2

Is it correct that the Facebook API access token changes on every pageload?

I thought once a token was obtained, it would stay the same until expiry.

I am using the Facebook SDK for JavaScript.

Facebook says that with this SDK, there is no need to manually manage access tokens. The SDK just does it.

But is it correct that the token changes on every pageload?

My code is this:

    <div id="fb-root"></div>
    <script>
      window.fbAsyncInit = function() {
        FB.init({
          appId      : 'xxxxxxxx',
          status     : true,
          xfbml      : false,
          cookie     : true
        });
      };

      (function(d, s, id){
        var js, fjs = d.getElementsByTagName(s)[0];
        if (d.getElementById(id)) {return;}
        js = d.createElement(s); js.id = id;
        js.src = "//connect.facebook.net/en_US/all.js";
        fjs.parentNode.insertBefore(js, fjs);
      }(document, 'script', 'facebook-jssdk'));

      function check() {
        FB.getLoginStatus(function(response) {
          if (response.status === 'connected') {
            // the user is logged in and has authenticated your
            // app, and response.authResponse supplies
            // the user's ID, a valid access token, a signed
            // request, and the time the access token
            // and signed request each expire
            console.log(response);
            var uid = response.authResponse.userID;
            var accessToken = response.authResponse.accessToken;
          } else if (response.status === 'not_authorized') {
            // the user is logged in to Facebook,
            // but has not authenticated your app
            console.log(response);
          } else {
            // the user isn't logged in to Facebook.
            console.log(response);
          }
        });
      }
    </script>

    <span onClick="check()">test</span>
Eduscho

2 Answers

1

I just tested this and you are right, the token changes with every page refresh. I would not worry much about it though. When using one of the SDKs (JavaScript, PHP, ...) you most likely don't need to think about the access tokens at all. And even if you need them (for managing Pages, for example), you can just use the last one.

The "older" tokens are still valid btw, they don't get invalidated. But they will stop working after 2 hours anyway.

There is also a second parameter you can set to "true": https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/ (see "Roundtrips to Facebook's servers") - which may have explained the new token, but you're not using that either.

andyrandy
  • Thanks for testing. I found that if on init() the parameter 'status' is set to false, it does not change. This way or that way, I agree we might not need to worry. – Eduscho Mar 02 '14 at 09:56
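
Because the token string differs between page loads while older tokens stay valid until they expire, client code should identify the session by `userID` and expiry, not by comparing tokens. The following is an added example, not code from the thread or from Facebook: `createTokenCache` and `fakeSdk` are hypothetical names, the SDK object and clock are injected so it runs offline, and `expiresIn` is assumed to be the number of seconds until expiry.

```javascript
// Added example, not from the thread. `fb` is the SDK object (window.FB in a
// page) and `now` returns milliseconds; both are injected so this runs offline.
// Assumption: authResponse.expiresIn is the number of seconds until expiry.
function createTokenCache(fb, now, marginSeconds) {
  var margin = (marginSeconds === undefined ? 60 : marginSeconds) * 1000;
  var cached = null; // { userID, accessToken, expiresAt }

  // Calls back with (error, session). The session is keyed on userID: a new
  // token string for the same user is expected and is not a new login.
  function getSession(callback) {
    if (cached !== null && now() < cached.expiresAt - margin) {
      callback(null, { userID: cached.userID, accessToken: cached.accessToken,
                       refreshed: false, userChanged: false });
      return;
    }
    var previousUser = cached === null ? null : cached.userID;
    // Passing true as the second argument forces a roundtrip to Facebook.
    fb.getLoginStatus(function (response) {
      var auth = response.authResponse;
      if (response.status !== 'connected' || !auth) {
        cached = null; // drop the stale entry instead of reusing it
        callback(new Error('not connected: ' + response.status), null);
        return;
      }
      cached = { userID: auth.userID, accessToken: auth.accessToken,
                 expiresAt: now() + Number(auth.expiresIn) * 1000 };
      callback(null, { userID: cached.userID, accessToken: cached.accessToken,
                       refreshed: true,
                       userChanged: previousUser !== null && previousUser !== auth.userID });
    }, true);
  }

  return { getSession: getSession, clear: function () { cached = null; } };
}

// Constructed stand-in for the SDK: hands out a different token on each call.
function fakeSdk(userID) {
  var calls = 0;
  return {
    getLoginStatus: function (callback) {
      calls += 1;
      callback({ status: 'connected', authResponse: {
        userID: userID, accessToken: 'CONSTRUCTED_TOKEN_' + calls, expiresIn: 7200 } });
    }
  };
}
```

In a page, pass `FB` and `Date.now` instead of the stand-ins, and call `clear()` when the user logs out so a cached token is not reused.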
0

Facebook has recently changed its process of refreshing access tokens.

Try this if it works in your case:

https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN 

EDIT:

This might help you as well. Link

Community
Satish Saini
  • extending the access token like you posted is only a good idea if you REALLY need a token that is valid for more than 2 hours. not a recent change though. – andyrandy Mar 02 '14 at 09:47