I'd like to make simple fb app, but I cant find how access token shoud be kept.
I mean that when user login i got 60days access token and its cool, but what if user changes password? What is the better way to valid access token, and get new one ?
Facebook has a post on their blog that may help you called How-To: Handle expired access tokens
Source: https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
Related
As the title suggests im wondering how i could obtain a never expiring facebook user access token. Which i would need to create a page access token at a later date. I tried using their graph explorer tool but i could only make it go up to 2 months of expiry date and for my use case that wouldnt be ideal.
To shortly explain my use case, on our website im trying to implement a facebook sharing system where each user could share what they wanted i.e posts on their facebook page (we are not using facebook login and the user would just give acces from their own dev tool panel if thats the correct approach). I got this to work BUT only with a acces token that would expire in 2-3months. So a user having to re-authenicate with our service every 2-3 months isnt ideal and wouldnt really work for us. So is there a way i can refresh that token programtically or does the user have to give a new user access token every couple of months.
I have tried following this answer but with no luck Long Lived access token Facebook Page and many similar answers to this. There is also a suggestion that you should contact facebook if you want a never expiring access token which this user suggested Generate permanent access token Facebook API.
Now im wondering if it even is possible do that in 2021 and if there is anything i missed in regards how to generate said tokens or refresh them.
EDIT:
I used the following requests to get the extended access token.
https://graph.facebook.com/oauth/access_token?client_id=<your FB App ID >&client_secret=<your FB App secret>&grant_type=fb_exchange_token&fb_exchange_token=<your short-lived access token>
After i got the token i used
https://graph.facebook.com/me/accounts?access_token=<your long-lived access token>
to get the extended access token.
To get page access token that never expires, take the following steps:
Get user token
Make this token long-lived, e.g. by clicking "Extend access token" at the bottom of the page: https://developers.facebook.com/tools/debug/accesstoken/
Then, use this token to get page access token.
In Access Token Debugger the token will be marked as "Expires: never"
I am planning to come up with a website to access the profile information of my friends on Facebook. The first step being is to authenticate a friend with their facebook user name and password. I am reading up on the docs on manually authenticating a user. I am unable to understand that once I have a access_token, what steps I need to take to get a user information, in this case, even me?
What I also do not understand is the website states to provide the app_id and app_secret to generate the access_token. My understanding was that access_token would be needed for user. So where does the example code authenticate a user? I am guessing that I haven't understood the login flow properly. If there are any other references, please let me know.
After getting the access token, simply use it with your calls. For eg:
$res = json_decode(file_get_contents(https://graph.facebook.com/me/friends?access_token=ACCESS_TOKEN));
EDIT
The token: APP_ID|APP_SECRET is the app access token, not the user access token; so it has nothing to do with the user and it wont understand /me. And its power is just.
The other token that is received by the login flow (as mentioned in the link you've mentioned in the question) is the user access token, and it understands /me. It has the power to do anything that user has granted the app to.
I am using LinkedIn API.
I have done all process to retrieve access token.
but never show anywhere to remove/revoke access token from the LinkedIn.
Please Help.!
Once you store the secret in your DB simply delete it and the access will be revoked.
I believe that if you wish for the user to revoke access to your app the user must to go linkedin and do it, much like Facebook.
As confirmed here: http://developer.linkedin.com/forum/how-really-revoke-apps-oauth-access-token linkedin does not have a programmable API for what you wanna do.
But before you remove it from DB you can invalidate the token which is like an extra step to take by cURLing https://api.linkedin.com/uas/oauth/invalidateToken with your token I believe.
Edit
As #Paul corrects, it is actually quite important to invalidate the tokens with LinkedIn. So doing that and then removing from DB is, as he says, the correct way.
I'd just like to ask about a problem I'm facing with Facebook Graph API.
I've connected to Facebook successfully, stored the user ID, and user access_code into my DB
Now when viewing the site I'm building, it's using the access_token stored in my database, but doesn't show my facebook statuses....because the "session has expired"....
Is there anyway I can regenerate the access_token?
Thanks
Example:
$status = 'https://graph.facebook.com/'.$userId.'/statuses?limit='.10.'&access_token='.$app_token;
User access tokens last only 1-2 hours. There is a technique to get a 60 day token for your use. It is explained here: http://dominicminicoopers.blogspot.com/2012/03/facebook-access-tokens-and-offline.html Remember to get this extended access token prior to the short-lived access token expiring. You must pass in a valid working user access token to pass to it. Do this serverside, not clientside because you have to use your app secret.
https://graph.facebook.com/oauth/access_token?
client_id=[APP_ID]&
client_secret=[APP_SECRET]&
grant_type=fb_exchange_token&
fb_exchange_token=[EXISTING_NON-EXPIRED_USER_ACCESS_TOKEN]
Remember to ask for the user_status permission when prompting the user. See: http://developers.facebook.com/docs/authentication/permissions/#user_friends_perms
You cant regenerate it, but you can get a new one by having the user go through the oauth process again, it will return a new token - https://developers.facebook.com/docs/authentication/
You can try to get a long lived token. That will allow you to access the status even when the user is not loged in.
See here
I need help with Facebook OAuth. I am trying to make a facebook news feed gadget for my webpage. What I did is, I created a facebook login page, got the verification code, and then got the access token. There is an expiry parameter in the access token.
My question is, what happens when the token gets expired? Does it become a new token person logs in again. I want to store it in a database, so I can access it anytime I navigate through the webpage.
If I use the access token, will it still get expired? Or does it expire if its not been used for the given expiration time?
The answer to your initial question, is that an access token is only valid whilst the user is logged in. So yes, a new access_token will need to be retrieved every time they log in to your site. This is detailed in the authentication flow documentation.
In order to get an access token which is does not have an expiry (or has a long validity period), you will need to get the user to authorise the offline_access. This should be set in your scope.
Here's a description of the offline_access permission from this documentation:
offline access - Enables your app to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
This will not however, give you access forever. If the user changes their password, or deauthorises your application, you will need to get the user to reauthorise it to get a new access_token. If you try to use an out of date access token, an error message will be returned. That's why it's important to have a flow which will allow for such eventualities.
From my knowledge you can achieve this by asking for access my information anytime permission (offline_access) while a user does fconnect.
For Detail information please refer
For Permissions: http://developers.facebook.com/docs/reference/api/permissions/
For expired Token: http://developers.facebook.com/blog/post/500/