent way to have my server pull info from my own page? Will I really have to create a new key by hand and manually update my server with it every 60 days?
Or is there something I'm missing?
Update:
The step-by-step guide that was previously found here has been migrated down into its own answer.
These are the steps that were previously in the question - they have been migrated to this answer.
Having found that it is possible to generate a Facebook Page Access Token that does not expire (with help from #Igy), here is a clear, step-by-step quide for all those looking to the same:
Make sure you are the admin of the FB page you wish to pull info from
Create a FB App (should be with the same user account that is the page admin)
Head over to the Facebook Graph API Explorer
On the top right, select the FB App you created from the "Application" drop down list
Click "Get Access Token"
Make sure you add the manage_pages permission
Convert this short-lived access token into a long-lived one by making this Graph API call:
https://graph.facebook.com/oauth/access_token?client_id=<your FB App ID >&client_secret=<your FB App secret>&grant_type=fb_exchange_token&fb_exchange_token=<your short-lived access token>
Grab the new long-lived access token returned back
Make a Graph API call to see your accounts using the new long-lived access token: https://graph.facebook.com/me/accounts?access_token=<your long-lived access token>
Grab the access_token for the page you'll be pulling info from
Lint the token to see that it is set to Expires: Never!
That should do it. You should now have a Facebook Page Access Token that doesn't expire, unless:
You change your Facebook account password
You lose admin access for the target page
You delete or de-authorize your Facebook App
Any of these will cause the access token to become invalid.
If you are getting (#100) Tried accessing nonexisting field (accounts) on node type (Page), go to the Access Token Debugger, copy the value of User ID, and use it to replace the "me" part of the URL in step 9.
This is covered in the Offline Access deprecation document
Use the 60-day token for the page admin to retrieve a Page Access Token (via /PAGE_ID?fields=access_token or /me/accounts) - the Page access token will not have an expiry time
An approach that works in 2019
I was recently trying to achieve something similar (to the use case described in this thread), but I wanted to make sure to respect Facebook's current policies, so I did a little research and here I'm sharing what I found.
My use case
So, as I said already, my use case is very similar to the one described here; that is:
I'm doing some work for a school district.
They are using a software tool to manage pretty much everything that relates to school transportation.
That tool allows them to send email notifications (to subscribers) when they publish bus delay alerts and school closure alerts.
A lot of people in the community follow the organization on their Facebook page, and that's the only place they look for those alerts.
So an employee of the organization has to manually publish each notification on the Facebook page (in addition to creating it in the transportation software). Moreover, those notifications eventually expire (or are simply deleted before they expire), so the employee has to go back later on to delete them manually as well.
It's a waist of time, so what we are trying to do here is to develop as simple system that periodically polls the software tool's database for new (and expired) notifications and update them (i.e. add and remove) on the Facebook page.
This is, in my view, a legitimate use case, but I wasn't sure how to implement it in a way that's in line with Facebook's policies.
The accepted answer
I followed the steps of the accepted answer and it worked, except that things appear to have changed: now, even though the generated page token does not expire, access to data does expire after around 60 days. You will see that as well if you follow the procedure and inspect the page token in the FB Token Debugger Tool.
Besides, the fact that the generated page tokens are tied to the user account is also unfortunate, because if the user updates his/her password, then the page token also gets invalidated.
How to do it in 2019
After several hours of research, I stumbled upon the following Facebook documentation article: Business Login for Direct Businesses.
It turns out that it is now possible, following the steps described in the above article, to generate a page token that is not associated to any particular Facebook user account and which will not expire (unless the FB App gets deleted or the underlying application token gets deleted, you know...)
So here are the steps and the most important parts:
You need a Business Manager account.
Verification will be required and a digital contract will have to be signed.
You need to add the target Facebook page to that account.
You need to create a Facebook App, and transfer that app to the same Business Manager account as well.
The app will have to go through Facebook's review process, because the following permissions will be needed: manage_pages and publish_pages.
Important note For the posts made using the generate page token to be visible to users other than the application administrators, that app will need to have been published and approved.
You may still experiment with the concept without submitting for review, but the posts won't be publicly visible.
In the Business Manager account (only after your app and page have been added to the account), you need to create what's called a System User, and give that user admin role (or permissions) to the target Facebook page.
A system user is owned by the Business Manager account, and isn't tied to a specific user. My current understanding is that one major use case for a system user is programmatic access to Facebook's Graph API (just what we need).
