I have a number of PHP scripts that pull data from my Facebook profile.
I had set these up with an Access Token that I took from the Graph Explorer.
https://developers.facebook.com/tools/explorer/
I ensured that when generating the tokens, I asked for the offline_access extended permission.
These scripts worked fine for months, but over the last few days, I notice that whenever I logout of Facebook, the token becomes invalidated, and I have to log back in each time and get a new one.
My understanding was the an offline_access token survives a logout, but not a password change.
Has something changed in this regard?
I've done some more research on this.
FB are deprecating the offline_access permission. That means it will no longer be possible to obtain an access token that gives your app open-ended permission to query a user's data.
Instead, your app will have to test the validity of any existing token, and it that token has expired, you will be able to swap it for a new one. Previously, if you had an expired token, you had to send your user through the auth process again to get a new one, so this is actually a positive development.
See: https://developers.facebook.com/docs/offline-access-deprecation/
In my own particular example, where I was using a token obtained from the Graph Explorer in a PHP script that queried the Graph with cURL (ie independently of a user session on FB), I can't however do this.
The Graph Explorer is an app in its own right, and it seems that in the last few days it has switched on the deprecate_offline_access migration in its settings, which means existing offline_access tokens obtained via Graph Explorer will now expire on logout.
Also, I can't issue a request in my script to swap the token, as this requires the APP SECRET for the Graph Explorer app, which I don't have.
Therefore, existing offline_access tokens obtained as part of the standard auth process should continue to work, but offline_access tokens obtained via the Graph Explorer will not.
This effectively means that it is no longer possible to script interaction with the Graph where Extended Permissions are required. All such interaction will now have to occur within a user session.
I can see the logic in this, but its a bit of a spanner in the works for cron jobs etc.
I might suspect that with the change-over (while Facebook code is written to handle both old and new ways) that there might have been a bug introduces. If you can reproduce this issue, then it should be filed as a defect with Facebook at http://developers.facebook.com/bugs.
I've checked using a basic access token with a brand new app. I only asked for offline permissions. I checked the token in the linter and it says it was ok. I logged out of facebook then back in. Then rechecked the token. And sure enough it was invalidated. In my app settings I have deprecate offline_access set to Enabled.
For my next test, I set it to disabled and checked again. Sure enough Facebook invalidated that token.
For my next test, I checked with an app created a few years ago. It has the deprecate offline_access turned off. And sure enough it was able to keep the offine access token current and did not invalidate it at all.
I also tested with an app I created during last year's F8 conference, and it also behaved correctly (not invaliding the offline token) when I logged out of facebook.
So, I guess it might depend upon how long ago your app was created.
Related
I'm struggling with a the new OAuth verification process that Google has introduced. Earlier, my OAuth app was using sensitive scopes, and I made changes to ensure that the sensitive scopes are no longer required, and removed them from the OAuth consent screen configuration.
However, my OAuth consent screen is still being forced to go through the verification process (which is a black box and never seems to complete!)
I noticed the following user-cap being breached. Could the forced verification be because of this? How do I check which users are connected to my app, and also manually disconnect them? I have never bothered about this user-cap in the past, so it is quite possible that a number of these are internal/test users when the app was under active development and was being tested in production. Btw, if app simply deletes a user's refreshToken from the DB, and the user is forced to re-connect, will that count as +2 or +1 while calculating users against this cap?
Possibly related to How can I confirm the user limit of my google cloud/API? -- but that doesn't answer this question in detail.
I noticed the following user-cap being breached. Could the forced verification be because of this?
probably but only google can really anwser that
How do I check which users are connected to my app, and also manually disconnect them?
You cant there is no way for you to know what users where connected to your app and disconnect them unless you have saved a refresh token for these users if you have then you could remove them using the revoke command.
However this is no guarantee that the number google is displaying is going to change as it could be just a running total of users who have consented to your application in the past and not the ones who have currently consented. There is no way of know ing this as google hasnt told use.
if app simply deletes a user's refreshToken from the DB, and the user is forced to re-connect, will that count as +2 or +1 while calculating users against this cap
This may be true but that doesn't mean that the user has revoked your access to their application though their account. The only way to remove access is for the user to remove it in their account or for you to use the revoke endpoint to revoke them by force. Your application not having a refresh token doesn't mean that the user hasn't granted your application access.
Long story short your going to have to go though the verification process and wait for google to remove it when they see that you are no longer using the scopes that would require it.
Update: I have pinged someone on the team to see if this is working as intended or if it could be a bug. I will update this when i know more.
