Is it possible to extend the 60 day access token? I read somewhere that when a user visits your site it can be extended? (for another 60 days)? Will this be the same token or a new token entirely?
I basically want offline_access like it used to be. I have a small jquery script that displays the user's facebook wall on their own site.
I also read this:
""You will need to get the user to reauthenticate again within 60 days to grab a new token." --- nope. As long as there is publish_stream permitted - you don't need user's tokens ever. Until user deletes the application from apps list - you can post the messages, even after 100 years. So, no, there is no reason to persist any token additionally to application key and secret – zerkms Apr 5 at 9:02"
Is this true? Obviously I do not need publish permissions, I only want read stream permissions.
--Update:
Quote from FB:
"If you would like to refresh a still valid long-lived access_token, you will have to get a new short-lived user access_token first and then call the same endpoint below. The returned access_token will have a fresh long-lived expiration time, however, the access_token itself may or may not be the same as the previously granted long-lived access_token"
So how exactly do you get an entirely new token? FB.login method simply returns the existing (non-expired) token. Any ideas?
For extending access token expiry date use,
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
For more details take a look on http://developers.facebook.com/roadmap/offline-access-removal/
No.
You can not extend the token pass the 60 days, you can only extend short lived tokens and when you do that you get a long lived one which is 60 days.
You can also have all the permissions but unless you have a valid access token then you can not make api requests (well, you can but will get an exception).
I'm not sure how you get the 60 days token, if it's client side (and then extending it) or the server side, but according to the Removal of offline_access permission official post:
Scenario 3: Server-side OAuth Developers
...
If the call is made while there is still a valid long-lived user access_token for that
user, the returned user access_token from this second call may be the
same or may have changed, but in either case the expiration time will
be set to a long expiration time.
Or
Scenario 4: Client-side OAuth and Extending Access_Token Expiration Time through New Endpoint
....
Please note, the endpoint can only be used to extend the short-lived
user access_tokens. If you pass an access_token that had a long-lived
expiration time, the endpoint will simply pass that same access_token
back to you without altering or extending the expiration time.
...
You can use the following code using the PHP SDK
$extendedToken = $facebook->setExtendedAccessToken();
$token = $facebook->getAccessToken();
print_r($token);
After the user has logged in and has provided you with the required permissions. You can also the retrieve other extended access tokens, like for Page, after simply using Graph API call
$facebook->api('<PAGE_ID>?fields=access_token');
This will return the extended access token for the Page. Provided you have asked for manage_page permission.
Sujathan is correct - there is a Facebook page documenting what to do since the change: http://developers.facebook.com/roadmap/offline-access-removal/
Send a get request to the following url:
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN
Also, it looks like this is a duplicate: How to extend access token validity since offline_access deprecation
Related
I am making an OAuth 2.0 request and it is returning me JSON with refresh_token and access_token, why are there are 2 in OAuth2.0?
Which one is short lived?
What is the purpose of both?
I read this question on SO but that didn'e helped me much, Any help in this regard will be appreciated
Thanks
The access token is what you will use to authenticate your service requests. It generally contains details about the user or is directly mapped to the permissions about the user and the permissions that he has granted.
These tokens are short lived - something like one hour, the actual duration differs per provider.
The refresh tokens on the other hand are used to get a new access token when the one that you have expires. They have a much longer (sometime infinite, until explicitly revoked) lifetime.
Now, let's consider an end to end scenario. Let's say you create an app that does Facebook actions on a user's behalf - post on their timeline etc.
Your app redirects the user to log in to Facebook - you use Facebook SDK for this.
When the user successfully logs in and gives you the required permissions (post on timeline) you get an access token and a refresh token.
Your app can now hit the Facebook API to post on the user's timeline on his behalf with the access token. This token can be used for one hour (or whatever time the access token is valid)
Once the token is about to expire, you can hit a Facebook API to refresh the access token, as this one is about to expire. So, you call into the API with refresh + access tokens.
