I want the users of my website to be able to authorize Facebook access in their profiles, such that our servers can continuously use that authorization. I know how to do the authorization part, but what I get back is an access key that will eventually expire. This would require the user to log back in and re-authorize us periodically.
Is there a way that the user can grant authorization once, giving me an access key that won't expire?
Update
The offline_access is now disabled as pointed out in one of the comments. To understand the changes Facebook as a nice post. https://developers.facebook.com/roadmap/offline-access-removal/
Old Answer
If the application has not requested offline_access permission, the access token is time-bounded. Time-bounded access token also get invalidated when the user logs out of Facebook. If the application has obtained offline_access permission from the user, the access token does not have an expiry. However it gets invalidated whenever the user changes his/her password.
http://developers.facebook.com/docs/authentication/
Related
I'm an admin for a Facebook page I want to handle a server side job scheduler which post every specific time into that Page using Facebook Graph API.
I'm using this code to do that job: $facebook->api("/$page_id/feed","post",$args); and it is working fine for me.
But I have a problem related to Page Access Token. I need to have a permanent Page Access Token to work forever not to update the access token every specific time because it will be server side job scheduler, no GUI for it.
Any suggestion about how to get Permanent Page Access token?
Note: I followed the steps in Facebook documentation
but I have 3 wanderings about it :
Shall I have Facebook app to get Long-Lived Page Authentication ??
I don't have that option on my Facebook app advanced setting
"deprecate offline_access" ??
Is the 60 days is the max valid duration which I can give it to Page
Access Token .. can't it become permanent for ever ??
Earlier people could use offline_access permission to obtain a permanent token. But it looks like Facebook is deprecating this particular permission. Instead, you first need to obtain a short-lived token, then exchange it for a long-lived token, which remains valid for 60 days. Same goes for page tokens.
When a user grants an app the manage_pages permission, the app is able
to obtain page access tokens for pages that the user administers by
querying the [User ID]/accounts Graph API endpoint. With the migration
enabled, when using a short-lived user access token to query this
endpoint, the page access tokens obtained are short-lived as well.
Exchange the short-lived user access token for a long-lived access
token using the endpoint and steps explained earlier. By using a
long-lived user access token, querying the [User ID]/accounts endpoint
will now provide page access tokens that do not expire for pages that
a user manages. This will also apply when querying with a non-expiring
user access token obtained through the deprecated offline_access
permission.
https://developers.facebook.com/roadmap/offline-access-removal/
I have an application to manage a users Facebook notifications, the app requests offline_access as well as manage notifications permissions. My logs have been filling up with Facebook errors, I understand that the change password error is going to happen, but what I don't understand is why I am getting these errors:
Facebook Error: Error validating access token: Session has expired at unix time 1320012000. The current unix time is 1320191317.
Facebook Error: (#200) The "manage_notifications" permission is required in order to query the user's notifications.
They are occurring way too often to be users just rejecting the permissions and the access tokens that are expiring have expirations of 0
For future reference, offline_access has been removed, now it is possible to get an access_token with a life span of 2 months
https://developers.facebook.com/roadmap/offline-access-removal/
Are trying to use the user's token? Once you request offline access, you should "login" with your app to get it's own access token when you want to do something, not use the user's token that you saved. If that is what you are doing.
Scroll down to the part on this page labeled "App Login". That's how you are supposed to do things when user's are not present, not retain and use the user's token.
https://developers.facebook.com/docs/authentication/
I have been asked to look into whether or not I can retrieve a Facebook access token from Facebook if the user had granted permission in an earlier session. The problem is that our business logic tier is maintained by a different group and is on a different release schedule from the web development group. If I were to gain an offline access token, I might not be able to store it for up to two months. For any users acquired in the meantime, is there a way that I can retrieve the token from facebook without further intervention from the user?
I would think that this might be a security hole, but one of our senior developers thinks that it is likely that facebook offers such a feature.
Thanks,
Rob
In short No.
But with the offline access request being complete.