My app integrates Facebook login with the following permissions :user_education_history and user_work_history. The app was working just fine until today morning when I attempt to login I get the following error:
invalid scopes: user_education_history, user_work_history. This message is only shown to developers other app users will ignore these permissions if present.
I went through the docs and I discovered that they were deprecated on the 4th of this month but I cannot seem to find the new permissions for the education and the work history ... any help ?
Facebook is removing access to a lot of things as a result of recent negative press surrounding data mining of their users. In almost all cases the information is simply no longer available, there is no alternative method to access it.
More information is available in the Facebook developer blog:
https://developers.facebook.com/blog/post/2018/04/04/facebook-api-platform-product-changes/
https://developers.facebook.com/blog/post/2018/04/24/new-facebook-platform-product-changes-policy-updates
Note that the message you mention is only shown to Facebook accounts with developer credentials. Regular Facebook users don't see this message and the Facebook API simply ignores requests for scopes which are no longer allowed. If the data being requested are optional in the context of the app, you should create a test Facebook account and see how it behaves when requesting the data doesn't return anything (or causes unexpected errors).
I am building an in-house application which would accumulate the information from several social networks at once. Possibly, the URL of the application will not be known or it will not be allowed anywhere outside localhost.
One of the information pieces I will be accumulating is FQL insights table information: https://developers.facebook.com/docs/reference/fql/insights/ . As you may notice, this information is private, so I just cannot fetch it anonymously.
The application itself is written in a "configure once and use forever" fashion, and possibly the person using the application will not be allowed to the Facebook login credentials at all.
My problem is the Facebook login. As I understand the login with "forever access" is now deprecated and Facebook does not allow API access the same way as Twitter does (creating the forever lasting key and forgetting about it). Question is:
Is there any way to overcome the fact that I need to ask the person for permissions every time I would like to fetch them? What can be the longest period between asking?
My current thoughts about it are:
Creating a dummy user for the 'manager' and giving him read-only
access to FB pages, therefore enabling him to log in to the account.
Then asking him for the permissions every (n) hours when I need them.
Automatic log in to the FB account given that we have the
login/password for the account and obtaining the API key myself.
Which is doable? Did anyone have any experience in doing this kind of things?
What can be the longest period between asking?
You can use Long-lived user access_token which is valid for 60 days.Use below FB call to get extended access token:
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN
You can check more details here:
https://developers.facebook.com/roadmap/offline-access-removal/
One more point which is worth to note here:
When a user change his password, deauthorizes an app their OAuth token get expired.
Hope this help !
I've been scouring the net for ages with this one, and I'm not sure if there is a solution at all, but thought I'd post and see if there's a response... thanks in advance!
Several of our customers (who we build websites for) have their Facebook feeds brought into their website (and their Twitter feeds). Before the removal of the offline_access permission, this was no problem. We'd set our app up, authenticate the account, get the access token and then we could bring in the live feed into their websites forever. However, now with the new system, there doesn't seem to be a way of doing this without human intervention.
Essentially, we have these websites bringing in the feeds from the relevant Facebook accounts, with the long access_token (60 day token). However, when this limit is reached, there is no "user" to re-authenticate the app, as its just the server that makes these requests. Is it a case of having to set reminders for all these accounts, and then every two months we (as the web agency) have to log in to all the accounts and get new access tokens to provide to the scripts so they can carry on working? Or is there an alternative which I am just not seeing?
Thanks again!
Neil.
There is no alternative that I know of. Once the token expires after 60 days, the user must re-authenticate.
No alternative way, user must login to provide you the new access token
https://developers.facebook.com/roadmap/offline-access-removal/
I've been digging through all docs I can find, but I cannot seem to verify this..
When I'm doing app authorization I'm asking for publish_stream from my visitor.
From to FB docs (http://developers.facebook.com/docs/reference/api/permissions/):
Enables your app to post content, comments, and likes to a user's stream and to the streams of the user's friends. With this permission, you can publish content to a user's feed at any time, without requiring offline_access. However, please note that Facebook recommends a user- initiated sharing model.
It very explicitly states that I'm able to post at ANY time. But, a regular user access token expires after a certain time. So that won't be usable to post.
However, an APPLICATION access token can be retrieved at any time, without any user interaction. And when I've tested, I can successfully publish to a users feed (yes on their feed, not my applications feed) using the app access token.
I haven't waited 2+ hours for the initially obtained User token to expire though, but even if the user session was logged out, I was still able to post using the app token.
So, this is what I want, right? Yes!
But this is not documented anywhere, so my question is:
Is this an allowed/recommended approach? Will I run into any problems around this?
Thank you
this is the right way to do it, so you'll not run into any problems etc.
Just use the App access_token to publish on you app users walls.
Greetings,
Fredyy