The API returns a new access token to you - you can use this now till it expires.
PS - This is not how it happens for Facebook actually. This was just a random example to explain how refresh and access tokens differ.
If this makes sense, go back to the question that you have linked. It has some really good answers. :)
I'm going to be writing a Facebook Graph script/application that will run as a cron. I tried to do this before, but it said that the access token expired. I tried using getAccessToken(), but it told me that a valid access token had to be used to request information about the current user. How can I automatically renew my access token so my cron job won't break?
The normal access token expires in 2 hours, and the extended token lasts for 2 months.
For the extended token guide, go though this: How to extend access token validity since offline_access deprecation
Now, the best thing you can do is to update regularly this extended token of the user when he log-in the app/website. So, you can use this token in your cron job. This will fail only when the user didn't visit your app for 2 months.
Did you verify expiry of your access token at below link?
https://developers.facebook.com/tools/debug
Moreover, you can get detailed answer by visiting similar question:
How to renew/extend facebook access tokens with PHP?
I try to get extended long-lived access token with
$facebook->setExtendedAccessToken();
$access_token = $facebook->getAccessToken();
After looking SDK I found that setExtendedAccessToken() function is setting long-lived access token in
protected static $kSupportedKeys =
array('state', 'code', 'access_token', 'user_id');
with
$this->setPersistentData(
'access_token', $response_params['access_token']
);
and getAccessToken() is returning short-lived access token from
protected $accessToken
so what is the purpose of setExtendedAccessToken() since it does not return anything?
#Julian. Thank you so much for the inspiration here.
I was able to make this work without changing any of the core FB api files.
What happens is, the setExtendedAccessToken call sends the value to setPersistentData which then sends it into session via constructSessionVariableName.
So if we get it out of session, and then set it into the facebook object, we're all set.
Here is my code:
// ask for the extended token and get it from session ...
$facebook->setExtendedAccessToken();
$access_token = $_SESSION["fb_".FB_APP_ID."_access_token"];
// now set it into the facebook object ....
$facebook->setAccessToken($access_token);
// now our fb object will use the new token as usual ...
$accessToken = $facebook->getAccessToken();
After further attempt to poke around base_facebook.php, I have discovered the following:
setExtendedAccessToken(); will exchange a short-lived access token and Facebook will return a proper extended access token.
setExtendedAccessToken(); saves this in the persistent data cache, but this doesn't mean getAccessToken(); can access it, because getAccessToken(); doesn't query the persistent cache. Furthermore, the class seems to treat the persistent data as a "failsafe", and only uses it if all other attempts to retrieve data have failed (that is, after checking signed_request, and parsing a code).
In our case, the access token returned via setExtendedAccessToken(); is the most recent access token, so I hacked in a fix. Add the following line at the bottom of setExtendedAccessToken();
// Also set the publically accessible access token value to this new extended token
$this->accessToken = $response_params['access_token'];
Caveat: Even though we now have the new extended access token, subsequent queries to Facebook to retrieve an access token (e.g. after a page refresh) will return the same old short-lived access token. *facepalm*
Even after the user logs out (thus causing the short-lived token to expire), and logs back in, Facebook will again return a short-lived access token.
However, even though this is the case, setExtendedAccessToken(); will return the same extended access token you retrieved earlier. This token is still usable to query user information.
So, this looks like a Facebook bug, as much as I hate saying it. We can get around it with the hack I have detailed above, and any subsequent calls to fetch an access token will just return a short-lived access token, which can be exchanged again and again for the same extended access token.
Original Answer
According to this answer, the new access token is saved in the persistent data (as you have also indicated in your question), and can be accessed via $facebook->getAccessToken();.
Two relevant notes:
This page also mentions that when the short-lived access token is exchanged for an extended access token, the token itself may or may not change, although the expiry time should have updated to reflect the longer expiration. Perhaps when you call $facebook->getAccessToken();, you are merely getting the same token back, but its expiration has changed?
