Facebook: how to persist sessions in a (connect/graph) application - facebook

I am using the facebook graph api to integrate some facebook functionality for users into a project i am working on. Its very early stages and I am just getting to grips with the Facebook API but it appears that every time a user logs on to my site they will also have to log into Facebook. On the first time they also have to authenticate my application.
I am a little surprised that they have to actually log into Facebook each time they want to use any Facebook features from inside my app.
Isn't there a way to authenticate once, then I can store a token and this would allow me to access Facebook on their behalf in the future (until they de-authorize) without them having to log into Facebook each and every time?
This just seems very cumbersome.

Request the user for offline_access permissions using the scope argument in the authorization request
http://developers.facebook.com/docs/authentication/#requesting-extended-permissions
You can use the session key returned, save it and use it until it expires (this usually is very long) or until the user revokes access to your application
Here is the full list of extended permissions your application can ask for http://developers.facebook.com/docs/authentication/permissions

Related

Facebook: Refreshing long-lived access token automatically

I'm storing long-lived access tokens for users of my application that have associated their Facebook accounts to it. Since the demise of the offline_access tokens, these long-lived tokens have an expiry date of "about 60 days." However, they can refresh themselves when the user interacts with Facebook. According to the documentation:
These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
What I'd like to know is what constitutes making a request to Facebook's servers. Does the user have to log in to the Facebook website, mobile app, or use a Like button somewhere? Or does my application making a request on behalf of the user count as well?
Also, when the tokens are refreshed, are they refreshed for another 60 days? Or are they refreshed for a smaller duration?
I wasn't able to find these specific answers in the documentation or in other questions asked here, so thanks in advance to anyone who might have more details.
Every time you use Facebook SDK so it makes any Graph API call, tokens will be refreshed. You can see this in their source code, in AccessTokenManager there is function extendAccessTokenIfNeeded(), and that function is called inside GraphRequest in function executeConnectionAndWait().
You can also manually refresh tokens by calling:
AccessToken.refreshCurrentAccessTokenAsync();
I found one exception to this. Only sso tokens can be refreshed, which means if user logged in to your app via facebook app. If user logged in via browser, token will remain the same.
The previous line to the one you pasted is important:
Native mobile applications using Facebook's SDKs will get long-lived access tokens, good for about 60 days
The section you pulled out refers only to iOS and Android apps using the Facebook SDK - the SDK makes an API call to extend the token, which will only work from the SDK and for tokens produced by the native mobile SDKs-
Other apps (e.g websites, apps on facebook.com) need to use the login flows documented elsewhere in the documentation and require the user to be logged into Facebook in their browser

Facebook app using access tokens for multiple users behind the scenes

I am building a Facebook application whose purpose is to gather statistics about Facebook users by querying their profile pages every so often. There is a sign up process where a user consents to the application and is redirected to Facebook to authorize the app. After the app has received the user's permission, it stores the access token with the user's Facebook ID number.
Every so often I want to be able to run a script that loops through all the access tokens in my database and queries the corresponding user's profile page. I am using Facebook's PHP SDK for development and therefore receive long-lived access tokens.
However, I am running into the issue of the 60 day expiration of the access token. I don't know how I can renew these access tokens, since the user does not initiate API calls; my own script does and therefore it has no information about the user being logged in or not when trying to run an API call. Is there any way to renew these access tokens behind the scenes without any information about the user whom I'm trying to query?

How to retrieve posts of user after he logged out from FB

I'm trying to figure out a core concept in FB that even after reading a lot of FB documentation, couldn't understand.
Let's say I'm building an app (that will reside in a tab), in which I want to see the last post of a user. I want to do this approximately one month after the user approved my app, without him using the app again.
I assume I will need to use a long-lived expiration token that will be saved to my DB.
A month after I will run a procedure that will use this token and check the user posts.
Is this correct?
What about a situation in which the user logged out? The token is no longer valid.. does this mean I will never be able to access user posts unless he will access my app?
Isn't this a bit weird (since he already approved my app)?
Not necessarily.
Firstly, you need the read_stream permission from the user when they authenticate your app. Then, because you are intending to use Facebook as the app, rather than as the user, you need to authenticate as an app, which is a simple process:
In order to get an access token for the app, all you need to do is use the following URL:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
Because these tokens are time-limited, it may be easier to request a token each time you use the Graph API, rather than storing it in a database and waiting for it to expire.
Then, all you need to do is use the following request:
https://graph.facebook.com/USER_ID/feed?access_token=YOUR_ACCESS_TOKEN
The upside to this is that it does not matter whether or not the user is logged into Facebook.
See here for more details:
https://developers.facebook.com/docs/authentication/applications/

How to notify users peridocally from an app

So there's an app, let's say it's an app that is capable of delivering relevant news based on the user's choice done the first time he runs the app. Is there a way to post the news to the user's wall without having the user to be online and ideally as the app?
So on his/hers timeline it would look like this (edited image, not a real post from some app, it's just so you get what I mean):
When I use $facebook->api('/me', 'post'), it just creates a post as the user, which is not what I want and does not allow me to post when the user is not logged in.
You can use the server side authentication to get a long lived access token (60 days) which you can then use until the token times out. Then you'll need to have the user reengage with your app to get a new token.
You can get the same thing by using the client side authentication and then extending the token on the server side.
Another options which should work for you is to get an app access token (which does not expire) and ask the user for the publish_stream permission, then:
App access tokens can also be used to publish content to Facebook on
behalf of a user who has granted a publishing permission to your
application.

How can I use offline access with the Facebook javascript SDK?

In the Facebook javascript api there is a login function in which you specify extended permissions:
http://developers.facebook.com/docs/reference/javascript/FB.login
One of these permissions is offline access. So I can save the facebook user's session key and assume it will not expire for a long time. The question I have is simple - how do I use the session key? I understand that the session key will last longer, but I don't understand how to use it in the Facebook API. For one of my products, a user must restart his/her browser and I would like to recognize them when they restart. The problem is that they are logged out of facebook, so they must login on my site again where I would rather just use offline access. Sample code would be great!
Thanks
Offline access allows you to use the user's access token on the Facebook Graph API indefinitely (unless they revoke your application's access).
It is not intended for logging the user back in. It's intended for you to be able to access their profile (and potentially do stuff to it, if you have permission) at all times, not just when they have a live session on your site.