I am interested how to handle AccessToken expiration when using the Facebook SDK for Android.
According to documentation of Access Tokens they are saying that developers don't need to worry about token expiration : "When using iOS, Android or our JavaScript SDK, the SDK will handle making sure that tokens are refreshed before they expire."
Assumption A : I assume that the quote above implies that AccessToken.getCurrentAccessToken() returns always non-expired access token, or is my assumption wrong ??
In the Facebook Login for Android documentation they are saying : "If you want your app to keep up with the current access token and profile, you can implement AccessTokenTracker and ProfileTracker classes."
My question is: Why should I implement AccessTokenTracker, if (according to 1 ) the SDK make sure that token are refreshed before they expire ?
If my assumption is correct, then the getCurrentAccessToken() returns always the non-expired token, so there should be no reason to track the AccessToken ?
Thank you for help!
EDIT
My assumption A is wrong, because according to this docu the person has to login again if the access token is invalid.
Typically you would use the AccessTokenTracker if you also save the access token elsewhere. Let's say that you keep the access token server side (so you can make requests offline), and the SDK updates the token with a refresh, in that case, you'll want to update the token on your server as well, this allows you to do that.
Alternatively, if your app allows people to log off, or to switch to a different user, you can use the AccessTokenTracker and ProfileTracker to alert you when the user changes.
Related
My app got white-listed for using the Ads API.
I was wondering in regarding to the authentication flow.
Say, that I need to retrieve and execute actions via the API on daily tasks ( with no user interaction) , I find the authentication process quite cumbersome.
Is there a way to work with my app access token instead of a user access token?
I want to be able to approve my app only once for each user and then to be able to work with no user interaction.
Can I achieve this?
App access token is not relevant for this case.
I had to work with the user access token.
I followed this doc: https://developers.facebook.com/docs/reference/ads-api/
Eventually , one should use some client side code in order to get a user permissions and then make another request for getting the user token.
So you'll have to call
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=ads_management,offline_access&response_type=code
Get the authentication code and make another call:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=AUTHORIZATION_CODE
Then you'll get an access token which is valid only for two months, in opposed to what Facebook docs says in here:
https://developers.facebook.com/roadmap/offline-access-removal/
"Ads APIs are special cased to allow collection of statistics offline. PMD partners should use server-side OAuth flow in order to receive a non-expiring token rather than a token that has longer expiration time."
Too bad that the access token is not really valid forever...
According to "Exception 4" in this document , if you have Ads API access you should be able to get a non-expiring token if you use the correct workflow. Following the guidelines outlined here, if you use the server side OAuth flow, to make the following request you should get a non-expiring token:
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
thx for the feedback regarding the Access token process being cumbersome. Because this is a one to many solution - a single App ID can manage multiple ad accounts, on behalf of multiple people - we need to make calls on behalf of people.
You should be able to get a persistent access token for Ads API. If you are not getting it, please provide exact steps you are following so we can see if there is a bug or you might be missing a step.
Thx.
Reading the API docs (https://developers.facebook.com/docs/reference/api/page/) I assumed that in order to read a public pages status updates, I would require "any valid access_token or user access_token" (quoting the docs here).
However, if I try to get the status updates for the public page, using my app access token, I receive the following response: "A user access token is required to request this resource"
GET 20531316728/statuses?access_token=myappaccesstoken
So, my question is if the docs are just plain wrong, I'm doing something wrong or whatever?
There is a clarification that needs to occur by Facebook [1]. The docs are either outdated or Facebook has changed their mind on handling these updates which is interesting seeing that
GET /PAGE_ID/feed?access_token=myappaccesstoken
Works (and holds all the statuses). I was told by someone in IRC #facebook that maybe the statuses call is more expensive (Not too bought on this idea).
My current stance is that either
any valid access_token or user access_token was supposed to imply those excluding app tokens
Facebook realizes that one can bypass the OAuth Flow by using an app token on pages when Facebook desired some form of authentication.
In the end, these are all assumptions.
I haven't been able to get a clear answer out of any Facebook employee as to whether this is indeed a bug or an intentional removal of this feature.