You can request a new token without any user clicking.
You just get a new offline access token and use that. The same way as if you didn't request offline access, and the access token had expired, it doesn't explicitly say but it does work:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission.
http://developers.facebook.com/docs/authentication/
That way you don't have to store them at all.
Unless you actually want to perform actions when the user is not using your Application.
You'll get the access_token every time the user logs back in, offline_access or not !
You can get it in JS with FB.getAccessToken();
There is no way to retrieve (offline) access token, when the user is not actually logged in.
If you want to store the access token for a long period of time, you will be required to ask for the offline_access permission, otherwise the access token will only last a short period of time. Either way, it is best to store it in a cookie or locally as it will certainly improve your app's latency. But make sure to check its validity as often as possible.
I think the access_token means, you have the permission to do things on behalf of the user. If you must do something without user FB login, you need the offline access_token. But be careful, the offline access_token will be ignored, when the user change his/her FB password, or delete the application.
So I hope there isn't any way to get another access_token without the user permission. I think the easiest way to check the access_token to make a /me?access_token= GET request, and check the answer. If the answer is an error, the access_token not working, you have to renew it.
To get access_token from somebody in the middle of the flow is a little pain. But you can also put variables to the redirect link.
Example:
https://graph.facebook.com/oauth/authorize?client_id=API_KEY&scope=email$redirect_uri=YOUR_REGISTERED_APP_URL%3F$param
$param could be a flow info like: flow=12342323
So when your user come back the $_GET['flow'] will be 12342323.
If a user gives my app the offline_access permission, approximately how long will the OAuth token last for? The documentation simply says:
"By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived."
How long specifically would this token last for? Would it be active 24 hours later?
If I recall correctly, the access token returned when requesting the offline_access permission will remain valid until the user revokes the offline_access extended permission from the application, or the user specifically removes the application. Effectively making it a permanent token.
However, this should always be taken with a grain of salt. Facebook allows themselves the freedom to be able to change their policies at anytime and the 'long-lived' wording of the description allows them to invalidate the token at any time. It is recommended that your application handles the scenario of the token becoming invalid as it will cover the user removing application access and the token being invalided for some other reason.
Some helpful information from Facebook here on handling expired access tokens:
https://developers.facebook.com/blog/post/500/
Note that an access token can also expire if the user changes their password or deletes their Facebook account.
Your client (web, iOS, etc) should make a habit of checking for a valid access token & reprompting the user to authorize if the token has expired.
I am playing around with the Oauth 2.0 authorization in Facebook and was wondering if the access tokens Facebook passes out ever expire. If so, is there a way to request a long-life access token?
After digging around a bit, i found this. It seems to be the answer:
Updated (11/April/2018)
The token will expire after about 60 days.
The token will be refreshed once per day, for up to 90 days, when the person using your app makes a request to Facebook's servers.
All access tokens need to be renewed every 90 days with the consent of the person using your app.
Facebook change announce (10/04/2018)
Facebook updated token expiration page (10/04/2018)
offline_access:
Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
Its a permission value requested.
http://developers.facebook.com/docs/authentication/permissions
UPDATE
offline_access permission has been removed a while ago.
https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/
Try this may be it will help full for you
https://graph.facebook.com/oauth/authorize?
client_id=127605460617602&
scope=offline_access,read_stream,user_photos,user_videos,publish_stream&
redirect_uri=http://www.example.com/
To get lifetime Access Token you have to use scope=offline_access
Meaning of scope=offline_access is that :-
Enables your application to perform authorized requests on behalf of
the user at any time. By default, most access tokens expire after a
short time period to ensure applications only make requests on behalf
of the user when the are actively using the application. This
permission makes the access token returned by our OAuth endpoint
long-lived.
But according to facebook future upgradation the offline_acees functionality will be deprecated for forever from the 3rd October, 2012.
and the user will be given 60 days long-lived access token and before expiration of the access token Facebook will notify or you can get your custom notification functionality fetching the expiration value from the Facebook Api..
