18

I have a database that stores a user's access token (along with some other data). My list of permissions includes offline_access when I authorize the user.

So will the user's access token (client side) always be the same as that user's access token in the database? Or can the user's access token change when they log out, change their password, etc?

bkaid
Collin O'Connor

4 Answers

22

No, the access token will not always be the same, even with offline_access. You will need to get a new access token when 1) the user changes their password or 2) deactivates your app. Otherwise, it should remain the same.

The user's Facebook id will never change though. This can be parsed from the access token or obtained by calling the /me graph api.

Facebook has a blog post that goes on in detail about this.

Update: Facebook added a blog post specifically for handling revoked authorization.

powtac
bkaid
  • In my database, I store a high score related to the access token. Since that access token can expire and not be the same as the database's access token, the user's high score would be "wiped". Do you have any ideas on how to counter this problem? – Collin O'Connor Jun 01 '11 at 21:30
  • 3
    Easy - just store it with their Facebook user id - that will never change. – bkaid Jun 01 '11 at 21:31
  • I totally forgot that users had a user id. So would there be any point in storing the user's access token in a database? – Collin O'Connor Jun 01 '11 at 21:40
  • 2
    You would need to store that token if you want to make calls to Facebook. But you shouldn't ask for permissions like offline_access if you don't actually need them because it increases the chances that the user will reject your application. – bkaid Jun 01 '11 at 21:49
  • If and only if you have the `offline_access` permission. Because when the user logs out, you will not have any way to get a valid token back. But the question is now: do you really need the `offline_access` permission, as you are storing user IDs for high scores? – Quentin Jun 01 '11 at 21:50
  • So if I did not store the user's token in the database, then would that mean I would have to authorize the user each time they start my application (I am using Android, by the way)? – Collin O'Connor Jun 01 '11 at 22:21
  • 1
    A user's access token changes every time they log in from a different device as well, am I correct? – NodeDad Aug 21 '13 at 21:39
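As an added example (not code from the answer above, nor from Facebook's SDK), here is the data model bkaid's answer and the comments imply: the row is keyed by the Facebook user id, the access token is a replaceable attribute of that row, and a Graph call that fails with the API's OAuthException code 190 (invalid or expired token) triggers a re-authorization instead of losing the row. The Graph API is replaced by an in-memory fake so the script runs offline; the users, token values and the `GameStore`/`FakeGraph` classes are constructed for illustration.

```python
"""Store game data by the stable Facebook user id, not by the access token.

Constructed example: FakeGraph stands in for graph.facebook.com. Error code
190 is what the real Graph API returns for an invalid/expired token; every
user id and token value below is made up.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


class GraphError(Exception):
    """Mirrors an OAuthException from the Graph API; code 190 means a bad token."""

    def __init__(self, code: int, message: str):
        super().__init__(message)
        self.code = code


class FakeGraph:
    """Constructed stand-in for graph.facebook.com that issues and revokes tokens."""

    def __init__(self):
        self._tokens = {}  # token -> facebook user id

    def authorize(self, user_id: str) -> str:
        """Simulates the user completing the OAuth dialog: a brand-new token."""
        token = secrets.token_urlsafe(24)
        self._tokens[token] = user_id
        return token

    def me(self, token: str) -> dict:
        """GET /me: the reliable way to learn which user a token belongs to."""
        if token not in self._tokens:
            raise GraphError(190, "Error validating access token")
        return {"id": self._tokens[token]}

    def change_password(self, user_id: str) -> None:
        """A password change invalidates every token the user has issued..."""
        self._tokens = {t: u for t, u in self._tokens.items() if u != user_id}

    # ...and deauthorizing the app has the same effect on that app's tokens.
    deauthorize_app = change_password


@dataclass
class UserRecord:
    facebook_uid: str                   # primary key: never changes
    high_score: int = 0
    access_token: Optional[str] = None  # cached credential: may go stale


class GameStore:
    """Records keyed by facebook_uid; the token is a replaceable attribute."""

    def __init__(self, graph: FakeGraph):
        self.graph = graph
        self.users = {}

    def login(self, token: str) -> UserRecord:
        """Resolve the token to a uid via /me, then attach the token to that row."""
        uid = self.graph.me(token)["id"]
        rec = self.users.setdefault(uid, UserRecord(facebook_uid=uid))
        rec.access_token = token
        return rec

    def record_score(self, uid: str, score: int) -> int:
        rec = self.users[uid]
        rec.high_score = max(rec.high_score, score)
        return rec.high_score

    def call_graph(self, uid: str, reauthorize) -> dict:
        """Use the cached token; on code 190 obtain a fresh one and retry once."""
        rec = self.users[uid]
        try:
            return self.graph.me(rec.access_token)
        except GraphError as err:
            if err.code != 190:
                raise
            rec.access_token = reauthorize()  # only the token changes
            return self.graph.me(rec.access_token)


def demo() -> dict:
    """Token rotates after a password change; the score keyed by uid survives."""
    graph = FakeGraph()
    store = GameStore(graph)
    first = graph.authorize("1000")
    store.login(first)
    store.record_score("1000", 4200)
    graph.change_password("1000")  # `first` is now rejected with code 190
    store.call_graph("1000", reauthorize=lambda: graph.authorize("1000"))
    rec = store.users["1000"]
    return {"score": rec.high_score, "token_changed": rec.access_token != first,
            "rows": len(store.users)}


def stale_token_is_rejected() -> bool:
    """A token issued before the user deauthorized the app is refused."""
    graph = FakeGraph()
    token = graph.authorize("2000")
    graph.deauthorize_app("2000")
    try:
        graph.me(token)
    except GraphError as err:
        return err.code == 190
    return False
```

For the Android case in the question, `reauthorize` is the point where the client asks the Facebook SDK for a fresh user token and posts it to the server; the server never needs to compare tokens, it only needs `/me` to map whatever token arrives back to the same `facebook_uid` row.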
5

Just wanted to point out that the offline_access permission has been removed.

https://developers.facebook.com/roadmap/offline-access-removal/

"While we are removing the use of the offline_access permission, through a migration setting in the Developer App, we are now allowing the option to use access_tokens with a long-lived expiration time that can be renewed each time the user revisits your app (see exceptions below)."

With more searching you will find how to extend the access token.

How to extend access token validity since offline_access deprecation

Here is a working example from https://stackoverflow.com/a/13224416/1753925:

<?php
session_start();                       // the SDK persists the token in $_SESSION
require('facebook.php');               // Facebook PHP SDK 3.x
$fb_appId = 'APP_ID';
$facebook = new Facebook(array('appId' => $fb_appId, 'secret' => 'APP_SECRET'));
// exchange the current short-lived user token for a long-lived one;
// the SDK stores the result under the session key fb_<appId>_access_token
$facebook->setExtendedAccessToken();
$access_token = $_SESSION["fb_".$fb_appId."_access_token"];
// now set it into the facebook object ....
$facebook->setAccessToken($access_token);
// now our fb object will use the new token as usual ...
$accessToken = $facebook->getAccessToken();
ethree
2
<?php
# We require the library (Facebook PHP SDK 2.x, which still provided getSession())
require("facebook.php");
require("db.php");     # opens the mysql_* connection used below
# Creating the facebook object
$facebook = new Facebook(array(
    'appId'  => 'APP_ID',
    'secret' => 'APP_SECRET_ID',
    'cookie' => true
));
# Let's see if we have an active session
$session = $facebook->getSession();
if (!empty($session))
{
    try
    {
        $facebook_id = $session['uid'];
        $facebook_access_token = $session['access_token'];
        # Escape every value before interpolating it into SQL; the token and
        # the username arrive from outside the application, and raw
        # interpolation is a SQL injection hole.
        $facebook_id = mysql_real_escape_string($facebook_id);
        $facebook_access_token = mysql_real_escape_string($facebook_access_token);
        # $user_session is the logged-in username set by your own login code
        $user_session = mysql_real_escape_string($user_session);
        // Updating Facebook values into Users table
        mysql_query("UPDATE users SET facebook_uid='$facebook_id', facebook_access_token='$facebook_access_token' WHERE username='$user_session'");
        header("Location: http://yourwebsite.com/home.php");
        exit;
    }
    catch (Exception $e)
    {
        error_log($e->getMessage());   # at least record the failure
    }
}
else
{
    header("Location: http://yourwebsite.com/home.php");
    exit;
}
sakibmoon
love
1

Not always.

Access tokens normally will expire after some point in time. There is a way to make an access token with an infinite expiry time though, but you need to request offline_access as one of the permissions.

Look here for more information.

Edit: Just saw that you require offline_access as a permission. Then no, they will not expire.

Soatl