Then, for that system user, you need to generate a access token (which will be never-expiring). You will be prompted to select for which app. You will then select your target app.
You will then need to use the generated app token to generate a page token, which will also be never-expiring. The procedure is described in this article as:
GET /<PAGE_ID>?fields=access_token&access_token=<SYSTEM_USER_ACCESS_TOKEN>
That's it.
That token will never expire, and it won't be tied to a particular Facebook user, so it's exactly what we need!
The last part is to make sure that your Facebook app gets approved by Facebook. It's in fact the most important part, because the whole procedure is worthless if people don't see our posts.
I wanted to know for sure that I could rely on the above procedure to build something for my client without Facebook rejecting it in the end, so, beforehand (i.e. before starting to work on my client's project), I went through the whole process of creating a page, an app, a Business Manager account, etc. I verified my business. I submitted my app for review. In my request, I was very specific about my use case and emphasized that the app was for "self-use" (i.e. that the organization is developing an app for itself, not for other Facebook users). I got approved without less than 24 hours.
A few other notes about the app review process:
I had to select a platform for the app, so I selected website.
I had to indicate why the app needed the two permissions and how it was going to use them.
I had to indicate why the reviewer would not be able to sign into my app and try it (i.e. because the app will be used by a worker process).
For the mandatory screencasts, I simply presented manual operations in the terminal using the curl utility (to generate the page token and make posts to the Facebook page). I also showed how I was using Business Manager to link the system user to the page and generate a token, and so on.
Again, I was very specific about my use case, and I think that that helped.
I hope this information will be useful to people with similar use cases.
Many thanks to #redhotvengeance for step-by-step guide.
After some time, now there is clearly described in Facebook documentation:
https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension
Extending Page Access Tokens
Apps can retrieve a page access token from Page admin users when they
authenticate with the manage_pages permission. If the user access
token used to retrieve this page access token is short-lived, the page
access token will also be short-lived.
To get a longer-lived page access token, exchange the User access
token for a long-lived one, as above, and then request the Page access
token. The resulting page access token will not have any expiry time.
You can also copy and past from the app dashboard on facebook.
The steps:
Go to https://developers.facebook.com
Select your app in the top right corner of the page
(pic of what it looks like)
Click on Messenger from the options on the left (it will go to setting automatically) (pic of what it looks like)
Go to the "Token Generation" section in the page. Select what page you want to generate the token for. (pic of what that section looks like)
The copy and past your page token where ever you need it.
Keep in mind that while in theory your token won't expire, that it is directly tied to what ever facebook account your logged into. So say you change your password or you remove the permissions from between your account and your app then your token won't be valid any more.

Can I publish to pages with an app access_token

As mentioned in this other question, if a user grants the publish_stream permission, I can publish to that user's wall using an app access_token. I tested that and it works. But I couldn't publish to the user's pages using the app access_token! Am I missing something?
Right now I use the /me/accounts/ connection to get the access_token of the pages, and use that to publish. But this is a huge headache for me and for users because these tokens expire often (when users change their password, ...et), and every time that happens the publish fails and I need to email the user to come login again so I can retrieve a new access_token for the page. It's a bad user experience and I'm trying to find a way around it. The app token works for publishing to users, which is great, but I couldn't find a way to make it work for pages. Any tips?
Edit:
To clarify further, I currently request the manage_pages and offline_access permissions, and then fetch the access_token of each page and use that to publish to it. That works. The main problem is that tokens expire, even with the offline_access permission. The most common reason a token would expire is if the user changes her password. Here is a common error that I get a lot when publishing to Facebook pages.
Facebook error. type: OAuthException, message: 'Error validating
access token: Session does not match current stored session. This may
be because the user changed the password since the time the session
was created or Facebook has changed the session for security reasons.'
To handle this, I email the user and ask them to visit our app again, and when they do I grab a fresh set of access_token to work with. But that's problematic because users are confused about why the error happened and blame us for it, and some users don't open their emails so the problem doesn't get solved and then they're angry later when they discover that our app had stopped weeks ago without them asking it to stop.
That's why I was hoping that I can publish with the app access_token to avoid these problems. Since it works for user profiles, I hoped it would work for pages as well. But so far no luck, unless I'm missing something obvious.
What you're describing used to work - all last year we were able to successfully post to fan page walls using the app access token. In fact, for some of our users, I see it still working. However, I think the other two answers are correct, this is no longer the way to post to pages (see "Page Login" here)
That said, you should be able to store the access token of the page to spare yourself the step of re-querying the users' linked accounts.
