When I debug my Facebook user access token I see two expiration dates (Expires and Data Access Expires) as you can see here:
according to this link, token should expire 60 days after the last use but I'm seeing never and I don't know why! also when I exchange the user access token via this API, Data Access Expires does not change and I still get the same Data Access token Expires. My Facebook App is in development mode and I don't pass App Review yet. Also, I don't use FacebookSDK. do you know why I get never expires and why after exchanging the User Access token, Data access Expires doesn't extend?
Facebook has deprecated the offline access permission.As a developer is there some other way for me to post on the wall of a user when he is not online or I can do that only when he is accessing my app?
You can increase 2 table columns in your app namely short_access_token & long_access_token.
Once user authenticates your app, an access token is generated, store it in short_access_token. Then pass this access token to:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
Once you run this, an access token with 60 days validity will be generated. Store it in long_access_token. Now, use this long_access_token for 60 days.
You can generate long lived access token only once a day i.e. the first time. Use this long lived access token to post on user's wall (if you've already got the permission).
Ref: https://developers.facebook.com/roadmap/offline-access-removal/
You can post to a users wall, without that user being logged in, for up to 60 days. After that, you will need to force the user to login to Facebook again and get a new 60 day access token.
To do all this gracefully, you should store the date of the acquisition of the token in your DB, and set up the necessary UI for the user as that date approaches.
In addition, if the user is an infrequent user of your application, you should really test the validity of the token at least once a day, and go redirect them to login to Facebook if your app finds that the token has expired. This also helps re. tokens becoming invalid due to the user changing their Facebook password.
Of course you can post to a user’s wall as long as you have a valid access token – no matter if they are “online” or not.
Stuff to read (clearly looks like you didn’t do much research of your own before asking):
https://developers.facebook.com/roadmap/offline-access-removal/
https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
If I requested and acquired an access token on, say, the 1st of March, and extended it on 30 days later, will it be valid for another 60 days, or does it require reauthorization from the end user?
We are implementing an autopost functionality, which is triggered by an event inside our own application. Therefore, the end user will not be able to present their cookie to Facebook in order to validate their identity. We need to make sure that we always have a valid access token.
The official Facebook documentation is quite vague on this particular subject.
How are you obtaining the access tokens? Server side flow or client side?
What exactly do you mean by "extending" the tokens? Are you referring to the "new end point" provided by facebook because of the offline_access deprecation?
You are right, facebook are pretty vague about it saying:
If you would like to renew a still valid access_token, you will have
to get a new client-side access token first and then call the same
endpoint below. The returned access_token with the newly extended
expiration time may or may not be the same as the previously granted
extended access_token.
That means that you can not count on the extended token to actually be extended.
More than that though, is that you can't just extend the token with out any user interaction. If the user haven't used your app in the last 60 days you can not extend the token for him.
You can use the App Access Token if you want to publish on users behalf. The App Access Token does not expire unless you de-authorize it yourself. When using your App Access Token you have to specifically indicate the user id you are publishing for - /12345678/photos. You can't use /me/photos. You can read more about this here.
I am implementing a photo album extension inside an umbraco installation. Basically it's just a usercontrol fetching photos from facebook.
I have supplied access_token with the following permissions:
user_photos
offline_access
However, the token seems to be expired after 2 hours. My question is how can I get my token to be valid all the time? Do I need more permissions?
thank you
When retrieving a Facebook access token, an expiration time associated with the access token is also typically returned. If this expiration time is exceeded, your application will need to obtain a new access token (which will also have a new expiration time associated with it). Facebook has an article specifically regarding how to handle expired access tokens here.
I am playing around with the Oauth 2.0 authorization in Facebook and was wondering if the access tokens Facebook passes out ever expire. If so, is there a way to request a long-life access token?
After digging around a bit, i found this. It seems to be the answer:
Updated (11/April/2018)
The token will expire after about 60 days.
The token will be refreshed once per day, for up to 90 days, when the person using your app makes a request to Facebook's servers.
All access tokens need to be renewed every 90 days with the consent of the person using your app.
Facebook change announce (10/04/2018)
Facebook updated token expiration page (10/04/2018)
offline_access:
Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
Its a permission value requested.
http://developers.facebook.com/docs/authentication/permissions
UPDATE
offline_access permission has been removed a while ago.
https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/
Try this may be it will help full for you
https://graph.facebook.com/oauth/authorize?
client_id=127605460617602&
scope=offline_access,read_stream,user_photos,user_videos,publish_stream&
redirect_uri=http://www.example.com/
To get lifetime Access Token you have to use scope=offline_access
Meaning of scope=offline_access is that :-
Enables your application to perform authorized requests on behalf of
the user at any time. By default, most access tokens expire after a
short time period to ensure applications only make requests on behalf
of the user when the are actively using the application. This
permission makes the access token returned by our OAuth endpoint
long-lived.
