Menu
Facebook Permissions page states the following about offline_access:
Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
Then I read this topic http://developers.facebook.com/docs/authentication/
Tried this:
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
This url without offline_access permission responding like this:
access_token=.....&expires=5462
But with offline_access permission responding just access_token. I dont get this, facebook says its long-lived but how long lived?
How can I learn when expires access token with offline_access permission?
892
By default, access tokens are valid for 60 days and programmatic refresh tokens are valid for a year. The member must reauthorize your application when refresh tokens expire.
The OAuth 2.0 standard, RFC 6749, defines the expires_in field as the number of seconds to expiration: expires_in: RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
The Refresh token has a sliding window that is valid for 14 days and refresh token's validity is for 90 days.
The easiest way is to just try to call the service with it. It will reject it if it is expired and then you can request a new one. You can also keep the time you received the token and use the expires_in to calculate when it will approximately expire.
Facebook introduced a new endpoint that allows developers to extend a generic access token (~2 hour lifespan) to a 60 day token. It's as simple as sending an HTTP GET to:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
The response is a bit wonky (compared to their normal JSON response), so be prepared to parse the response. I chose PHPs parse_url function.
// url to curl (note: make sure you pass in the correct values for your app
// and the user access token you'd like to exchange.
$url = 'https://graph.facebook.com/oauth/access_token?client_id=$fb_app_id&client_secret=$fb_app_secret&grant_type=fb_exchange_token&fb_exchange_token=$access_token;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);
curl_close($ch);
// parse response
parse_str($response, $token_data);
// exchanged token
$access_token = $token_data['access_token'];
echo 'exchanged access token: ' . $access_token;
Once you have the exchanged token, head over to the Facebook Access Token Debugger to check that your code is working properly. If properly exchanged, the expiration date should be 60 from the current.
https://developers.facebook.com/tools/debug
If you're worried about your access tokens expiring, you can check the expiration on runtime and call for a new 60 day access token if the expiration time is approaching. A less efficient (but easier) method would be to exchange your token every time a user visits.
98
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