The call to exchange a short-lived access token for an extended one can only be made once a day per user. I don't know why this is, and I don't know whether this counter is reset if a user decides to de-authorize your app and re-authorize.
From the Facebook documentation:
When a user visits your site with an existing, valid, short-lived user access_token, you have the option to extend the expiration time of that access token. Our platform will only extend the expiration time once per day, so even if a user revists your site multiple times a day, the token will be extended the first time requested. (emphasis mine)
I believe this is the case because sloppy programmers will call $facebook->setExtendedAccessToken(); at every possible opportunity, in the hopes of always retrieving an extended access token. (Instead of the preferred behaviour, which would be only calling $facebook->setExtendedAccessToken(); if what you currently have is a short-lived access token -- but how would you even tell unless you've saved the expiration date, which in and of itself isn't that reliable...!)
My assumption is that if a user de-authorizes the app, or the token otherwise invalidates, the limit will reset, and you will be able to once again retrieve an extended access token when passing in a short-lived access token. However, this requires further testing, so please take this paragraph with a grain of salt.
I'd just like to ask about a problem I'm facing with Facebook Graph API.
I've connected to Facebook successfully, stored the user ID, and user access_code into my DB
Now when viewing the site I'm building, it's using the access_token stored in my database, but doesn't show my facebook statuses....because the "session has expired"....
Is there anyway I can regenerate the access_token?
Thanks
Example:
$status = 'https://graph.facebook.com/'.$userId.'/statuses?limit='.10.'&access_token='.$app_token;
User access tokens last only 1-2 hours. There is a technique to get a 60 day token for your use. It is explained here: http://dominicminicoopers.blogspot.com/2012/03/facebook-access-tokens-and-offline.html Remember to get this extended access token prior to the short-lived access token expiring. You must pass in a valid working user access token to pass to it. Do this serverside, not clientside because you have to use your app secret.
https://graph.facebook.com/oauth/access_token?
client_id=[APP_ID]&
client_secret=[APP_SECRET]&
grant_type=fb_exchange_token&
fb_exchange_token=[EXISTING_NON-EXPIRED_USER_ACCESS_TOKEN]
Remember to ask for the user_status permission when prompting the user. See: http://developers.facebook.com/docs/authentication/permissions/#user_friends_perms
You cant regenerate it, but you can get a new one by having the user go through the oauth process again, it will return a new token - https://developers.facebook.com/docs/authentication/
You can try to get a long lived token. That will allow you to access the status even when the user is not loged in.
See here
I need help with Facebook OAuth. I am trying to make a facebook news feed gadget for my webpage. What I did is, I created a facebook login page, got the verification code, and then got the access token. There is an expiry parameter in the access token.
My question is, what happens when the token gets expired? Does it become a new token person logs in again. I want to store it in a database, so I can access it anytime I navigate through the webpage.
If I use the access token, will it still get expired? Or does it expire if its not been used for the given expiration time?
The answer to your initial question, is that an access token is only valid whilst the user is logged in. So yes, a new access_token will need to be retrieved every time they log in to your site. This is detailed in the authentication flow documentation.
In order to get an access token which is does not have an expiry (or has a long validity period), you will need to get the user to authorise the offline_access. This should be set in your scope.
Here's a description of the offline_access permission from this documentation:
offline access - Enables your app to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
This will not however, give you access forever. If the user changes their password, or deauthorises your application, you will need to get the user to reauthorise it to get a new access_token. If you try to use an out of date access token, an error message will be returned. That's why it's important to have a flow which will allow for such eventualities.
From my knowledge you can achieve this by asking for access my information anytime permission (offline_access) while a user does fconnect.
For Detail information please refer
For Permissions: http://developers.facebook.com/docs/reference/api/permissions/
For expired Token: http://developers.facebook.com/blog/post/500/