I'm going to be writing a Facebook Graph script/application that will run as a cron. I tried to do this before, but it said that the access token expired. I tried using getAccessToken(), but it told me that a valid access token had to be used to request information about the current user. How can I automatically renew my access token so my cron job won't break?
The normal access token expires in 2 hours, and the extended token lasts for 2 months.
For the extended token guide, go though this: How to extend access token validity since offline_access deprecation
Now, the best thing you can do is to update regularly this extended token of the user when he log-in the app/website. So, you can use this token in your cron job. This will fail only when the user didn't visit your app for 2 months.
Did you verify expiry of your access token at below link?
https://developers.facebook.com/tools/debug
Moreover, you can get detailed answer by visiting similar question:
How to renew/extend facebook access tokens with PHP?
Related
As the title suggests im wondering how i could obtain a never expiring facebook user access token. Which i would need to create a page access token at a later date. I tried using their graph explorer tool but i could only make it go up to 2 months of expiry date and for my use case that wouldnt be ideal.
To shortly explain my use case, on our website im trying to implement a facebook sharing system where each user could share what they wanted i.e posts on their facebook page (we are not using facebook login and the user would just give acces from their own dev tool panel if thats the correct approach). I got this to work BUT only with a acces token that would expire in 2-3months. So a user having to re-authenicate with our service every 2-3 months isnt ideal and wouldnt really work for us. So is there a way i can refresh that token programtically or does the user have to give a new user access token every couple of months.
I have tried following this answer but with no luck Long Lived access token Facebook Page and many similar answers to this. There is also a suggestion that you should contact facebook if you want a never expiring access token which this user suggested Generate permanent access token Facebook API.
Now im wondering if it even is possible do that in 2021 and if there is anything i missed in regards how to generate said tokens or refresh them.
EDIT:
I used the following requests to get the extended access token.
https://graph.facebook.com/oauth/access_token?client_id=<your FB App ID >&client_secret=<your FB App secret>&grant_type=fb_exchange_token&fb_exchange_token=<your short-lived access token>
After i got the token i used
https://graph.facebook.com/me/accounts?access_token=<your long-lived access token>
to get the extended access token.
To get page access token that never expires, take the following steps:
Get user token
Make this token long-lived, e.g. by clicking "Extend access token" at the bottom of the page: https://developers.facebook.com/tools/debug/accesstoken/
Then, use this token to get page access token.
In Access Token Debugger the token will be marked as "Expires: never"
I am making an OAuth 2.0 request and it is returning me JSON with refresh_token and access_token, why are there are 2 in OAuth2.0?
Which one is short lived?
What is the purpose of both?
I read this question on SO but that didn'e helped me much, Any help in this regard will be appreciated
Thanks
The access token is what you will use to authenticate your service requests. It generally contains details about the user or is directly mapped to the permissions about the user and the permissions that he has granted.
These tokens are short lived - something like one hour, the actual duration differs per provider.
The refresh tokens on the other hand are used to get a new access token when the one that you have expires. They have a much longer (sometime infinite, until explicitly revoked) lifetime.
Now, let's consider an end to end scenario. Let's say you create an app that does Facebook actions on a user's behalf - post on their timeline etc.
Your app redirects the user to log in to Facebook - you use Facebook SDK for this.
When the user successfully logs in and gives you the required permissions (post on timeline) you get an access token and a refresh token.
Your app can now hit the Facebook API to post on the user's timeline on his behalf with the access token. This token can be used for one hour (or whatever time the access token is valid)
Once the token is about to expire, you can hit a Facebook API to refresh the access token, as this one is about to expire. So, you call into the API with refresh + access tokens.
The API returns a new access token to you - you can use this now till it expires.
PS - This is not how it happens for Facebook actually. This was just a random example to explain how refresh and access tokens differ.
If this makes sense, go back to the question that you have linked. It has some really good answers. :)
I'd just like to ask about a problem I'm facing with Facebook Graph API.
I've connected to Facebook successfully, stored the user ID, and user access_code into my DB
Now when viewing the site I'm building, it's using the access_token stored in my database, but doesn't show my facebook statuses....because the "session has expired"....
Is there anyway I can regenerate the access_token?
