Storing a user's Facebook access token

I have a database that stores a user's access token (along with some other data). My list of permissions include offline_access when I authorize the user.

So will the user's access token (client side) always be the same as that user's access token in the database? Or can the user's access token change when they log out, change their password, etc?

Collin O'Connor asked Jun 01 '11 15:06

2 Answers

No, the access token will not always be the same, even with offline_access. You will need to get a new access token when 1) the user changes their password or 2) deactivates your app. Otherwise, it should remain the same.

The user's Facebook id will never change, though. This can be parsed from the access token or obtained by calling the /me Graph API.

Facebook has a blog post that goes into detail about this.

Update: Facebook added a blog post specifically for handling revoked authorization.

bkaid answered Oct 02 '22 00:10


Just wanted to point out that the offline_access permission has been removed.

https://developers.facebook.com/roadmap/offline-access-removal/

"While we are removing the use of the offline_access permission, through a migration setting in the Developer App, we are now allowing the option to use access_tokens with a long-lived expiration time that can be renewed each time the user revisits your app (see exceptions below)."

With more searching you will find how to extend the access token.

How to extend access token validity since offline_access deprecation

Here is a working example from https://stackoverflow.com/a/13224416/1753925:

require_once 'facebook-php-sdk/src/facebook.php'; // Facebook PHP SDK v3
$fb_appId = 'YOUR_APP_ID';                         // placeholder app id
$facebook = new Facebook(array('appId' => $fb_appId, 'secret' => 'YOUR_APP_SECRET')); // placeholder secret
// exchange the current short-lived token for a long-lived one; the SDK stores it in the session
$facebook->setExtendedAccessToken();
$access_token = $_SESSION["fb_".$fb_appId."_access_token"];
// now set it into the facebook object ....
$facebook->setAccessToken($access_token);
// now our fb object will use the new token as usual ...
$accessToken = $facebook->getAccessToken();
ethree answered Oct 02 '22 00:10
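The two answers together describe the server-side handling a practitioner needs: key the stored row by the Facebook user id rather than the token (which changes on password change or app removal, per bkaid's answer), flag the row for re-authorization when Facebook rejects the token, and exchange a short-lived token for a long-lived one now that offline_access is gone (ethree's answer). The following is an added example, not code from this thread or from Facebook's SDKs. The `fb_exchange_token` grant on `/oauth/access_token` and the OAuthException code 190 are Facebook's documented values; the `http_get` callable, `fake_graph_http`, the user id, token strings and error replies are constructed so that it runs offline.

```python
"""Server-side handling of a user's Facebook access token.

Constructed example (not from the thread or Facebook's SDKs): rows are
keyed by the stable Facebook user id, a rejected token flags the row for
re-authorization, and a short-lived token is exchanged for a long-lived
one. The HTTP call is injected so the example runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

GRAPH_API = "https://graph.facebook.com"


@dataclass
class TokenRecord:
    fb_user_id: str                  # stable identity: the row key
    access_token: str                # opaque, may change at any time
    expires_at: Optional[datetime]   # None only for tokens without expiry
    needs_reauth: bool = False       # set once Facebook rejects the token


class TokenStore:
    """In-memory stand-in for the database table that stores user tokens."""

    def __init__(self) -> None:
        self._by_user: Dict[str, TokenRecord] = {}

    def save(self, fb_user_id: str, token: str, expires_in: Optional[int]) -> None:
        expires_at = None
        if expires_in is not None:
            expires_at = datetime.now(timezone.utc) + timedelta(seconds=expires_in)
        # Overwrite: the previous token for this user is stale by definition.
        self._by_user[fb_user_id] = TokenRecord(fb_user_id, token, expires_at)

    def get(self, fb_user_id: str) -> Optional[TokenRecord]:
        return self._by_user.get(fb_user_id)

    def is_usable(self, fb_user_id: str, now: Optional[datetime] = None) -> bool:
        """True when the stored token should be tried before re-prompting."""
        rec = self._by_user.get(fb_user_id)
        if rec is None or rec.needs_reauth:
            return False
        if rec.expires_at is None:
            return True
        return (now or datetime.now(timezone.utc)) < rec.expires_at

    def handle_api_error(self, fb_user_id: str, response: dict) -> bool:
        """Flag the row for re-authorization on an OAuth token error.
        Facebook reports an invalid, expired or revoked token (password
        change, app removed) as an OAuthException with code 190."""
        err = response.get("error", {})
        if err.get("type") != "OAuthException" or err.get("code") != 190:
            return False
        rec = self._by_user.get(fb_user_id)
        if rec is not None:
            rec.needs_reauth = True
        return True


def exchange_for_long_lived_token(app_id: str, app_secret: str, short_token: str,
                                  http_get: Callable[[str], dict]) -> dict:
    """Exchange a short-lived user token via the fb_exchange_token grant.
    The app secret is part of the request, which is why this runs on the
    server, never in the browser. `http_get` (assumed) fetches the URL and
    returns the parsed JSON body."""
    query = urlencode({"grant_type": "fb_exchange_token", "client_id": app_id,
                       "client_secret": app_secret, "fb_exchange_token": short_token})
    body = http_get(f"{GRAPH_API}/oauth/access_token?{query}")
    if "error" in body:
        raise RuntimeError(f"token exchange failed: {body['error']}")
    return {"access_token": body["access_token"], "expires_in": body.get("expires_in")}


def fake_graph_http(url: str) -> dict:
    """Constructed stand-in for the Graph API; knows one short-lived token."""
    if "grant_type=fb_exchange_token" in url and "fb_exchange_token=short-token-ABC" in url:
        return {"access_token": "long-token-XYZ", "expires_in": 5184000}
    return {"error": {"message": "Invalid OAuth access token.",
                      "type": "OAuthException", "code": 190}}


def demo() -> dict:
    """Store, exchange, then handle a rejection; returns the observed states."""
    store = TokenStore()
    user = "100000000000001"                       # constructed Facebook user id
    store.save(user, "short-token-ABC", 3600)     # fresh from Facebook Login
    fresh = exchange_for_long_lived_token("APP_ID", "APP_SECRET",
                                          "short-token-ABC", fake_graph_http)
    store.save(user, fresh["access_token"], fresh["expires_in"])
    usable_after_exchange = store.is_usable(user)
    # Later the user changes their password; the next Graph call returns a
    # (constructed) error reply and the row is flagged instead of retried.
    rejected = store.handle_api_error(
        user, {"error": {"type": "OAuthException", "code": 190}})
    return {"token": store.get(user).access_token,
            "usable_after_exchange": usable_after_exchange,
            "rejected": rejected,
            "usable_after_reject": store.is_usable(user)}


if __name__ == "__main__":
    print(demo())
```

Running the module walks through the lifecycle once: the short-lived token is exchanged and stored under the user id, and a later code 190 error marks the row as needing a fresh login rather than leaving the application to keep retrying a token Facebook has already revoked. Keying the row by user id is what lets the same record survive every token change the first answer lists.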