
Access Token expire time with offline_access permission

Tags: facebook

The Facebook Permissions page states the following about offline_access:

Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when they are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.

Then I read this topic http://developers.facebook.com/docs/authentication/

Tried this:

https://graph.facebook.com/oauth/access_token?
 client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
 client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE

This URL, without the offline_access permission, responds like this:

access_token=.....&expires=5462

But with the offline_access permission it responds with just access_token. I don't get this; Facebook says it's long-lived, but how long-lived?

How can I learn when an access token with the offline_access permission expires?

Sercan Akmaz asked Mar 01 '11 13:03



1 Answer

Facebook introduced a new endpoint that allows developers to extend a generic access token (~2 hour lifespan) to a 60 day token. It's as simple as sending an HTTP GET to:

https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN

The response is a bit wonky (compared to their normal JSON response), so be prepared to parse the response. I chose PHP's parse_url function.

// URL to request (note: make sure you pass in the correct values for your app
// and the user access token you'd like to exchange).
// http_build_query() URL-encodes each value.
$url = 'https://graph.facebook.com/oauth/access_token?' . http_build_query(array(
    'client_id'         => $fb_app_id,
    'client_secret'     => $fb_app_secret,
    'grant_type'        => 'fb_exchange_token',
    'fb_exchange_token' => $access_token,
));

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
// Verify the server certificate: this request carries the app secret and a user token.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$response = curl_exec($ch);

curl_close($ch);

// parse the query-string style response into $token_data
parse_str($response, $token_data);

// exchanged token
$access_token = $token_data['access_token'];

echo 'exchanged access token: ' . $access_token;

Once you have the exchanged token, head over to the Facebook Access Token Debugger to check that your code is working properly. If properly exchanged, the expiration date should be 60 days from the current date.

https://developers.facebook.com/tools/debug

If you're worried about your access tokens expiring, you can check the expiration at runtime and call for a new 60-day access token if the expiration time is approaching. A less efficient (but easier) method would be to exchange your token every time a user visits.

Nick Parsons answered Nov 15 '22 10:11
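
The runtime expiry check suggested in the answer above, as an added example that is not part of the original answer: it parses the form-encoded token response, handles the case from the question where no `expires` field is returned, and decides whether the token should be exchanged. The function names `parse_token_response` and `needs_exchange`, the 7-day renewal window and the sample responses are assumptions made for illustration.

```php
<?php
// Added example (not from the original answer). Function names and the
// 7-day renewal window are assumptions chosen for illustration.

/**
 * Parse the form-encoded body returned by /oauth/access_token, e.g.
 * "access_token=...&expires=5462". Returns the token plus an absolute
 * expiry timestamp; expires_at is null when no usable "expires" field
 * is present (the offline_access case from the question).
 */
function parse_token_response(string $body, int $now): array
{
    parse_str(trim($body), $data);
    if (empty($data['access_token']) || !is_string($data['access_token'])) {
        // Do not echo or log $body here: it may contain a live token.
        throw new RuntimeException('token response has no access_token field');
    }
    $expires_at = null;
    if (isset($data['expires']) && is_string($data['expires'])
        && ctype_digit($data['expires'])) {
        $expires_at = $now + (int) $data['expires'];
    }
    return ['access_token' => $data['access_token'], 'expires_at' => $expires_at];
}

/** True when the token expires within $window seconds, or already has. */
function needs_exchange(?int $expires_at, int $now, int $window = 604800): bool
{
    if ($expires_at === null) {
        return false; // no expiry reported; a renewal cannot be scheduled from it
    }
    return ($expires_at - $now) <= $window;
}

// Constructed sample responses; the token values are placeholders.
$now   = 1700000000;
$short = parse_token_response('access_token=PLACEHOLDER_A&expires=5462', $now);
$long  = parse_token_response('access_token=PLACEHOLDER_B&expires=5184000', $now);
$none  = parse_token_response('access_token=PLACEHOLDER_C', $now);

foreach (['short' => $short, 'long' => $long, 'none' => $none] as $name => $t) {
    printf("%-5s expires_at=%s renew=%s\n", $name,
        $t['expires_at'] === null ? 'n/a' : gmdate('c', $t['expires_at']),
        needs_exchange($t['expires_at'], $now) ? 'yes' : 'no');
}
```

Store `expires_at` next to the token when it is issued, and keep the exchange call on the server, since it needs the app secret.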