What to do when OAuth token stops working? - facebook

I am using the Graph API for an app that chooses a "fan of the week" for Facebook pages and announces them automatically to their feed.
For the purpose of announcing the fan on the feed, I store the OAuth access token for the user who installed the app. However sometimes the tokens get invalidated and then the app will fail to post to the feed.
{
"error" : {
"message" : "Error validating access token: The session has been invalidated
because the user has changed the password.",
"type" : "OAuthException"
}
}
Here is another type of error I also get sometimes:
{
"error": {
"message": "Error validating access token: Session does not match
current stored session. This may be because the user changed the
password since the time the session was created or Facebook has changed
the session for security reasons.",
"type": "OAuthException"
}
}
I already have the "offline_access" for these users, but the tokens are still becoming invalid sometimes. Is there anything else I can do to prevent this from happening, besides sending the user an email asking them to visit the app page again so that I could get a new OAuth token?

There's no way around this that doesn't require user intervention of some kind. If it's an app or page users are unlikely to visit frequently, then sending that e-mail sounds like a good idea. When users visit the page or app you can use the FB Javascript SDK, which automatically refreshes sessions, and subscribe to the FB.Event.subscribe('auth.sessionChange') with a handler that updates the token in your database.

If you are trying to publish to a users feed and you have publish_stream permission which hasn't been revoked, you can mostly likely still publish to /userId/feed using an access_token in this format: appid|appsecret. Note that /me will obviously not work because you are using the applications access token.

Related

Graph API doesn't return Page Events with a valid Page Access Token

Due to many Facebook's access policies changes, the question may seem duplicated, but it's not.
My application followed all facebook approval process, and at the moment it has been approved by the "App Review" to get "manage_pages" permission. This allows to obtain a "Page Access Token" which grants the access to the page events, wherever the user is Guest or Host. (Facebook manage_pages)
After switching from Development to Live mode, the /page/events endpoint returns an empty object, with all my granted users, with a valid longlive page access token.
{
"data": [
]
}
Has anyone ever encountered this issue?
Thanks.
Past references about this:
Facebook Graph API does not return Page Events
How can I get the events for a Facebook page?

Facebook "The session is invalid because the user logged out" docs interpretation

I'm confusing about this error (take from facebook documentation) :
Access Token invalidated due to the person logging out or changing their password
{
"error": {
"message": "Error validating access token: The session is invalid
because the user logged out.",
"type": "OAuthException",
"code": 190
}
}
If the access token becomes invalid, the solution is to have the person log in again, at which point you will be able to make API calls on their behalf once more. The login flow your app uses for new people should determine which method you need to adopt.
This is the case: users visit my site and log in with facebook -> i obtain a user access token -> i exchange this short-life user token with a 60 days token -> every day a cron job made a call to facebook to get like counts of some user's posts by the long life token i have retrived from facebook.
It works but , maybe some day later, if a user hit the logout button on his facebook profile page, my long-life token stops to works and return the error.
My question is, if the user re-login in his facebook profile page, my long life token will restart to works? Or the user needs to visit my site again and then relogin to give me another short-life token that i can exchange with a new long-life token?
if i need to request a new long life token, there is an alternative that i can use to maintain a token valid for a month at least, without requesting the login to the user again?

