We are trying to update our app and server to handle the upcoming Facebook offline_access deprecation. However, we're having trouble testing it since we can't find an easy way to generated an expired access token.
We've tried using the Graph API Tool to create an access token but change a character in it. However this just results in an invalid token instead of a valid expired token.
I'm shocked Facebook hasn't provided a way to do this to facilitate testing. So I'm just assuming I've missed some straightforward way to do this, so would appreciate a pointer from someone.
If you generate an access_token and then change your password, it will auto-expire the token.
Related
I am the administrator of a Facebook Page. I am building a web app which, under certain circumstances, will post on Facebook as that Page.
With most APIs, I would just get an API key, and supply that when connecting to the API from my app. But Facebook expects an access token instead of an API key. (Specifically, in this case, it needs a "page access token".)
I am trying to figure out how to get a page access token that will be as permanent as possible.
After jumping through a bunch of esoteric, undocumented hoops (see here and here) in order to get a token that wouldn't expire, I had this working. When I ran the token through Facebook's Access Token Debugger, the "Expires" field read "Never". All was good in the world.
But, the next day, my token became invalid anyway. The Access Token Debugger, and my app's calls to Facebook's PHP SDK, both started returning this error:
Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.
It seems that a token can become invalid for a variety of reasons (but this article is five years old, so who knows – Facebook changes things every two weeks). I had not changed my password. (I might have logged out of Facebook, though.) Facebook offers no specifics about why this particular token might have become invalid.
I've also seen a few references to a permission called offline_access, but Facebook seems to have removed this.
I suppose my question is twofold:
In general, I've found Facebook token authentication to be incredibly brittle when calling the Facebook API from the server. The token system seems to be designed mainly to allow other users to grant (or revoke) various kinds of account access to my apps. But that's not what I'm doing – I'm trying to get a token that will let me post to a page that I own. And for that scenario, Facebook's aggressive invalidation of tokens becomes a serious liability. I can't launch my app if my access token (and therefore my Facebook integration) could randomly stop working at any moment, requiring me to generate a new token and update the app. This seems absurd. Is there an alternative method of authenticating to Facebook for my purposes?
If a page access token is, in fact, the best way to authenticate my app to Facebook in order to post as my Page: how can I ensure that my token doesn't spontaneously become invalid?
I hate developing for Facebook :/ Thanks for any insight you can offer.
Extended Page Tokens are valid forever. They only get invalidated if you change your password or if you change the App Secret of your App. There´s really no magic in it, checking if the Token is still valid is obviously not a bad idea but that´s up to you. For example, you can send yourself an automated Email when there is an error using the Token, so you can refresh it. But it will really just happen if you change your password.
Links:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
The Graph API offers something called an appsecret_proof but how is it any less compromisable than the access token? It's the HMAC of the access token and the secret, so it's going to be the same for each API call anyway. Since both the appsecret_proof and the access code are needed for each API call, they could be sniffed together. So how does it make things more secure? What is the rationale?
Let´s say someone hacks your App and gets an Access Token of another User. Without appsecret_proof, he would be able to use the Access Token for something malicious. With appsecret_proof, the Access Token alone is useless for anyone who gets it. You can only use the Access Token with the generated appsecret_proof, so you would need the App Secret too - and the App Secret should only be used on the server anyway. It´s called "Secret" for a reason :)
More information: https://developers.facebook.com/docs/graph-api/securing-requests
Example: Extended Page Tokens are valid forever, so they usually get stored in a database. If some user gets access to one of those, he may be able to publish stuff to the Page wall (if the Token includes publish_actions). appsecret_proof makes sure you can only use the Page Token on your server with the App Secret. So the hacker would have to get the Page Token AND he would need to somehow get your App Secret too.
I am trying to retrieve the ads report stats, outlined here:
https://developers.facebook.com/docs/reference/ads-api/adreportstats/
But I am currently stuck with generating an access token. I was going through here: https://developers.facebook.com/docs/reference/ads-api/overview/ ,
And it looks like the only way to generate an access token is to generate it by using live web app.
Is there any other way to generate an access token?
Yes, the only way to get a User access token is to have a user authorise your app via the documented login methods: full documentation here: https://developers.facebook.com/docs/facebook-login/overview/
No.
At least not as far as I can tell. It appears that you need 3 things to generate the token:
App Id, App Secret, Url
https://developers.facebook.com/docs/reference/ads-api/overview/
in the Provide Authorization section.
I'm having a similar issue.
You don't want a client token, you need to generate an access token for the ads reporting.
I've found the Facebook API somewhat confusing because they seem to blur the lines of Access Tokens for accessing user information, and Access Tokens for accessing reporting information.
How to get offline access token of facebook?
I know that from recently time is out of date. And if I can't get offline access tokens.
What solutions of this problem is?
If you want to get a fresh token, simply follow this guide. You can obtain it through the JavaScript SDK, or doing a request to Oauth. In both cases the user will not notice anything unless he de-authenticated your app.
links.getStats was working fine as simple REST call just few weeks ago, and right now it's failing... The reason is simple, it needs an ACCESS_TOKEN.
Of course, my application, which I use to stream some content to my wall, has an non expiring (offline usage) access token. But if I try to use this token with links.getStats I get this error: "Impersonated access tokens can only be used with the Graph API".
So my question would be: How could I get a valid ACCESS_TOKEN, that I could successfully call links.getStats?
Thanks!
We're tracking this issue internally. Here's the bug id: http://bugs.developers.facebook.net/show_bug.cgi?id=19470
The workaround solution is to use any user access token with the call. You're trying to use an app or page access token, which won't work. Go to https://developers.facebook.com/tools/explorer/ , get an access token for yourself, and tack that onto the call with &access_token=YOUR_ACCESS_TOKEN and it will work.