But according to facebook future upgradation the offline_acees functionality will be deprecated for forever from the 3rd October, 2012.
and the user will be given 60 days long-lived access token and before expiration of the access token Facebook will notify or you can get your custom notification functionality fetching the expiration value from the Facebook Api..
Note that Facebook is now deprecating the offline_access permission in favor of tokens for which you can request an "upgrade" to the expiry. I'm just now dealing with this, myself, so I don't have much more to say, but this doc may help:
https://developers.facebook.com/docs/offline-access-deprecation/
I came here with the same question as the OP, but the answers suggesting the use of offline_access are raising red flags for me.
Security-wise, getting offline access to a user's Facebook account is qualitatively different and far more powerful than just using Facebook for single sign on, and should not be used lightly (unless you really need it). When a user grants this permission, "the application" can examine the user's account from anywhere at any time. I put "the application" in quotes because it's actually any tool that has the credentials -- you could script up a whole suite of tools that have nothing to do with the web server that can access whatever info the user has agreed to share to those credentials.
I would not use this feature to work around a short token lifetime; that's not its intended purpose. Indeed, token lifetime itself is a security feature. I'm still looking for details about the proper usage of these tokens (Can I persist them? How do/should I secure them? Does Facebook embed the OAuth 2.0 "refresh token" inside the main one? If not, where is it and/or how do I refresh?), but I'm pretty sure offline_access isn't the right way.
Yes, they do expire. There is an 'expires' value that is passed along with the 'access_token', and from what I can tell it's about 2 hours. I've been searching, but I don't see a way to request a longer expiration time.
since i had the same problem - see the excellent post on this topic from ben biddington, who clarified all this issues with the wrong token and the right type to send for the requests.
http://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/
You can always refresh the user's access token every time the user logs into your site through facebook.
The offline access can't guarantee you get a life-long time access token, the access token changes whenever the user revoke you application access or the user changes his/her password.
Quoted from facebook http://developers.facebook.com/docs/authentication/
Note: If the application has not requested offline_access permission, the access token is time-bounded. Time-bounded access token also get invalidated when the user logs out of Facebook. If the application has obtained offline_access permission from the user, the access token does not have an expiry. However it gets invalidated whenever the user changes his/her password.
Assume you store the user's facebook uid and access token in a users table in your database,every time the user clicks on the "Login with facebook" button, you check the login statususing facebook Javascript API, and then examine the connection status from the response,if the user has connected to your site, you can then update the access token in the table.
Hit this to exchange a short living access token for a long living/non expiring(pages) one:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
log into facebook account and edit your application settings(account -> application setting ->additional permission of the application which use your account). uncheck the permission (Access my data when I'm not using the application(offline_access)). Then face will book issue a new token when you log in to the application.
Basic the facebook token expires about in a hour. But you can using 'exchange' token to get a long-lived token
https://developers.facebook.com/docs/facebook-login/access-tokens
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
This is a fair few years later, but the Facebook Graph API Explorer now has a little info symbol next to the access token that allows you to access the access token tool app, and extend the API token for a couple of months. Might be helpful during development.
check the following things when you interact with facebook graph api.
1) Application connect URL should be the base of your "redirect_uri"
connect URL:- www.x-minds.org/fb/connect/
redirect_uri - www.x-minds.org/fb/connect/redirect
2) Your "redirect_uri" should be same in the both case (when you request for a verification code and request for an access_token)
redirect_uri - www.x-minds.org/fb/connect/redirect
3) you should encode the the argument when you request for an access_token
4) shouldn't pass the argument (type=client_cred) when you request for an access_token. the authorization server will issue a token without session part. we can't use this token with "me" alias in graph api. This token will have length of (40) but a token with session part will have a length of(81).
An access token without session part will work with some cases
eg: -https://graph.facebook.com/?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.
But Graph API with "me" alias will work with only token with session part.
I don't know when exactly the tokens expire, but they do, otherwise there wouldn't be an option to give offline permissions.
Anyway, sometimes requiring the user to give offline permissions is an overkill. Depending on your needs, maybe it's enough that the token remains valid as long as the website is opened in the user's browser. For this there may be a simpler solution - relogging the user in periodically using an iframe: facebook auto re-login from cookie php
Worked for me...