A user access token is required to request this resource

I've developed a Facebookapp that has the "user_photos" permission. Now i've submitted the App, which is now live. I've installed it on several Facebook-Accounts of my friends... (Yes! they have granted the requested permissions)
When i now try to make an request i get the following error message
{
"error": {
"message": "A user access token is required to request this resource.",
"type": "OAuthException",
"code": 102
}
}
Here's my Request-Query:
https://graph.facebook.com/LogInIDOfMyFriendThatHasInstalledTheAPP/?fields=albums.fields(photos,name,description),email&access_token=mySecretAppToken
Ok it works if I replace the App-Token with a User-Token that is generated by an OAuth-Process or via GraphAPIExplorer but in the Documentation (https://developers.facebook.com/docs/facebook-login/access-tokens/) it is said (in Paragraph) "App Tokens" that
"App access tokens are used to make requests to Facebook APIs on behalf of an app rather than a user. [...]" and that i have to generate an other "App Accesstoken" but this also does't work.
I'm confused...
So is there something i've forgotten / missunderstood or do I have to use the oAuth-Way which means that my friends have to reauthenticate to my App every two month???
Thanks a lot!
Best regards
Mike
A few lines after in the documentation it states
App access tokens can also be used to publish content to Facebook on behalf of a person who has granted a publishing permission to your application.
This is what they mean by requests on behalf of the user.
For the albums endpoint you need a user access token.
Yes your friends need to re-authenticate your app every two months if you extend a short lived user access token. The point is not to have apps sitting around with access when the user may have forgotten them. Prompting the user to re-authenticate ensures they are still aware of these apps and can have the choice to keep or delete them

Facebook session expiration error when try to post actions to open graph using 'App access token'

I am facing this error with some of my users, the case is as following:
I use facebook "App access token" to post actions to facebook Open Graph instead of the user access token because app access token don't expire according to facebook documentation unless you refreshed the app secret, I use the follwoing Post url to post actions
https://graph.facebook.com/user_facebook_id/App_Namespace:action_name?FBOG_Object=FBOG_OBJECT_URL&access_token=app_access_token
Some of the actions do appear on facebook, but for some users the actions fails to post and return the following message:
{ "error": { "message": "Error validating access token: Session has expired at unix time 1345759200. The current unix time is 1345925578.", "type": "OAuthException", "code": 190, "error_subcode": 463 } }
What am I doing wrong? Why do I have an expiration error although am using the app access token? Should I worry for user permissions?
After checking the servers it seems that the code that uses the app token was not deployed and the code that uses the user token is still there.
The app token does not expire unless the app owner took some action.
https://developers.facebook.com/docs/authentication/applications/
Error message clearly shows that your access token expired and you need to get another one.
However you can handle this issue : Access token expiration
Also if you are looking for a long life token you need to provide some more parameters while authorizing the application to a new user.
offline_access parameter can be included in a request but now it's been deprecated by facebook. Removal of offline access

Help understanding how to integrate the FB Graph API in my App

I'm working to enable my app to hit the FB Graph API to look up data on a user. I want to do this in a way that is app focused meaning it isn't based on a user signed into my app. It's a relationship between the app & the FB Graph API.
My understanding is I can do that with the APPLICATION ACCESS TOKEN is that right?
If I use my app access token here:
https://graph.facebook.com/search?q=born#gmail.com&type=user&access_token=208131059208382|xFN8da1tIDxuuMp8hoRtGs3l0aM
I get an error:
{
"error": {
"type": "OAuthException",
"message": "An access token is required to request this resource."
}
}
Why is that?
Can I use my personal FB account to hit the API for the purposes of the app?
When a user oAuth's in to an app, how long does the access token last? Is it something I can hard code in my app so I can hit the FB graph api?
Thanks
For a lot of things on Facebook, you have to have a valid session access token from the user. What this means is, the access token you get from a user must be used to access a resource. This is especially true when pulling data about the user out of the graph. The access token that FB gives you when the user loads your application typically lasts for an hour (if I recall correctly). The session object FB gives you tells you the expire time on the token, though.
If you need to access the data for a user in an offline manner, you could ask the user for the offline_access extended permission. Doing this makes Facebook give you an indefinite access token, which doesn't ever expire (unless the user changes their password). That allows you to query the graph on the user's behalf whenever you feel like doing it.
The search feature doesn't require an access token if you're performing a standard search, or a page search, etc. But it does require a valid access token when you're searching for users. I assume this is to keep people from hammering the search and crawling public user data with a bot.
You can follow the instruction in
http://developers.facebook.com/docs/authentication/
take a look at https://github.com/michaelbaldry/fb_graph_canvas - It's a barebones canvas application that you can test locally. It uses fb_graph and is about as simple as can.