
I have an application that used to use offline_access, which obviously needs changing since that's going away.

We use this permission to publish messages to the facebook wall of a user when they interact without our backend through any number of APIs. We have a website, several mobile applications on iPhone, Android, Blackberry, and Nokia phones that connect to the application, as well as a desktop application that interfaces with hardware devices and all of these can cause the backend to attempt to publish to facebook, but only the website allows the user to make the initial authorization with facebook.

From what I understand, using server-side authentication gets 60 day long tokens, and the only way to get new tokens is to redo the authentication process, which, assuming the user hasn't changed password, is logged into facebook, and hasn't de-authorized the application, will appear as nothing but a series of automated redirects.

Is there any other way to do this? For example, what exactly does fb_exchange_token do? Is it applicable in this case or does this ONLY apply to tokens received via the javascript API?

Is there anything we can do for these non-website user interfaces aside from incorporating the native facebook APIs and doing the same thing as for the website?


Attempting to use fb_extend_token was pretty fruitless. Rerunning the standard authentication returned the same token but with a fresh 60 day expiry time. Doing it again a short while later didn't extend the token. I'm hoping this means I can only do this once a day, not once per token.

Sloloem

2 Answers


Since I was using the server-side flow and the keys would never be seen by the user, I was able to rework my app slightly to use my APPLICATION token. These keys belong to your app and allow you to use the API on behalf of a user for as long as they haven't revoked their permission. The user authorization tokens can expire, but as long as the user hasn't explicitly removed your app from the apps they've allowed, your token will continue to allow you to post to the wall using a /user/ URL; the /me/ URLs won't work because your token is bound to your app.

Sloloem
  • Is this still valid given the 60 days expiry time? Am I trying to solve a problem that just happens because I'm trying to post to "/me" instead of a user? – Emil Ahlbäck Apr 03 '13 at 08:41
  • Not sure what you're asking? Using the Application Token is actually a way to get around the expiry time for tokens that you get when you step a user through the server-side authentication process. If you use these tokens and post to /me to post to the user's wall, that token will expire after 60 days and you'd need to walk the user through the process again to extend the token. If you use your Application Token and post to /user/ URLs that token never expires. You can continue using it as long as the user hasn't revoked permission. The main caveat is you need to keep this token secret. – Sloloem Apr 05 '13 at 02:09

I believe once the deprecation of offline_access is complete, obtaining/exchanging access tokens is the only way to do what you need.

Anyone who had offline access before the deprecation will still be able to use your application normally, for 60 days at least. Once this period is over, you have to reauthorize users and extend their access tokens for another 60 days. To do this you have them log in, and authorize your app (if necessary). Then you extend their access token using fb_exchange_token, so it is good for 60 days.

I'm sure you have seen it, but it's all outlined in this article, more specifically the section about previously using offline_access. I also found this post useful for doing an upgrade. Here is another link that further details how to deal with invalid tokens.

Nick DeFazio
  • The tokens I'm receiving through the regular backend flow right now are good for 60 days, attempting to request fb_exchange_token doesn't change them at all, so I can just see the expires time on the token counting down. I have the migration enabled in my test app, so can I trust this behavior once they completely pull the permission? I can't find any good documentation for what fb_exchange_token is, so I was figuring maybe it was used by the client-side flow to trade the short lived token you'd get that way for a longer lived one, like if you had authenticated with the serverside flow – Sloloem May 21 '12 at 20:16
  • Extending the tokens you have now doesn't do anything because they are already set to 60 days. I assume the tokens you have now were obtained through the offline_access permission. FB is truncating these times from forever to 60 days to prepare for the offline_access deprecation. Only when you obtain a new short-lived token can you extend it to 60 days again. From the docs: "If you would like to refresh a still valid long-lived access_token, you will have to get a new short-lived user access_token first" – Nick DeFazio May 21 '12 at 21:07
  • @spoonybard896 - Let's say I have a 60 day access token. We're on day 59 - tomorrow the token is going to be expired. I send an automated email to the user to log in again. Will that extend the life of the access token? As I try it now, it doesn't, it simply returns the same access token. So, different way, is it possible to get an entirely new access token? (A new short lived one, which I then convert to a 60 day one)? FB.Login always returns the existing non-expired access token. Thx. –  May 22 '12 at 12:02
  • As I understand it, once a token is extended once, you cannot extend it again. You have to get a new token. If you are on day 59 and re-authenticate, you will get the same token back because it has not yet expired. I think you just have to wait until it expires, detect that in your authentication flow, and at that point direct the user to go re-authenticate. Once it has expired, you should get a new token on re-authentication which you can then extend. Until then, you should get the 60 day extended token back. – Nick DeFazio May 22 '12 at 16:25
  • @spoonybard896 - That's actually really useful. I was attempting to use fb_exchange_token to extend the token on the backend for testing. So that method is only applicable for extending short-lived tokens? It seems like it, since the token I am testing with is from a test app with a new user that never requested the offline_access permission and did the server-side authentication and got a long lived token using an authorization code, and I've never been able to extend that token. I'd assume that if I did the authorization redirect again, I'd get a new token. – Sloloem May 22 '12 at 17:14
  • Once expired, yes, you would get a new token that you could then exchange for a long lived token. And yes, fb_exchange_token is only used to exchange short lived tokens for long lived ones. If your token has not yet expired, I'm not sure you would get a new one if you went through the auth process again though. I think you would get the same one back until it's expired (user changes pw, removes your app, 60 days goes by, etc). – Nick DeFazio May 22 '12 at 18:46
  • @spoonybard896 - Are you sure? That doesn't sound very good for anyone who uses the server side flow. I don't want to switch to the client side flow, but I also don't want to be reactionary and have to wait until the token expires before I reauthorize for a new one. I guess the best answer is to try it and see... – Sloloem May 22 '12 at 19:15
  • I see your point, and I'm not sure if you get a new token back in the scenario you described. I suspect you don't, but I could be wrong. – Nick DeFazio May 22 '12 at 19:44
  • Just wanted to update some of this info. Recently I've been working on converting an old FB app from offline access to 60 day tokens. I can confirm that you get a new access token only when you re-authorize the app. I'm not sure if it's useful, but if you want to use a preventative measure such as notifying the user ahead of time and allowing them to re-auth, you can manually de-auth your app, and then get a new long lived token (http://stackoverflow.com/questions/7533997/de-authorize-a-facebook-app-using-the-new-opengraph-api). – Nick DeFazio Jun 20 '12 at 20:49
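
A sketch of the server-side handling this thread converges on, added here as an example and not code from either answer: decide per stored token whether to publish, warn the user, or force re-authorization, and build the fb_exchange_token request without letting the app secret or tokens reach logs. The record schema, `warn_days`, and the function names are assumptions; the endpoint and the `grant_type`, `client_id` and `client_secret` parameters are those of Facebook's Graph API OAuth endpoint, not quoted in the thread.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

GRAPH_TOKEN_URL = "https://graph.facebook.com/oauth/access_token"
# Query parameters that must never be written to logs or error reports.
SECRET_PARAMS = {"access_token", "client_secret", "fb_exchange_token"}
DAY = 86400

def exchange_url(app_id, app_secret, short_lived_token):
    """URL that trades a fresh short-lived user token for a ~60 day one.
    Server-side only: it carries the app secret."""
    return GRAPH_TOKEN_URL + "?" + urlencode({
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_lived_token,
    })

def redact(url):
    """Mask secret query parameters before a URL is logged."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def next_action(record, now, warn_days=7):
    """Decide what to do with a stored user token.
    record (hypothetical schema): {"expires_at": epoch seconds, "revoked": bool}"""
    if record.get("revoked"):
        return "reauthorize"      # user removed the app or changed password
    remaining = record["expires_at"] - now
    if remaining <= 0:
        return "reauthorize"      # expired: a new login yields a token to exchange
    if remaining <= warn_days * DAY:
        return "notify_user"      # per the comments, re-login now returns the same token
    return "publish"
```
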