Facebook has removed the offline_access token functionality, now tokens have to be renewed whenever the user visits your website to keep them active.
Say someone has already given your website access and you have a token stored for them. What code would you use with Facebook's PHP library to renew that token?
These tokens are refreshed once per day, when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
You can change the access token lifetime using the Auth0 Dashboard . Go to Dashboard > Applications > APIs and click the name of the API to view. Locate the Token Expiration (Seconds) field, and enter the appropriate access token lifetime (in seconds) for the API. Default value is 86,400 seconds (24 hours).
When your app uses Facebook Login to authenticate someone, it receives a User access token. If your app uses one of the Facebook SDKs, this token lasts for about 60 days. However, the SDKs automatically refresh the token whenever the person uses your app, so the tokens expire 60 days after last use.
If you want to make sure your Facebook page access token never expires, click “Debug” button. If you can see “expires: never”, it means Facebook page access token will never expire.
You can extend your token the following way:
Original scenario
Now you have that token to do what you wish with it for up to 60 days. Up to, because user can change password, de-authorize app, etc and token would become invalid. What you can do to extend the token is EVERY TIME user comes to your page(s), you can check if they are logged in via javascript and if they are, make an ajax call to your server to extend existing token for 60 days from today. You can make as many calls as you want, only the first one is valid. Here's how I do it:
On your page somewhere during load event, add something like:
FB.getLoginStatus(function (response) {
if (response.status === 'connected') {
$.ajax({
type: "POST",
async: false,
url: YOUR_URL,
dataType: "text",
data: {token : response.authResponse.accessToken }
});
}
});
//rest of jquery ajax call here
That will get a new client-side access token for the user and send it to the server
Server can then take that token and exchange it for a 60 day one
$token_url = "https://graph.facebook.com/oauth/access_token?client_id=".FACEBOOK_CLIENT_ID."&client_secret=".FACEBOOK_SECRET."&grant_type=fb_exchange_token&fb_exchange_token=".$token;
$c = curl_init();
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($c, CURLOPT_URL, $token_url);
$contents = curl_exec($c);
$err = curl_getinfo($c,CURLINFO_HTTP_CODE);
curl_close($c);
$paramsfb = null;
parse_str($contents, $paramsfb);
Reference:
https://developers.facebook.com/roadmap/offline-access-removal/
That would only extend the token if the user comes back to your site within 60 days. If not, you will need to prompt for permissions again.
Updated
Yes @zerkms is right, no access_token is needed if the application has permission.
With this permission, you can publish content to a user's feed at any time. However, please note that Facebook recommends a user-initiated sharing model. Please read the Platform Policies to ensure you understand how to properly use this permission. Note, you do not need to request the publish_stream permission in order to use the Feed Dialog, the Requests Dialog or the Send Dialog.
All extended permissions have similar privileges: https://developers.facebook.com/docs/authentication/permissions/
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With