Facebook access token: server-side vs client-side flows

Facebook docs:

Facebook Platform supports two different OAuth 2.0 flows for user login: server-side (known as the authentication code flow in the specification) and client-side (known as the implicit flow). The server-side flow is used whenever you need to call the Graph API from your web server. The client-side flow is used when you need to make calls to the Graph API from a client, such as JavaScript running in a Web browser or from a native mobile or desktop app.

What is the difference between the access tokens obtained through these flows? It seems like their lengths differ.

Can we use a server-side flow token on a client? And conversely, can we use a client-side flow token on a server?

alexey asked Jan 30 '12 17:01



2 Answers

Currently, Facebook says this about access_tokens. On server-side OAuth:

if the access_token is generated from a server-side OAuth call, the resulting access_token will have the longer expiration time by default. If the call is made while there is still a valid long-lived user access_token for that user, the returned user access_token from this second call may be the same or may have changed, but in either case the expiration time will be set to a long expiration time.

Whereas the client-side OAuth flow will give you an existing, non-expired, short-lived user access_token. To make this access_token long-lived, Facebook is providing a new endpoint that exchanges the short-lived access_token for an access_token with a longer life. The endpoint is:

    https://graph.facebook.com/oauth/access_token?
        client_id=APP_ID&
        client_secret=APP_SECRET&
        grant_type=fb_exchange_token&
        fb_exchange_token=EXISTING_ACCESS_TOKEN

Also please note that

Currently the long-lived user access_token will be valid for 60 days while the short-lived user access_tokens are currently valid from 1 to 2 hours.

Excerpt from https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/

naveen answered Nov 13 '22 00:11


For those who, like me, are facing the same issue in 2014: Facebook improved the documentation on access tokens.

Tokens are Portable

One important aspect to understand about access token is that they are portable. Once you have an access token you can use it to make calls from a mobile client, a web browser, or from your server to Facebook's servers. If a token is obtained on a client, you can ship that token back to your server and use it in server-to-server calls. If a token is obtained via a server call, you can also ship that token down to a client and then make the calls from the client.

(from https://developers.facebook.com/docs/facebook-login/access-tokens/#portabletokens)

So yes, you can use access tokens from the client on the server and vice versa; as already stated by naveen, the difference is that client-obtained tokens are short-lived, whilst server-obtained ones are long-lived. You can also convert a short-lived token to a long-lived token by following the directions here: https://developers.facebook.com/docs/facebook-login/access-tokens/#extending

gabriele.genta answered Nov 12 '22 22:11
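The exchange endpoint in naveen's answer and the "extending" step in gabriele.genta's answer, as an added example that is not code from either answer or from Facebook: a server-side helper that builds the fb_exchange_token request, parses the reply and reports the resulting lifetime. The reply shapes handled (a URL-encoded `access_token=...&expires=...` body or JSON with `expires_in`), the `fake_http_get` stand-in and all token and error strings are constructed assumptions so the example runs offline; the point it makes is that the app secret is part of the request, so the exchange belongs on the server even when the short-lived token came from a browser.

```python
"""Server-side exchange of a short-lived Facebook user token for a long-lived one.
Added example, not code from the answers: it builds the fb_exchange_token request
quoted above and parses the reply. The reply shapes ('access_token=...&expires=...'
or JSON with 'expires_in') are assumptions; the HTTP call is injected to run offline."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

GRAPH_EXCHANGE_URL = "https://graph.facebook.com/oauth/access_token"


def build_exchange_url(app_id: str, app_secret: str, short_lived_token: str) -> str:
    # The app secret travels in this request, so only the server builds and sends it.
    # A token obtained in the browser is shipped up to the server first (tokens are
    # portable); the secret never goes down to the client.
    query = urlencode({
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "fb_exchange_token",
        "fb_exchange_token": short_lived_token,
    })
    return f"{GRAPH_EXCHANGE_URL}?{query}"


def parse_exchange_response(body: str) -> dict:
    """Return {'access_token': str, 'expires_in': int}; raise on a Graph API error."""
    body = body.strip()
    if body.startswith("{"):  # JSON reply (assumed shape)
        data = json.loads(body)
        if "error" in data:
            raise ValueError("Graph API error: " + str(data["error"].get("message")))
        return {"access_token": data["access_token"], "expires_in": int(data["expires_in"])}
    fields = parse_qs(body, strict_parsing=True)  # URL-encoded reply (assumed shape)
    return {"access_token": fields["access_token"][0], "expires_in": int(fields["expires"][0])}


def exchange_token(app_id: str, app_secret: str, short_lived_token: str, http_get) -> dict:
    """Run the exchange and add 'expires_days' so the caller can sanity-check the lifetime."""
    result = parse_exchange_response(http_get(build_exchange_url(app_id, app_secret, short_lived_token)))
    result["expires_days"] = result["expires_in"] // 86400
    return result


def fake_http_get(url: str) -> str:
    """Constructed stand-in for the network: validates the request, returns a canned reply."""
    q = parse_qs(urlsplit(url).query)
    if q.get("grant_type") != ["fb_exchange_token"] or "client_secret" not in q:
        return json.dumps({"error": {"message": "missing client_secret or grant_type"}})
    if q.get("fb_exchange_token") != ["SHORT_LIVED_TOKEN_EXAMPLE"]:
        return json.dumps({"error": {"message": "invalid short-lived token (constructed)"}})
    return "access_token=LONG_LIVED_TOKEN_EXAMPLE&expires=5184000"  # 5184000 s = 60 days
```

Replace `fake_http_get` with a real HTTPS GET (for example `urllib.request.urlopen`) on the server to perform the exchange; the long-lived token it returns can then be handed down to a client, while the app secret stays where the exchange ran.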