Facebook application oauth tokens expire? - facebook-graph-api

Do facebook application access tokens expire? These tokens are used for administrative purposes.
I have had an access token work for more than two weeks, but I would like to see a reference to something official, which I cannot find.
EDIT: I was not clear enough in my initial question. I was referring to the administrative access tokens, which are not related to a specific facebook user id.

Access tokens expire when the Facebook user logs out of their session, changes the application's permissions, or after some time when the application is no longer used. The only case in which the access_token does not expire is when the extended permission offline_access has been granted.
Source: http://developers.facebook.com/docs/authentication/permissions ("By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when they are actively using the application.").

It looks like administrative access tokens do not expire. I have had tokens active for several weeks.

Related

Revoking 1 token revokes all tokens of same OAuth Client ID + User Consent Pair

I'm experiencing a situation where:
I have a Google project, using an OAuth 2.0 Client (for web applications), to get consent for some scopes from users. The authorization parameters used in the redirect to Google use the following values (only including the possibly relevant params):
access_type - offline
response_type - code
include_granted_scopes - true
If a user consents access to the app, the app gets an access token to access the scopes granted.
If the same user consents again (while the previous access token hasn't been revoked yet) to the same app (using the same OAuth 2.0 Client), a new access token gets issued to the project.
The Google project has 2 different tokens now, and both access tokens work for accessing the scopes granted. Oddly though, the user would see only a single entry for the Google project/app in the user's "Apps with access to your account" page.
The issue is that if any of the tokens gets revoked, all of the active tokens get revoked (attempts to use the access token result in an invalid_grant error with the error description "Token has been expired or revoked."). While I haven't tested beyond having 2 live/valid tokens at the same time, I suspect the behavior would be the same for more than 2.
I've been looking through the Google OAuth 2.0 docs to find some documentation regarding this behavior, or find anything referencing what happens to companion tokens when one gets revoked, but was unable to find anything explaining this behavior.
I, at first, thought that it was maybe due to my usage of incremental authorization, and thought that maybe revoking the latest access token revokes all preceding ones, but after experimenting with include_granted_scopes=false, the behavior was still the same.
For now, I've restricted users to be able to consent only once (unless a token expires), but I'm curious about the explanation for this behavior - where revoking 1 token revokes all of them.
Actually, access tokens are independent. An access token by design will work for one hour. In theory, even if the user revokes your access, the access token will still work for the remainder of the hour it was originally valid for. This is standard OAuth2 functionality; they are intended to give access for an hour. That is why it is called a bearer token: the bearer of that token is granted access for an hour.
What I suspect you are seeing is the refresh token being revoked, as this will cause an invalid_grant error. If you request access to the user using offline access, you are granted a refresh token. If you request consent of the user again, you get another refresh token. There can be up to fifty outstanding refresh tokens for a single user.
If the user revokes the access via their Google account, or if your application revokes the access, then yes, all of the outstanding refresh tokens will be revoked, as your application's access to the user's account has been revoked, not the single refresh token. Note there are actually several reasons why a refresh token can expire; they can be found here: refresh token expiration
This is standard OAuth2 behavior, not Google specific.
Remove third-party account access
If you gave Google Account access to a third-party app or service you no longer trust or want to use, you can remove its access to your Google Account. The app or service won’t be able to access any more info from your Google Account, but you may need to request that they delete the data they already have.

Get Facebook User Access Token without user login in Graph API 2.2?

Given my app has been authorized once by the user, will it be able to get new access tokens without requiring the user to log in again?
If yes how can it be done? (preferably in Node.js)
All other answers I found seem to refer to old versions of the API.
No, User Access Tokens are valid for a very short time, and you can only extend them to 60 days. After that, the user MUST visit the App again. You can NEVER get User Tokens without user interaction. This was not even possible with older API versions. There was only an offline_access permission some years ago.
More information about Access Tokens:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
The new API gives Facebook users more security control by allowing the app's provider to set the expiration of the token to a maximum of 60 days. So, as far as I know, there is no way for the user to authorize the token just once and use it forever.

Refreshing an expired access token for specific user

The application which I am building maps a user_id to multiple facebook accounts. I have access tokens for each of these mapped accounts and everything works nicely. There is a problem, though, when one of these access tokens expires but the user is logged in to Facebook as a different user than the one to whom the expired access token belongs.
I read all there is about obtaining a new access token for the currently logged in user but I found nothing about the case when the user whose access token expired is not logged in to Facebook.
I would appreciate your thoughts and possible solutions.
Users can't have multiple Facebook accounts, so that part of your question doesn't entirely make sense, but in general, if an access token expires you need the user to come back to your app and go through the Authentication flow again, which will give you a new access token for that user.
I believe the only way to get an updated access token would be to go through the whole authentication process again from the initial login screen.
Depending on the technology with which you're building your application, the only way I can imagine you'd handle logging in to a Facebook account without logging out of an existing one is to set up parallel instances of web browsers, so long as they don't share things like cookies.

What exactly will happen to user access tokens with offline_access once that permission is permanently deprecated?

We currently have many users with offline_access user tokens which we use to manage pages on their behalf. I have read the Removal of offline_access guide and the majority of the changes are clear, however there is one unknown we'd like to clarify.
Following the permanent deprecation of offline_access, we will switch to using non-expiring page access_tokens. We have thoroughly tested the workflow for new users, and have found no problems with exchanging short-lived tokens for long-lived ones, and then retrieving non-expiring page access_tokens using long-lived user access_tokens.
My query relates to retrieving non-expiring page tokens using existing offline_access access_tokens. The last sentence of 'Scenario 5: Page Access Tokens' in the aforementioned guide indicates that you should be able to use either long-lived access_tokens or offline_access access_tokens to retrieve non-expiring page access tokens, however when we tested with the offline_access tokens, the page access_tokens returned had a 2 month expiry date.
As the guide also states in Scenario 2 that offline_access tokens will only have their expiration date truncated to 60 days when the permission is permanently deprecated, we are making the assumption that at that point all offline_access tokens will be converted to long-lived user tokens.
If this assumption is correct, we have no problem as we already know page access_tokens obtained using long-lived user tokens have no expiry. However, if this assumption is incorrect and offline_access tokens will simply be given an expiry date at the point of deprecation, we have a problem as it seems that page access tokens retrieved with offline_access tokens will expire.
Is somebody able to confirm this assumption?
tl;dr When the offline_access permission is deprecated, will existing offline_access access_tokens be converted into long-lived user access_tokens, or will they just be given an expiry date?
http://developers.facebook.com/roadmap/offline-access-removal/
Scenario 2: If you have been previously requesting offline_access - updated 4/30/2012
Once the migration has been enabled, existing user access_tokens, with the offline_access permission, will continue to work without any change to their expiration time. However, new users to your app will not be prompted for the offline_access permission in the Auth Dialog and will receive either a short-lived or long-lived access_token depending on your environment and how you are requesting the access_token (client or server-side OAuth, see Scenario 3 and 4 below).
After the offline_access removal date (see roadmap for exact date), all existing offline_access access_tokens will have their expiration time truncated to 60 days. This truncation will be transparent to the user and your app will continue functioning normally; Facebook will send an updated message through the weekly developer round-up when this truncation will occur.

Find Expire Time for an access token

Is there any way to use the graph api to find out when a page access token, or application token will expire?
Update: There is a new API endpoint to access information about an access token. You can find info here: Debugging Access Tokens and Handling Errors
https://graph.facebook.com/debug_token?input_token=INPUT_TOKEN&access_token=ACCESS_TOKEN
input_token: the Access Token to debug
access_token: your App Access Token or a valid User Access Token from a developer of the app.
--
You should try to make sure that you store each token's expiration time along with the access token when you get it. For a page access token, that means storing the expiration time of the user access token. If you would like to manually discover expiration times for tokens you have today, you should use Facebook's Access Token Debugger tool. However, you should not be relying on expiration times alone -- in practice, many tokens will expire much earlier than their expiration time.
Application access tokens will never expire, unless the application secret key is reset.
Page access tokens last up to 60 days (5184000 seconds), but more importantly, they last as long as the user access token that was used to acquire them. So they will be invalidated as soon as the user that you got them from:
logs out of FB.
changes password.
deauthorizes your application.
Basically, when you lose the user's token, you will lose the page's token. Instead, you should retrieve page access tokens once per user access token. If you throw out a user access token, throw out the page token. You should not be trying to store page access tokens for any significant period of time. Instead you should get them as needed and forget them when a user's session dies.
To get a new page access token:
https://graph.facebook.com/PAGEID?fields=access_token&access_token=USER_ACCESS_TOKEN
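The debug_token check above and the advice to store each token's expiry next to it (and to discard page tokens together with the user token they came from) can be combined into a small Node.js helper. This is an added example, not code from the original answers; the field names data.is_valid and data.expires_at follow the debug_token response, with expires_at === 0 treated as the "Expires: Never" case reported elsewhere on this page, and the sample response is constructed.

```javascript
// Added example (not from the original answers): debug_token helpers plus a
// store that keeps expiry beside each user token and drops page tokens with it.
// Assumes the debug_token body shape { data: { is_valid, expires_at, error? } };
// expires_at === 0 is the never-expiring case. Sample data below is constructed.
const GRAPH = "https://graph.facebook.com";

// Build the debug_token request URL; URLSearchParams handles encoding.
function debugTokenUrl(inputToken, appToken) {
  const q = new URLSearchParams({ input_token: inputToken, access_token: appToken });
  return `${GRAPH}/debug_token?${q.toString()}`;
}

// Interpret a parsed debug_token response body relative to nowSec (unix time).
function classifyToken(body, nowSec, warnWithinSec = 7 * 24 * 3600) {
  const d = body && body.data;
  if (!d) return { state: "error", reason: "response has no data field" };
  if (!d.is_valid) return { state: "invalid", reason: d.error ? d.error.message : "is_valid=false" };
  if (d.expires_at === 0) return { state: "never_expires", remainingSec: Infinity };
  const remainingSec = d.expires_at - nowSec;
  if (remainingSec <= 0) return { state: "expired", remainingSec };
  if (remainingSec <= warnWithinSec) return { state: "expiring_soon", remainingSec };
  return { state: "valid", remainingSec };
}

// Keeps expires_at alongside each user token; page tokens hang off the user
// token, so dropping the user token never leaves stale page tokens behind.
class TokenStore {
  constructor() { this.users = new Map(); }
  putUserToken(userId, token, expiresAt) { this.users.set(userId, { token, expiresAt, pages: new Map() }); }
  putPageToken(userId, pageId, token) {
    const u = this.users.get(userId);
    if (!u) throw new Error(`no user token stored for ${userId}`);
    u.pages.set(pageId, token);
  }
  pageToken(userId, pageId) {
    const u = this.users.get(userId);
    return u && u.pages.has(pageId) ? u.pages.get(pageId) : null;
  }
  dropUserToken(userId) { this.users.delete(userId); }
  // Re-check a stored user token against a debug_token body; drop it if dead.
  reconcile(userId, body, nowSec) {
    const result = classifyToken(body, nowSec);
    if (result.state === "invalid" || result.state === "expired") this.dropUserToken(userId);
    return result.state;
  }
}

// Constructed sample response (not captured from Facebook): a never-expiring token.
const SAMPLE = { data: { app_id: "APP_ID_PLACEHOLDER", is_valid: true, expires_at: 0 } };
```

A real caller would fetch debugTokenUrl(...) over HTTPS, JSON-parse the body and pass it to reconcile; the expiry it stores is still only an upper bound, since tokens can die earlier for the reasons listed above.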
Access Token Debugger
https://developers.facebook.com/tools/debug/access_token
Does not use the Graph API... but a very useful tool for manual debugging.
There is now an API version of the debugger tool.
See https://developers.facebook.com/docs/authentication/access-token-debug/
I would like to repeat this question for the current version of the API since I've come to a situation when Facebook doc clearly does not describe what is happening:
no expiry dates when requesting a new long-lived token with fb_exchange_token
no expiry dates when requesting debug_token information (expires_at = 0)
it does reply with an expiration date when redirecting the user to the auth page for the first time, but that does not help as I cannot extract the long-lived expiration date, nor will it reply with this information the second time
The debug tool here: https://developers.facebook.com/tools/debug/accesstoken says "Expires: Never".
Try this, it worked for me. Get the token with your app and paste it in the Graph Explorer as the token to be used for queries. Click on the info and see the expiration date.
I hope it works for you too.
https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension
From the page above:
Access tokens on the web often have a lifetime of about two hours, but will automatically be refreshed when required. If you want to use access tokens for longer-lived web apps, especially server side, you need to generate a long-lived token. A long-lived token generally lasts about 60 days.