Facebook offline_access but access tokens still expire - facebook

I have written an application to manage a user's Facebook notifications. The app requests offline_access as well as manage notifications permissions. My logs have been filling up with Facebook errors. I understand that when a user changes their password the token is going to expire, but what I don't understand is why I am getting these errors:
Facebook Error: Error validating access token: Session has expired at unix time 1320012000. The current unix time is 1320191317.
Facebook Error: (#200) The "manage_notifications" permission is required in order to query the user's notifications.
They are occurring way too often to be users just rejecting the permissions and the access tokens that are expiring have expirations of 0.

Related

New Facebook Long Lived Access Tokens Are Not Valid

I am creating long-lived access tokens for my users when they first sign up for my app; this has been working fine for the past 6-8 months. Recently, the manage_pages permission was revoked from my app (when Graph API v8.0 was released) due to lack of use. It is true that we did not use this permission, but the reason we asked for it is because it was required for some of the calls we were doing to gather Instagram insights for our users when we first started. I don't know if this has anything to do with the issue but just including it anyways.
Now it seems that newly created access tokens are automatically invalid; this was never the case before. I run these access tokens through the access token debugger and get the following error:
Error validating access token: The user has not authorized application [MY_APP_ID].
It seems this problem slowly began to onset, and now every single new user on our app is experiencing this issue, even after granting us the following permissions:
public_profile
email
instagram_basic
instagram_manage_insights
pages_show_list
The permissions recently revoked from my app were:
pages_manage_ads
pages_read_user_content
pages_manage_metadata
Users go through the complete OAUTH flow, and when they are redirected to my site I create a long-lived access token but it seems the token does not recognize that the user had authorized my app, hence the reason it is invalid.
Here is my OAUTH Url for new users:
https://www.facebook.com/v5.0/dialog/oauth?client_id={{ settings.FACEBOOK_CLIENT_ID }}&redirect_uri={{ settings.FACEBOOK_REDIRECT_URL }}&state={{MY_STATE}}&return_scopes=true&auth_type=rerequest&scope=public_profile,email,instagram_basic,instagram_manage_insights,pages_show_list
You have to remove the manage_pages scope from your Facebook button code and replace it with the pages_show_list scope :)

offline_access token error The session is invalid because the user logged out

I am getting this error with the PHP SDK for Facebook:
Fatal error: Uncaught OAuthException: Error validating access token: The session is invalid because the user logged out. thrown in /public_html/facebook/base_facebook.php on line 1106
I have already requested offline_access permission from the app and tested it with a real Facebook account. It works when the account is logged in as it should, but when I log out with the Facebook account, the token becomes invalid. Doesn't the offline_access permission allow access even when the user logged out?
Facebook has recently deprecated offline_access, so check your app's settings to make sure you have it enabled (although it will be gone for good in May).
There is a problem in using offline_access as the access token expires earlier than it will be.
Refer to this link

Facebook Access Token Expiring with offline access

I have an application to manage a user's Facebook notifications; the app requests offline_access as well as manage notifications permissions. My logs have been filling up with Facebook errors. I understand that the change password error is going to happen, but what I don't understand is why I am getting these errors:
Facebook Error: Error validating access token: Session has expired at unix time 1320012000. The current unix time is 1320191317.
Facebook Error: (#200) The "manage_notifications" permission is required in order to query the user's notifications.
They are occurring way too often to be users just rejecting the permissions and the access tokens that are expiring have expirations of 0
For future reference, offline_access has been removed, now it is possible to get an access_token with a life span of 2 months
https://developers.facebook.com/roadmap/offline-access-removal/
Are you trying to use the user's token? Once you request offline access, you should "login" with your app to get its own access token when you want to do something, not use the user's token that you saved. If that is what you are doing.
Scroll down to the part on this page labeled "App Login". That's how you are supposed to do things when users are not present, not retain and use the user's token.
https://developers.facebook.com/docs/authentication/

How long do 'offline_access' OAuth tokens last for?

If a user gives my app the offline_access permission, approximately how long will the OAuth token last for? The documentation simply says:
"By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when they are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived."
How long specifically would this token last for? Would it be active 24 hours later?
If I recall correctly, the access token returned when requesting the offline_access permission will remain valid until the user revokes the offline_access extended permission from the application, or the user specifically removes the application. Effectively making it a permanent token.
However, this should always be taken with a grain of salt. Facebook allows themselves the freedom to be able to change their policies at any time and the 'long-lived' wording of the description allows them to invalidate the token at any time. It is recommended that your application handles the scenario of the token becoming invalid as it will cover the user removing application access and the token being invalidated for some other reason.
Some helpful information from Facebook here on handling expired access tokens:
https://developers.facebook.com/blog/post/500/
Note that an access token can also expire if the user changes their password or deletes their Facebook account.
Your client (web, iOS, etc) should make a habit of checking for a valid access token & reprompting the user to authorize if the token has expired.
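The advice in the answers above (handle an invalid token, then reprompt the user) sketched as an added example that is not code from any of the posts: it sorts the error strings quoted on this page into "reauthorize" or "re-request a permission". Matching on message text and the names `classify` and `triage` are assumptions of this sketch.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the error strings quoted in the posts on this page.
SAMPLE_ERRORS = [
    "Error validating access token: Session has expired at unix time "
    "1320012000. The current unix time is 1320191317.",
    '(#200) The "manage_notifications" permission is required in order to '
    "query the user's notifications.",
    "Error validating access token: The user has not authorized application [MY_APP_ID].",
    "Error validating access token: The session is invalid because the user logged out.",
]

@dataclass
class Verdict:
    action: str                        # reauthorize | rerequest_permission | unknown
    reason: str
    expired_for: Optional[int] = None  # seconds between expiry and the failed call
    permission: Optional[str] = None

# Assumption: match on message text, since that is all the posts show.
_EXPIRED = re.compile(r"Session has expired at unix time (\d+)\. The current unix time is (\d+)")
_PERMISSION = re.compile(r'\(#200\) The "(\w+)" permission is required')
_TOKEN_INVALID = {
    "has not authorized application": "not_authorized",
    "user logged out": "logged_out",
}

def classify(message: str) -> Verdict:
    m = _EXPIRED.search(message)
    if m:
        expired_at, now = int(m.group(1)), int(m.group(2))
        return Verdict("reauthorize", "expired", expired_for=now - expired_at)
    m = _PERMISSION.search(message)
    if m:
        # Permission error rather than a token-validation error: ask for the scope again.
        return Verdict("rerequest_permission", "missing_permission", permission=m.group(1))
    for needle, reason in _TOKEN_INVALID.items():
        if needle in message:
            return Verdict("reauthorize", reason)
    return Verdict("unknown", "unrecognized")

def triage(messages):
    """Count failures per (action, reason) so a spike in one class stands out."""
    return Counter((v.action, v.reason) for v in map(classify, messages))
```

Log the verdict and the user id, not the token itself, and stop retrying with a token classified as `reauthorize` until the user has gone through the login dialog again.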

Can I get a Facebook authorization that won't expire?

I want the users of my website to be able to authorize Facebook access in their profiles, such that our servers can continuously use that authorization. I know how to do the authorization part, but what I get back is an access key that will eventually expire. This would require the user to log back in and re-authorize us periodically.
Is there a way that the user can grant authorization once, giving me an access key that won't expire?
Update
The offline_access is now disabled as pointed out in one of the comments. To understand the changes, Facebook has a nice post. https://developers.facebook.com/roadmap/offline-access-removal/
Old Answer
If the application has not requested offline_access permission, the access token is time-bounded. Time-bounded access tokens also get invalidated when the user logs out of Facebook. If the application has obtained offline_access permission from the user, the access token does not have an expiry. However, it gets invalidated whenever the user changes his/her password.
http://developers.facebook.com/docs/authentication/