[1] - http://developers.facebook.com/bugs/480742545315442
I'm trying to read likes on my friend's status. It is working fine if i copy the access token from the graph api explorer.
If i use the getAccessToken method. It just returns an array with the id of the status, which was passed by me.
Can anybody help me on how to pass the access tokens to the app.
You may say that why don't you continue with the token copied from graph explorer?
But due to the recent changes offline_access token has been removed, so that the token is expiring for every hour. By the way i'm using graph api with php.
The app needs a user access token if the status is not public – otherwise the API can not detect whether the current user is allowed to see it or not.
Get a long-lived access token: https://developers.facebook.com/roadmap/offline-access-removal/
On this page:
http://developers.facebook.com/docs/opengraph/using-app-tokens/
It describes how to get the app access token, yet the token it returns is different than the one in the open Graph "Get Code" example. The latter is the only one that works. How can I get the second access token using the API? When I try to use the first example, I basically get something back that looks like "application ID|secret key" which is different than the real access token.
as documentation states, you will get
access_token=YOUR_APP_ACCESS_TOKEN
string back from the API call. Even though it LOOKS like "application ID|secret key HASH" - it is a valid access token you can use to publish to user's wall. You can verify it's a proper access token using Debug toll from FB: https://developers.facebook.com/tools/debug - just paste the token there.
The reason it might not work for you is because you are trying to publish something to the user's wall who did not authorize your app. Look here: https://developers.facebook.com/docs/reference/javascript/ - for example of how to use your app ID to make user authorize the app. You need to request publish_stream permission for your app from user in order to be able to publish as the app to the user's wall.
And going back to the documentation:
Note that the app access token is for publishing purposes permitted by
the publish_actions and publish_stream permissions. You will be unable
to retrieve information about the status update post with the given ID
using the app access token. Instead, you should use a user access
token for such purposes.
hope that helps.
Do Facebook APP access tokens expire? These tokens are different than the USER tokens; they are acquired like this:
https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id={0}&client_secret={1})
as described in the App Login section of the document at http://developers.facebook.com/docs/authentication/.
Are there any circumstances under which they will become invalid?
NB: This is NOT a question about USER access tokens (which are clearly documented). There was an identical question http://facebook.stackoverflow.com/questions/7322063/does-app-login-access-token-expire wrongly closed as duplicate of another question about USER access tokens.
Per the Facebook documentation:
An App Access Token is signed using your app secret and will not
expire; it will be invalidated if you re-key/reset your application
secret.
Creating an APP_ACCESS_TOKEN is really easy.
You can use your App ID/API Key and App secret
access_token = YOUR_APP_ID|YOUR_APP_SECRET
Example: 1234587968 | bghyuifjk3438483249235903502035023504305
I do know that one condition that will cause them to become invalid is if you reset the Application Secret using the Facebook developer tool.
I do not know if using the OAuth method to produce an App Token will cause it to have an expiration. However, if you scan Facebook's PHP SDK, you may notice that a non-expiring app token is made by concatenation app_id and secret:
/**
* Returns the access token that should be used for logged out
* users when no authorization code is available.
*
* #return string The application access token, useful for gathering
* public information about users and applications.
*/
protected function getApplicationAccessToken() {
return $this->appId.'|'.$this->apiSecret;
}
WARNING: I would never use this in client-code as it would publish your app secret. However, in a trust server environment, it seems like the way to go.
To test this, I went to the OpenGraph tool and erased my Access Token and typed in the concatenated value from the code sample. I then accessed my app's insights to verify that it would work:
<APP_ID>/insights/application_active_users
For me, the answer is not to find a token that doesn't expire, (since I do not trust Facebook), but to catch the expiring token and reset without taking up my users time. I found this and thought you might want to check it out.
"To ensure the best experience for your users, your app needs to be prepared to catch errors for the above scenarios. The following PHP code shows you how to handle these errors and retrieve a new access token.
When you redirect the user to the auth dialog, the user is not prompted for permissions if the user has already authorized your application. Facebook will return you a valid access token without any user facing dialog. However if the user has de-authorized your application then the user will need to re-authorize your application for you to get the access_token." Resource: https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/