Thanks
Example:
$status = 'https://graph.facebook.com/'.$userId.'/statuses?limit='.10.'&access_token='.$app_token;
User access tokens last only 1-2 hours. There is a technique to get a 60 day token for your use. It is explained here: http://dominicminicoopers.blogspot.com/2012/03/facebook-access-tokens-and-offline.html Remember to get this extended access token prior to the short-lived access token expiring. You must pass in a valid working user access token to pass to it. Do this serverside, not clientside because you have to use your app secret.
https://graph.facebook.com/oauth/access_token?
client_id=[APP_ID]&
client_secret=[APP_SECRET]&
grant_type=fb_exchange_token&
fb_exchange_token=[EXISTING_NON-EXPIRED_USER_ACCESS_TOKEN]
Remember to ask for the user_status permission when prompting the user. See: http://developers.facebook.com/docs/authentication/permissions/#user_friends_perms
You cant regenerate it, but you can get a new one by having the user go through the oauth process again, it will return a new token - https://developers.facebook.com/docs/authentication/
You can try to get a long lived token. That will allow you to access the status even when the user is not loged in.
See here
Is it possible to extend the 60 day access token? I read somewhere that when a user visits your site it can be extended? (for another 60 days)? Will this be the same token or a new token entirely?
I basically want offline_access like it used to be. I have a small jquery script that displays the user's facebook wall on their own site.
I also read this:
""You will need to get the user to reauthenticate again within 60 days to grab a new token." --- nope. As long as there is publish_stream permitted - you don't need user's tokens ever. Until user deletes the application from apps list - you can post the messages, even after 100 years. So, no, there is no reason to persist any token additionally to application key and secret – zerkms Apr 5 at 9:02"
Is this true? Obviously I do not need publish permissions, I only want read stream permissions.
--Update:
Quote from FB:
"If you would like to refresh a still valid long-lived access_token, you will have to get a new short-lived user access_token first and then call the same endpoint below. The returned access_token will have a fresh long-lived expiration time, however, the access_token itself may or may not be the same as the previously granted long-lived access_token"
So how exactly do you get an entirely new token? FB.login method simply returns the existing (non-expired) token. Any ideas?
For extending access token expiry date use,
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
For more details take a look on http://developers.facebook.com/roadmap/offline-access-removal/
No.
You can not extend the token pass the 60 days, you can only extend short lived tokens and when you do that you get a long lived one which is 60 days.
You can also have all the permissions but unless you have a valid access token then you can not make api requests (well, you can but will get an exception).
I'm not sure how you get the 60 days token, if it's client side (and then extending it) or the server side, but according to the Removal of offline_access permission official post:
Scenario 3: Server-side OAuth Developers
...
If the call is made while there is still a valid long-lived user access_token for that
user, the returned user access_token from this second call may be the
same or may have changed, but in either case the expiration time will
be set to a long expiration time.
Or
Scenario 4: Client-side OAuth and Extending Access_Token Expiration Time through New Endpoint
....
Please note, the endpoint can only be used to extend the short-lived
user access_tokens. If you pass an access_token that had a long-lived
expiration time, the endpoint will simply pass that same access_token
back to you without altering or extending the expiration time.
...
You can use the following code using the PHP SDK
$extendedToken = $facebook->setExtendedAccessToken();
$token = $facebook->getAccessToken();
print_r($token);
After the user has logged in and has provided you with the required permissions. You can also the retrieve other extended access tokens, like for Page, after simply using Graph API call
$facebook->api('<PAGE_ID>?fields=access_token');
This will return the extended access token for the Page. Provided you have asked for manage_page permission.
Sujathan is correct - there is a Facebook page documenting what to do since the change: http://developers.facebook.com/roadmap/offline-access-removal/
Send a get request to the following url:
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN
Also, it looks like this is a duplicate: How to extend access token validity since offline_access deprecation
I need help with Facebook OAuth. I am trying to make a facebook news feed gadget for my webpage. What I did is, I created a facebook login page, got the verification code, and then got the access token. There is an expiry parameter in the access token.
My question is, what happens when the token gets expired? Does it become a new token person logs in again. I want to store it in a database, so I can access it anytime I navigate through the webpage.
If I use the access token, will it still get expired? Or does it expire if its not been used for the given expiration time?
The answer to your initial question, is that an access token is only valid whilst the user is logged in. So yes, a new access_token will need to be retrieved every time they log in to your site. This is detailed in the authentication flow documentation.
In order to get an access token which is does not have an expiry (or has a long validity period), you will need to get the user to authorise the offline_access. This should be set in your scope.
Here's a description of the offline_access permission from this documentation:
offline access - Enables your app to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
This will not however, give you access forever. If the user changes their password, or deauthorises your application, you will need to get the user to reauthorise it to get a new access_token. If you try to use an out of date access token, an error message will be returned. That's why it's important to have a flow which will allow for such eventualities.
From my knowledge you can achieve this by asking for access my information anytime permission (offline_access) while a user does fconnect.
For Detail information please refer
For Permissions: http://developers.facebook.com/docs/reference/api/permissions/
For expired Token: http://developers.facebook.com/blog/post/500/