We have a usecase where a user uses facebook social login to sign in our application and we get the long-lived access token with 60 days expiration time. But as it expires in 60 days, we don't want to prompt for logging-in again through facebook; rather refreshing the token on our end. To add to that, using the same long-lived access token frequently comes with the risk of the application being flagged as spam.
I came across a link that is :
https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing/
where we can redeem another long-lived access token with the help of the code. But, when I try to retrieve the code through a test user's short-lived access token; it works. On the other hand, if I try to get the code with the help of my long-lived access token(which is valid and works well when hitting Graph API), I get the error :
{"error":{"message":"Invalid OAuth access token data.","type":"OAuthException","code":190,"fbtrace_id":"AlAiFbxLbeP5YifJLRdTXHG"}}
Please help me.Thanks in advance!
Related
After googling we came to know that invalid_grant which means refresh token is invalid.
Link to google oauth doc
We don't have any of these issues mentioned by google. Is this error related to something else rather than a refresh token.
More Info
We have access to read, write spreadsheet and send gmail
We fetch an access token for each request
Any help would be appreciated.
We're already in production and verified by google
Without seeing the full error message that being
Invalid_grant {Message here}
It is hard to help but from my experience is most often caused by one of the following.
Refresh token expire, app not in production.
There are serval reasons why a refresh token can expire the most common one currently is as follows.
A Google Cloud Platform project with an OAuth consent screen configured for an
external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.
The fix is to go to google developer console on the consent screen and set your application to production, then your refresh token will stop expiring.
invalid_grant: Invalid JWT
{ “error”: “invalid_grant”, “error_description”: “Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values and use a clock with skew to account for clock differences between systems.” }
Your server’s clock is not in sync with NTP. (Solution: check the server time if its incorrect fix it. )
invalid_grant: Code was already redeemed
Means that you are taking an authentication code that has already been used and trying to get another access token / refresh token for it. Authentication code can only be used once and they do expire so they need to be used quickly.
Invalid_grant: bad request
Normally means that the client id and secrete you are using to refresh the access token. Was not the one that was use to create the refresh token you are using.
Always store most recent refresh token.
Remember to always store the most recent refresh token. You can only have 50 out standing refresh tokens for a single user and the oldest one will expire. Depending upon the language you are using a new refresh token may be returned to you upon a refresh of the access token. Also if you request consent of the user more then once you will get a different refresh token.
User revoked access
If the user revoked your access in their google account, your refresh token will no longer work.
user changed password with gmail scope.
If your refresh token was created with a gmail scope and the user changed their password. your refresh token will be expired.
Links
Oauth2 Rfc docs for invalid_grant error rfc6749
invalid_grant
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client.
I have an application, that runs on server. On that server is background task, that will post status update on few social networks (Facebook, Twitter, G+). It must be completely server-side.
In Twitter API I'm able to use OAuth header to authorize API request. OAuth HTTP header uses consumer key, consumer secret, access token and access token secret to create the header. With this I'm able to post/update/delete tweets with no user interaction.
How can I do this for Facebook? I found a solution to obtain a long-lived access_token (2 months), but we don't want to regenerate access_token every 60 days. We want to use it for manage our Facebook page - post status updates, but completely server-side.
Am I able to do this for Facebook? Thanks for answers.
PS: I searched stackoverflow hundred-times but with no solution for my problem.
Thanks.
It is not possible for User Access Tokens (they can only be extended to 60 days and need to be refreshed by the user after that), but for posting to a Page you should use a Page Token anyway. An Extended Page Token is valid forever.
Here are some Links to help you get that Extended Page Token:
https://developers.facebook.com/docs/facebook-login/access-tokens/
http://www.devils-heaven.com/facebook-access-tokens/
http://www.devils-heaven.com/extended-page-access-tokens-curl/
A Page Token will post "as Page" btw, but that´s probably what you want. And auto-posting on user profiles is not really allowed anyway, every message has to be 100% user generated and every posting should get authorized by the user.
Pay attention to Access Tokens Expiration & Extentions.
The Page Access Token could be a good solution to only server side calls for testing and data analysis purposes.
Take your User Access Token from Graph API Tool
Extend your User Access Token
Call https://graph.facebook.com/v2.11/me/accounts with your user access token extended
*all calls are GET and this procedure does not use APP Access Token.
I don't understand something important about permissions and how to grant them. I've made a Facebook page, and I've made an app. I would like the app to be able to post to the page.
Below is my code. I'm using the fb_graph ruby gem, btw (https://github.com/nov/fb_graph)
app = FbGraph::Application.new('531508086900000000', :secret => 'd705fda7275125913a10000000000')
token = app.get_access_token
page = FbGraph::Page.new('000000000000000')
note = page.note!( :access_token => token, :subject => 'testing', :message => 'Hey, testing you!')
And this is the error:
FbGraph::Unauthorized: OAuthException :: (#200) Requires extended permission: publish_actions
I've looked everywhere I can think of on both the app and the page settings but can't figure out how to do this. Help appreciated!
You need to grant access via a user access token.
The current token in your case is an application access token.
Use one of the methods listed at https://developers.facebook.com/docs/facebook-login/permissions/v2.1#adding
Specifically https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.1#login
I voted up phwd's answer for the help s/he was to me here and in IRC. But it still wasn't really enough information to make sense of why this is so hard. I've decided to post my current working understanding of how this works. These are just my own notes, so I'm sorry in advance for anything unintelligible.
