2

I have authentication implemented via a redirect to the Facebook auth page (`$fb->getLoginUrl()`), and when this flow ends I get a user access token.

According to https://developers.facebook.com/docs/facebook-login/access-tokens/#extending it should be a short-lived one, while mine expires 2 months from today.

Is this expected behaviour?

If yes - in what cases would you exchange the token?

If no - what am I missing?

UPD

I've just created a new application and again - the new user access token expires 1395567887 (in about 2 months) (info from a token debugger)

zerkms

2 Answers

1

Depends on what use case scenario you are implementing. If you are using an APP and the token is for the app permissions (like if you use the getLoginUrl to auth an app) etc then:

App tokens do not expire.

If your app publishes on behalf of its users and requires an access token with no expiration time for the purpose of publishing, you should use an App Access Token. An App Access Token is signed using your app secret and will not expire; it will be invalidated if you re-key/reset your application secret.

EDIT

All my apps have a 2-month access token by default, and that is what is stated in the FB docs.

Access tokens on the web often have a lifetime of about two hours, but will automatically be refreshed when required.

Like described here:

enter image description here

The server side flow grants a long lived token of 2 months

Jimmy Kane
  • It's not an app token, it's a user token. Sorry, not an answer – zerkms Jan 22 '14 at 09:37
  • @zerkms Then probably the other answer is what you need. Did you try the token debugger? – Jimmy Kane Jan 22 '14 at 09:41
  • Yep, that's where I get the info about token expiration date – zerkms Jan 22 '14 at 09:44
  • see the first square: "Short-lived access token...". The exchange is assumed to be done **EXPLICITLY** by a developer. I don't do that. "The server side flow grants a long lived token of 2 months" --- any reference to a documentation? – zerkms Jan 22 '14 at 10:12
  • @zerkms Sure, now that you mention it, it is strange. Though I was never interested in long-lived tokens, now that I test about 60 apps (campaigns with just login functionality), they all produce long-lived tokens. Maybe it has to do with the permission scope? – Jimmy Kane Jan 22 '14 at 10:26
  • @zerkms also here people state the same status http://stackoverflow.com/questions/7696372/facebook-page-access-tokens-do-these-expire – Jimmy Kane Jan 22 '14 at 10:32
  • After some chat on #facebook @ freenode I was told that all server-side flows end up with long living tokens – zerkms Jan 22 '14 at 10:41
  • @zerkms seems so. Also somewhere in the docs the server side flow shows that the server exchanges a long lived token for another one. The Facebook docs are bad. Thanks for providing me the knowledge of knowing that indeed the server side flows provide a long lived token. – Jimmy Kane Jan 22 '14 at 10:43
1

You cannot get a long-lived access token by default after authentication using the Facebook PHP SDK.

You must have used / written the following API function somewhere in your code. Unless you make the following API call, you won't be able to get a long-lived (2 month) token.

```php
$facebook->setExtendedAccessToken();
```

You can also refer to the token debugger at https://developers.facebook.com/tools/debug/accesstoken/ to check token details.

Edited

My code looks as follows:

```php
$user = $facebook->getUser();

if ($user) {
  try {
    // Proceed knowing you have a logged in user who's authenticated.
    $facebook->setExtendedAccessToken();
    $user_profile = $facebook->api('/me');
  } catch (FacebookApiException $e) {
    error_log($e);
    $user = null;
  }
}
// Login or logout url will be needed depending on current user state.
if ($user) {
  $logoutUrl = $facebook->getLogoutUrl();
} else {
  $statusUrl = $facebook->getLoginStatusUrl();
  $loginUrl = $facebook->getLoginUrl(array('scope' => 'read_stream, export_stream'));
}
```

As you can see, I have used `setExtendedAccessToken` if user details are found after authentication. `setExtendedAccessToken` is a call which exchanges the temporary token for a long-lived token.

Community
  • "You can not get long lived access token by default" --- that's what I'm getting. Token debugger tells the token is a long lived one. Sorry, not an answer – zerkms Jan 22 '14 at 09:36
  • It's just a redirect to `$facebook->getLoginUrl()`. Nothing else – zerkms Jan 22 '14 at 09:38
  • Have you checked whether the **setExtendedAccessToken()** method has been used in your code or not? – Trimantra Software Solution Jan 22 '14 at 09:40
  • my code doesn't use it - the whole authentication process is as simple as a redirect to `$facebook->getLoginUrl()` and nothing else. – zerkms Jan 22 '14 at 09:41
  • If you remove `setExtendedAccessToken` would the token become a short lived one? – zerkms Jan 22 '14 at 09:49
  • I took your code, commented out `setExtendedAccessToken` and the token I obtained `Expires 1395568333 (in about 2 months)` – zerkms Jan 22 '14 at 09:52
  • No, once you have assigned a long-lived token, you cannot get a short-lived one by removing this line. In order to get a short-lived token again, remove the application permissions and the application from the Facebook app settings of your profile, or you can call the de-authentication method. Once you are done, proceed with authentication again. – Trimantra Software Solution Jan 22 '14 at 09:53
  • **I CANNOT GET SHORT LIVING TOKEN**. Even **WITHOUT** `setExtendedAccessToken` what I'm getting is a long lived one. We spent 20 minutes and that's what I'm telling you, but you're ignoring it – zerkms Jan 22 '14 at 09:54
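
The whole thread turns on what lifetime the issued token really has, so a server that stores the token can check the debugger data itself instead of assuming. The following is an added example, not code from any poster or from the Facebook SDK; it assumes the `data.is_valid`, `data.type`, `data.issued_at` and `data.expires_at` fields of a Graph API `debug_token` response, and the sample JSON, its `issued_at` value, the function name `classifyToken` and the one-day threshold are constructed for illustration.

```php
<?php
// Added example: classify a token from a Graph API debug_token response.
// The field names are assumed to match that response; SAMPLE is constructed.

const SHORT_LIVED_MAX = 86400; // assumption: "about two hours" is far below one day

function classifyToken(array $response, int $now): array
{
    $data = $response['data'] ?? null;
    if (!is_array($data) || !isset($data['is_valid'], $data['expires_at'])) {
        throw new InvalidArgumentException('Not a debug_token response');
    }
    if ($data['is_valid'] !== true) {
        return ['class' => 'invalid', 'remaining' => 0];
    }
    $expiresAt = (int) $data['expires_at'];
    if ($expiresAt === 0) {
        // Assumption: expires_at of 0 marks a token with no expiry.
        return ['class' => 'non-expiring', 'remaining' => null];
    }
    $remaining = $expiresAt - $now;
    if ($remaining <= 0) {
        return ['class' => 'expired', 'remaining' => 0];
    }
    $class = $remaining > SHORT_LIVED_MAX ? 'long-lived' : 'short-lived';
    return ['class' => $class, 'remaining' => $remaining];
}

// Constructed sample: expires_at is the value quoted in the question,
// issued_at is made up to sit 60 days earlier.
const SAMPLE = '{"data":{"type":"USER","is_valid":true,'
             . '"issued_at":1390383887,"expires_at":1395567887}}';

$response = json_decode(SAMPLE, true, 8, JSON_THROW_ON_ERROR);
$result   = classifyToken($response, $response['data']['issued_at']);

printf(
    "%s token, %.1f days remaining\n",
    $result['class'],
    $result['remaining'] / 86400
);
// A server that keeps such a token should record the real expiry and
// protect the stored value as a long-lived credential.
```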