Unfortunately, the page's access token will suffer the same fragility as a user's, per the answer here: Facebook Page Access Tokens - Do these expire? . The page access token will expire when the user who gave you that access token changes their password.
To publish to pages, there is an extra step where you use their token to get a list of their pages. Each page has its own token, use that token to post to the page. Keep in mind that when setting up the original token, you need to specify that you need access to pages.
my app does exactly what you're after.
I request both manage_pages and offline_access permissions from a user.
I store the user's access_token.
I ask the user which page (determined by me/accounts) they want a stream item posted to and when.
Later, when it is time to publish to a page's feed, I grab the user's access_token from the database, the pageid, and the message.
Using that user's access token, I query the me/accounts and grab the latest access token for that account (aka page)
Using that page's access token, I me/feed (or is it me/posts...away from my codebase at the moment) post the stream item.

Facebook access token invalid with message "session does not match current stored session"?

I have recently started getting this error while posting to facebook newsfeed stream
of an app user,
I do have an offline access permission for the access tokens, and they worked
fine previously.
This error is coming for 30-40% of the users.
"Error validating access token: Session does not match current stored session.
This may be because the user changed the password since the time the session
was created or may be due to a system error."
It's possible for your access token to become invalid for a variety of reasons (expiry time passed, user changed password, user deauthorized your app, user logged out of Facebook, etc.). You should always design to account for this scenario.
If your users are active, it's easy to get a new access token from the OAuth endpoint without them having to do/see anything. If not, you should make a plan (such as emailing them) for how you will get them to return so you can get a new access token. The scenario you're describing is not necessarily unusual. You can find some code samples here for help on how to handle expired access tokens.
This is undocumented but I just tested it and it works with expired access tokens. Should work on access tokens that have been invalided if you know their user id, and they haven't revoked privileges to your app. First, you can verify that you still have have the permissions you need by calling using this url:
https://graph.facebook.com/userID/permissions?access_token=appID|appSecret
If you still have publish_stream permissions, you can issue a HTTP POST to this url:
https://graph.facebook.com/userID/feed
with post parameters of access_token=appID|appSecret&message=test message
There seem to be a lot of questions about why your token would have expired so quickly. I think I can shed some light on that. Here are a number of scenarios I have found which cause this:
There is the obvious one; the user changed his password. There is nothing you can do about this. They will need to reauthorize your app. The rest of these scenarios deal with page tokens, which are similar to a token for a user profile, except they come from querying /me/accounts with the user token of a valid administrator for the page. These seem to expire much more frequently.
It seems that if ANY administrator of a page changes their password (not necessarily the one who's token you are using), this can cause the token to expire. Also, if you have some pages in your system with the same administrator, calling /me/accounts often refreshes ALL of the tokens for the pages this user administrates. That means if you are connecting a new page for a user with existing pages, you will need to update the existing page tokens with the new ones provided by /me/accounts.
Finally, the way I deal with this in my system is to store the admin user and token as a parent of the page token in my database. This way when I need to reconnect a page or add a new page, the system can lookup and update any related page tokens received from /me/accounts. It also allows you to automatically attempt to refresh the token by calling /me/accounts when you receive the expired token exception.
Hope some of this helps!
Check out the blog post officially from facebook: How-To: Handle expired access tokens
The offline session token is changed whenever a user changes his password. If a previously working session suddenly stops (and you're getting that error) then the user's password was changed (probably by the user) and you will need to re-prompt them to grant you offline access and save the new session token you get.
I also faced this issue while accessing the post comments from my command utility. In my case everything was working fine, until suddenly I got the error:
The remote server returned an error: (400) Bad Request.
After diagnosing the problem, I found that the Facebook access token is expiring after a period of time even though I created it with the offline_access option as below:
https://www.facebook.com/dialog/oauth?client_id=[APPID]&redirect_uri=[URL]&scope=user_photos,email,user_birthday,user_online_presence,offline_access
After wasting of lots of time on RND, I found that there is an option in the app's Advanced Settings for Remove offline_access permission. My client had enabled it, and that's the reason my token was expiring. Have look at the image below:
In my case I had to generate a new page access token because I changed my Facebook password.
You can do that by going to https://developers.facebook.com, click on your app, see the menu on the left, choose Messenger, then Settings, then scroll to Access Tokens, click Generate token, copy the token and paste it into your configuration file.