Note that Facebook is now deprecating the offline_access permission in favor of tokens for which you can request an "upgrade" to the expiry. I'm just now dealing with this, myself, so I don't have much more to say, but this doc may help:
https://developers.facebook.com/docs/offline-access-deprecation/
I came here with the same question as the OP, but the answers suggesting the use of offline_access are raising red flags for me.
Security-wise, getting offline access to a user's Facebook account is qualitatively different and far more powerful than just using Facebook for single sign on, and should not be used lightly (unless you really need it). When a user grants this permission, "the application" can examine the user's account from anywhere at any time. I put "the application" in quotes because it's actually any tool that has the credentials -- you could script up a whole suite of tools that have nothing to do with the web server that can access whatever info the user has agreed to share to those credentials.
I would not use this feature to work around a short token lifetime; that's not its intended purpose. Indeed, token lifetime itself is a security feature. I'm still looking for details about the proper usage of these tokens (Can I persist them? How do/should I secure them? Does Facebook embed the OAuth 2.0 "refresh token" inside the main one? If not, where is it and/or how do I refresh?), but I'm pretty sure offline_access isn't the right way.
Yes, they do expire. There is an 'expires' value that is passed along with the 'access_token', and from what I can tell it's about 2 hours. I've been searching, but I don't see a way to request a longer expiration time.
since i had the same problem - see the excellent post on this topic from ben biddington, who clarified all this issues with the wrong token and the right type to send for the requests.
http://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/
You can always refresh the user's access token every time the user logs into your site through facebook.
The offline access can't guarantee you get a life-long time access token, the access token changes whenever the user revoke you application access or the user changes his/her password.
Quoted from facebook http://developers.facebook.com/docs/authentication/
Note: If the application has not requested offline_access permission, the access token is time-bounded. Time-bounded access token also get invalidated when the user logs out of Facebook. If the application has obtained offline_access permission from the user, the access token does not have an expiry. However it gets invalidated whenever the user changes his/her password.
Assume you store the user's facebook uid and access token in a users table in your database,every time the user clicks on the "Login with facebook" button, you check the login statususing facebook Javascript API, and then examine the connection status from the response,if the user has connected to your site, you can then update the access token in the table.
Hit this to exchange a short living access token for a long living/non expiring(pages) one:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
log into facebook account and edit your application settings(account -> application setting ->additional permission of the application which use your account). uncheck the permission (Access my data when I'm not using the application(offline_access)). Then face will book issue a new token when you log in to the application.
Basic the facebook token expires about in a hour. But you can using 'exchange' token to get a long-lived token
https://developers.facebook.com/docs/facebook-login/access-tokens
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
This is a fair few years later, but the Facebook Graph API Explorer now has a little info symbol next to the access token that allows you to access the access token tool app, and extend the API token for a couple of months. Might be helpful during development.
check the following things when you interact with facebook graph api.
1) Application connect URL should be the base of your "redirect_uri"
connect URL:- www.x-minds.org/fb/connect/
redirect_uri - www.x-minds.org/fb/connect/redirect
2) Your "redirect_uri" should be same in the both case (when you request for a verification code and request for an access_token)
redirect_uri - www.x-minds.org/fb/connect/redirect
3) you should encode the the argument when you request for an access_token
4) shouldn't pass the argument (type=client_cred) when you request for an access_token. the authorization server will issue a token without session part. we can't use this token with "me" alias in graph api. This token will have length of (40) but a token with session part will have a length of(81).
An access token without session part will work with some cases
eg: -https://graph.facebook.com/?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.
But Graph API with "me" alias will work with only token with session part.
I don't know when exactly the tokens expire, but they do, otherwise there wouldn't be an option to give offline permissions.
Anyway, sometimes requiring the user to give offline permissions is an overkill. Depending on your needs, maybe it's enough that the token remains valid as long as the website is opened in the user's browser. For this there may be a simpler solution - relogging the user in periodically using an iframe: facebook auto re-login from cookie php
Worked for me...