Access token becomes invalid after some time even though offline_access is set - facebook

I can retrieve my App users information using access token just after the user accepted my App, and I have stored the access token into my database.
However, when I want to update the information later, the access token becomes invalid and Facebook returns "message": "Error validating application.". It's quite interesting that only some of my users have this problem.
I have already set "offline_access" into the permission dialog, so the token should not expire. Also, I'm sure that the users have neither changed password nor removed App.
So, will the token become invalid sometimes even with "offline_access" set?

I had this problem and found it was due to coding error. The variable I used to hold the token was being garbage collected. It didn't always happen at the same point in time so it was a bit confusing.
So, my suggestion is, make sure the variable holding the token is a class variable.

Related

Using both access and refresh tokens for refreshing them

I was investigating how to work with JWT and found something that is not obvious to me:
Why, when refreshing an access token, is only the refresh token used rather than both the access and refresh tokens?
In this case we would be able to:
Verify the access token signature, even if it is expired.
Get information from the access token payload, which may help in finding the refresh token in the database.
Your question is a bit unclear and is assuming some things that may not be true. Neither access tokens nor refresh tokens have to be JWTs, and JWTs are not specific to OAuth2 (which defines access and refresh tokens, but doesn't say how they should be implemented).
The audience for access tokens and refresh tokens is also different - access tokens are sent to a (possibly separate) resource server (the issuing authorization server may not even have kept a copy if they are self contained). Refresh tokens are sent to the authorization server.
Locating either type of token in a database (assuming they aren't self-contained tokens like JWTs) should never be a problem because they should be unique tokens which make ideal primary keys for a database table. So there would be no reason to send an expired access token as part of a refresh request.
Welcome to Stack Overflow, by the way :).

Report expired access token

I'm working to implement Google Actions, and I've come into this problem.
After successful authentication (Account Linking with OAuth) everything works fine, all of the intents (SYNC, QUERY, etc.) are working.
During the test phase I've restarted the server that handles the authentication and the intents (which also holds user sessions on our side), so the user session that Google has became invalid (nonexistent) on our side, so when a new intent is incoming with the access token (that we could say has expired on my side) the intent fails with an authentication error. And here comes the issue:
I've tried to respond with authExpired or even authFailure as described here: https://developers.google.com/actions/smarthome/develop/process-intents#error-responses
but it simply does not work. It seems like until the token expires on Google's side, I'm not able to make it expire "intentionally". So to make it work we are forced to unlink the action or wait for the expiration time, then everything works as expected.
Is this an intended behavior?
I hope my question was clear, if not I'm here to add more details.
Thanks,
It seems like until the token does not expire on Google side, I'm not able to make it expire "intentionally".
You are correct that this is the current behavior. Generally speaking, we expect developers to use short-lived access tokens where the expiration time is meaningful in requiring those tokens to be granted again.
Developers wishing to enable users to intentionally revoke access (outside of unlinking their account) should invalidate the refresh token provided to Google and continue to return an authFailure when those credentials are presented.
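The two answers above make the same design point from opposite ends: the refresh grant needs nothing but the refresh token (which is unique, so it is its own lookup key), and deliberate revocation is done by invalidating that refresh token so later refreshes fail while short-lived access tokens simply run out. The following is an added example of a minimal authorization-server token store written for this page, not code from either thread; it uses an HMAC-signed token with an `exp` claim as a stand-in for a JWT, keeps refresh tokens by their SHA-256 hash, and takes the current time as an explicit `now` argument so it can be exercised deterministically (pass `time.time()` in real use).

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = secrets.token_bytes(32)   # HMAC signing key (constructed for this example)
ACCESS_TTL = 15 * 60               # short-lived access token, in seconds
REFRESH_TTL = 30 * 24 * 3600       # refresh token lifetime, in seconds
_refresh_db = {}  # sha256(token) -> {"sub", "exp", "revoked"}; opaque unique tokens make ideal keys

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_access_token(sub, now):
    """Self-contained signed token: a resource server verifies it without calling us."""
    payload = _b64(json.dumps({"sub": sub, "exp": int(now + ACCESS_TTL)}).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_access_token(token, now):
    """Return the claims if the signature is good and the token is unexpired, else None."""
    payload, sig = token.split(".")
    expected = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims["exp"] > now else None

def issue_refresh_token(sub, now):
    rt = secrets.token_urlsafe(32)
    _refresh_db[hashlib.sha256(rt.encode()).hexdigest()] = {"sub": sub, "exp": now + REFRESH_TTL, "revoked": False}
    return rt

def refresh(refresh_token, now):
    """Refresh grant: the refresh token alone locates the record; no access token is needed."""
    rec = _refresh_db.get(hashlib.sha256(refresh_token.encode()).hexdigest())
    if rec is None or rec["revoked"] or rec["exp"] <= now:
        return {"error": "invalid_grant"}   # client must send the user through consent again
    rec["revoked"] = True                   # rotation: each refresh token is single-use
    return {"access_token": issue_access_token(rec["sub"], now),
            "refresh_token": issue_refresh_token(rec["sub"], now)}

def revoke(refresh_token):
    """User-initiated revocation: every later refresh attempt fails with invalid_grant."""
    rec = _refresh_db.get(hashlib.sha256(refresh_token.encode()).hexdigest())
    if rec is not None:
        rec["revoked"] = True
```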

Instagram is invalidating access tokens. I thought they didn't?

As far as I thought, Instagram does not invalidate access tokens based on their documents. But for a few users of the thousands using one of my applications built on their API, that does not seem to be the case.
I originally referred to the following SO question when initially building the application, and a few others - but I came to the conclusion (or so I thought) that Instagram does not invalidate tokens, which does not seem to be true: Instagram access token expire
Our application makes requests on behalf of a user at specific times of the day. It is an application that users may only need to ever log into once to utilize the service.
Here, for example, is a user who signed up 4 days ago - his service was working great until this morning, when testing his access token we were receiving this response:
{"meta": {
    "error_type": "OAuthAccessTokenException",
    "code": 400,
    "error_message": "The access_token provided is invalid."
}}
Why would this be happening on an access token that was valid 4 days ago? We asked the specific user this error is being returned for if he revoked access to our application or anything along those lines, and he did not.
I'm curious if perhaps he changed his IG password which invalidated his access tokens for applications (Although that doesn't seem likely as to what would cause this?)
Does anyone else have experience with Instagram applications randomly invalidating access tokens?
Also, note that 99% of users who have been using our application for a month or more have never had this issue. We've only encountered 3 to 5 other accounts this has happened with.
It's not really random. In fact an access token can be invalidated in these 2 cases:
the user changed his password or was forced to do so (when IG thinks the account has been compromised).
they deleted the app the access token is linked to. (Or IG forces the app to be deleted if they suspect spam behavior)
But they do not expire with time.
From my own experience the token can expire if:
the user removes the app
the Instagram account gets temporarily locked, which can happen if the Instagram user logs in from an unknown device/location (e.g. another country). The user is asked to confirm their identity by entering an SMS code.
The second scenario is probably an Instagram bug. Why would the app token expire each time the account gets temporarily locked? I would like to get an answer from Instagram as well.
NOTE: The token does not expire if user changes password.

Facebook api batch for revalidate multiple access token

I want to make a Facebook batch call to read registered users walls.
As far as I know, I need to specify the user access token in the body of each call in the batch. But with the offline_access deprecation, I need to revalidate all users' access tokens before using them.
So, if I am batching multiple calls, it makes no sense to revalidate each access token separately (as described here: http://goo.gl/M3Jrr).
How can I revalidate those access tokens faster?
How can I re-validate those access tokens faster?
You can't. Once a user access token has expired, you need to capture this and get the user to engage with your app to refresh the access token.
Now I don't know why you would need to read your registered users' walls in bulk which, depending on your motives, might be a violation of Facebook policies, but I suppose in the response body of the batch call you should receive a clear error about an expired access token and hence, for example, add a flag in the DB for those (inactive) users to re-engage them later.

How do I check when a fb-token will expire

Is there a possibility to check when a fb-token will expire?
I've read Authenticating as an app and Handling invalid and expired access tokens and searched the interwebs for an answer but I couldn't find any.
Regards, Senad
The good news is, there's an endpoint for it now.
You can retrieve the information related to a particular Access Token by issuing a GET request to the debug_token connection. Something like:
GET /debug_token?
input_token={input-token}&
access_token={access-token}
You can get more information about it in the Getting Info about Tokens and Debugging reference.
Unfortunately there's no specific endpoint that will tell you if an access_token is still valid or not, but you can use the token to fetch anything and see if it returns an error or not.
However, if you are using the server-side flow for authentication, they will send you an expire parameter that holds the time in seconds that the token will remain valid (the SDK may hide this fact from you).
But as the Handling invalid access tokens page explains, there are a number of reasons why an access_token can become invalid, so the expire field alone won't tell you whether the token is valid at the moment. The only way to find out is to try using it and see if it returns an error; as the Handling expired... page states, you will have to be prepared for any graph request to return errors.
You can manually check it here for a given access token:
https://developers.facebook.com/tools/debug
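The practical upshot of the Facebook batch answer, the Instagram error shown earlier on this page and the debug_token answer just above is the same: an expiry timestamp is a hint, not a guarantee, so every Graph response must be inspected for a token error and the affected user flagged for re-engagement. The block below is an added example written for this page, not code from any of the answers; it assumes the Graph API batch reply is a list of items whose `body` is a JSON-encoded string, that token failures arrive as error type `OAuthException` (Facebook) or `OAuthAccessTokenException` (Instagram, as quoted above), and that debug_token reports `data.is_valid` and `data.expires_at` with 0 meaning no expiry. The sample batch reply is constructed.

```python
import json
import time

TOKEN_ERROR_TYPES = {"OAuthException", "OAuthAccessTokenException"}  # assumed Facebook / Instagram names

def token_error(body):
    """Return the error type if a Graph/Instagram response body reports a token problem, else None."""
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except ValueError:
            return None
    if not isinstance(body, dict):
        return None
    err = body.get("error")            # Graph API envelope: {"error": {"type": ..., "message": ...}}
    if isinstance(err, dict) and err.get("type") in TOKEN_ERROR_TYPES:
        return err["type"]
    meta = body.get("meta")            # Instagram envelope, as in the question above
    if isinstance(meta, dict) and meta.get("error_type") in TOKEN_ERROR_TYPES:
        return meta["error_type"]
    return None

def users_needing_reauth(user_ids, batch_response):
    """Walk a batch reply in request order; return the users whose token failed."""
    flagged = []
    for uid, item in zip(user_ids, batch_response):
        if item is not None and token_error(item.get("body", "")):
            flagged.append(uid)        # in a real app: set a re-engage flag on this user's row
    return flagged

def token_status(debug_token_response, now=None):
    """Read a debug_token reply (assumed fields data.is_valid / data.expires_at, 0 = no expiry)."""
    data = debug_token_response.get("data", {})
    if not data.get("is_valid", False):
        return "invalid"
    exp = data.get("expires_at", 0)
    now = time.time() if now is None else now
    return "expired" if exp and exp <= now else "valid"

# Constructed sample: one success and two token failures (the third body is the Instagram error
# from the question); each item carries the sub-request's HTTP code and its JSON body as a string.
SAMPLE_BATCH = [
    {"code": 200, "body": json.dumps({"data": []})},
    {"code": 400, "body": json.dumps({"error": {"type": "OAuthException", "message": "Error validating access token"}})},
    {"code": 400, "body": json.dumps({"meta": {"error_type": "OAuthAccessTokenException", "code": 400,
                                               "error_message": "The access_token provided is invalid."}})},
]
```

Even a token that debug_token reports as valid with a distant expires_at can fail on the next request for the reasons the answers list, so the per-response check is the one that must never be skipped.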