 

How to extend access token validity since offline_access deprecation

Since the offline_access permission is deprecated in Facebook's authentication flow, we have a problem getting the so-called long-lived access tokens without that permission.

In Facebook's document about the deprecation it says that server-side OAuth-generated access tokens will be long-lived, but they are not.

Am I missing something? Some setting in the app settings? Some special code I need to use to extend the expiration time of access tokens? As I understand the documentation, for server-side authentication, the access token which can be accessed by the getAccessToken() method of the PHP SDK when the user is logged in is long-lived.

Rok Dominko asked Jan 24 '12 04:01




1 Answer

Edit (August 14th 2012):
A week ago the official Facebook PHP SDK was updated. The function name was changed to setExtendedAccessToken, and it was decided we actually needed to destroy the session afterwards, to remove the risk of having two active sessions.
Also, the function no longer actually returns the token, but instead stores it within the persistent data. You can therefore get the new access token with the public function getAccessToken afterwards. Grab the new SDK from the official Facebook PHP SDK GitHub page to make sure you're up to date.

Original Answer:

I have added a new public function to the base_facebook.php file, which returns a new access token which expires in 60 days. You can make a request to this function after you've received the normal access token. I've not tested, but I assume you also need to enable "deprecate offline_access" in your Advanced settings of the Developer App.

Just add this to your base_facebook.php inside the facebook class and make a call to it. It works for me.

    public function getExtendedAccessToken(){
        try {
            // need to circumvent json_decode by calling _oauthRequest
            // directly, since response isn't JSON format.
            $access_token_response =
                $this->_oauthRequest(
                    $this->getUrl('graph', '/oauth/access_token'), array(
                        'client_id' => $this->getAppId(),
                        'client_secret' => $this->getAppSecret(),
                        'grant_type'=>'fb_exchange_token',
                        'fb_exchange_token'=>$this->getAccessToken()
                    )
                );
        } catch (FacebookApiException $e) {
            // most likely that user very recently revoked authorization.
            // In any event, we don't have an access token, so say so.
            return false;
        }

        if (empty($access_token_response)) {
            return false;
        }

        $response_params = array();
        parse_str($access_token_response, $response_params);
        if (!isset($response_params['access_token'])) {
            return false;
        }

        return $response_params['access_token'];
    }
Marc Hoogvliet answered Sep 18 '22 14:09
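
The method in the answer returns only the token string, so the caller never learns when the extended token lapses. The following is an added example, not code from the answer or from the Facebook PHP SDK: a hypothetical helper, parseTokenExchangeResponse(), that validates the body returned by the fb_exchange_token request and reports an expiry timestamp so server code can re-exchange in time. The `expires` and `expires_in` field names and the JSON response variant are assumptions about what the endpoint returns, and the sample bodies are constructed.

```php
<?php
// Added example, not part of the Facebook PHP SDK.
// parseTokenExchangeResponse() is a hypothetical helper name.
function parseTokenExchangeResponse($body, $now = null)
{
    $now  = ($now === null) ? time() : $now;
    $body = trim((string) $body);
    if ($body === '') {
        return false;
    }

    // Assumption: newer responses are JSON objects, while the format the
    // answer handles with parse_str() is a URL-encoded query string.
    if ($body[0] === '{') {
        $params = json_decode($body, true);
        if (!is_array($params) || isset($params['error'])) {
            return false;
        }
        $ttl = isset($params['expires_in']) ? $params['expires_in'] : null;
    } else {
        $params = array();
        parse_str($body, $params);
        $ttl = isset($params['expires']) ? $params['expires'] : null;
    }

    // The token must be a non-empty scalar string, not an array or missing.
    if (empty($params['access_token']) || !is_string($params['access_token'])) {
        return false;
    }
    // Reject a non-numeric or non-positive lifetime instead of trusting it.
    if ($ttl !== null && (!ctype_digit((string) $ttl) || (int) $ttl <= 0)) {
        return false;
    }

    return array(
        'access_token' => $params['access_token'],
        'expires_at'   => ($ttl === null) ? null : $now + (int) $ttl,
    );
}

// Constructed sample bodies (placeholders, not real tokens).
$legacy = 'access_token=EXAMPLE_TOKEN&expires=5183999';
$json   = '{"access_token":"EXAMPLE_TOKEN","token_type":"bearer","expires_in":5183999}';
var_dump(parseTokenExchangeResponse($legacy, 1000000000));
var_dump(parseTokenExchangeResponse($json, 1000000000));
var_dump(parseTokenExchangeResponse('{"error":{"message":"constructed"}}'));
```

Because the exchange sends client_secret, it belongs in server-side code only, and the returned token should be stored with its expires_at rather than written to logs.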