So, getting the right access tokens is f***ing hard, and here's my current understanding:
In order to get a token that last forever so that my app can post to a page I have to do this:
1. Create a short-lived user access token with the right scope for the app (manage_pages, publish_actions) using the explorer
- page access tokens can be obtained via /me/accounts from the explorer page
- if the user access token that is "live" during the /me/accounts request is short lived then this page access token will be too
- if it is an extended long-lived token the page access token will have no expiry according to https://developers.facebook.com/docs/facebook-login/access-tokens
2. Extend short-lived user access token to a long-lived one via a graph api call, also using exploer (see below)
3. Execute the /me/accounts call to get a page token that doesn't expire
How to get a long lived user access token
oauth/access_token?grant_type=fb_exchange_token&client_id=531------------&client_secret=e005f031ba3d98------------------&fb_exchange_token=CAAHjZA163IbMBAMKSeFTmeV9------------------------------------------------------------------------------------------------------------------------------------------------fonA4P4bPhhdveMLvZBKldEGCB7EvF301wQv1YPrudy5kvI
where
client_id = App Id
&client_secret = App Secret
&fb_exchange_token = short lived user access token via explorer with proper scope
This gives you the following long lived access token
access_token=CAAHjZA163Ib---------------------------------------------------------------------------------------------------------------------------------------------------------------------ehS8g2ZBYU8uZBPmdMay3AAj5tXgAZDZD&expires=5179843
This is an extended user access_token
This token can be used to post to the page it was genrated for.
It can also be used to get a no-expiry page access token when used to issue /me/accounts
from facebook :
Page Access Token
These access tokens are similar to user access tokens, except that they provide permission to APIs that read, write or modify the data belonging to a Facebook Page. To obtain a page access token you need to start by obtaining a user access token and asking for the manage_pages permission. Once you have the user access token you then get the page access token via the Graph API.
The application which I am building maps a user_id to multiple facebook accounts. I have access tokens for each of these mapped accounts and everything works nicely. There is a problem, though, when one of these access tokens expires but the user is logged in to Facebook as a different user than the one to whom the expired access token belongs.
I read all there is about obtaining a new access token for the currently logged in user but I found nothing about the case when the user whose access token expired is not logged in to Facebook.
I would appreciate your thoughts and possible solutions.
Users can't have multiple Facebook accounts, so that part of your question doesn't entirely make sense, but in general, if an access token expires you need the user to come back to your app and go through the Authentication flow again, which will give you a new access token for that user
I believe the only way to get an updated access token would be to go through the whole authentication process again from the initial login screen.
Depending on the technology with which you're building your application, the only way I can imagine you'd handle logging in to a Facebook account without logging out of an existing one is to set up parallel instances of web browsers, so long as they don't share things like cookies.
Is there any way to use the graph api to find out when a page access token, or application token will expire?
Update: There is a new API endpoint to access information about an access token. You can find info here: Debugging Access Tokens and Handling Errors
https://graph.facebook.com/debug_token?input_token=INPUT_TOKEN&access_token=ACCESS_TOKEN
input_token: the Access Token to debug
access_token: your App Access Token or a valid User Access Token from a developer of the app.
--
You should try to make sure that you store each token's expiration time along with the access token when you get it. For a page access token, that means storing the expiration time of the user access token. If you would like to manually discover expiration times for tokens you have today, you should use Facebook's Access Token Debugger tool. However, you should not be relying on expiration times alone -- in practice, many tokens will expire much earlier than their expiration time.
Application access tokens will never expire, unless the application secret key is reset.
Page access tokens last up to 60 days (5184000 seconds), but more importantly, they last as long as the user access token that was used to acquire them. So they will be invalidated as soon as the user that you got them from:
logs out of FB.
changes password.
deauthorizes your application.
Basically, when you lose the user's token, you will lose the page's token. Instead, you should retrieve page access tokens once per user access token. If you throw out a user access token, throw out the page token. You should not be trying to store page access tokens for any significant period of time. Instead you should get them as needed and forget them when a user's session dies.
To get a new page access token:
https://graph.facebook.com/PAGEID?fields=access_token&access_token=USER_ACCESS_TOKEN
Access Token Debugger
https://developers.facebook.com/tools/debug/access_token
Does not use the Graph API... but a very useful tool for manual debugging.
There is now an API version of the debugger tool.
See https://developers.facebook.com/docs/authentication/access-token-debug/
I would like to repeat this question for the current version of the API since I've come to a situation when Facebook doc clearly does not describe what is happening:
no expiry dates when requesting a new long-lived token with fb_exchange_token
no expiry dates when requesting debug_token information (expires_at = 0)
it does reply with an expiration date when redirecting the user to the auth page for the first time, but that does not help as I cannot extract the long-lived expiration date nor it will reply with this information for the second time
The debug tool here: https://developers.facebook.com/tools/debug/accesstoken says "Expires: Never".
Try this, it worked with me. Get the token with your app and paste it in the graph explorer as the token to be used for queries. Click on the info a see the expiration date.
example image
I hope it works for you too.
https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension
From the page above:
Access tokens on the web often have a lifetime of about two hours, but
will automatically be refreshed when required. If you want to use
access tokens for longer-lived web apps, especially server side, you
need to generate a long-lived token. A long-lived token generally
lasts about 60 days.