Do Facebook Oauth 2 0 Access Tokens Expire

Question

I am playing around with the Oauth 2 0 authorization in Facebook and was wondering if the access tokens Facebook passes out ever expire  If so  is there a way to request a long-life access token

User · Answer

Try this may be it will help full for you

https://graph.facebook.com/oauth/authorize?
    client_id=127605460617602&
scope=offline_access,read_stream,user_photos,user_videos,publish_stream&
    redirect_uri=http://www.example.com/

To get lifetime Access Token you have to use scope=offline_access

Meaning of scope=offline_access is that :-

Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.

But according to facebook future upgradation the offline_acees functionality will be deprecated for forever from the 3rd October, 2012. and the user will be given 60 days long-lived access token and before expiration of the access token Facebook will notify or you can get your custom notification functionality fetching the expiration value from the Facebook Api..

User · Answer

Basic the facebook token expires about in a hour  But you can using  exchange  token to get a long-lived token https   developers facebook com docs facebook-login access-tokens  GET  oauth access token        grant type fb exchange token amp                 client id  app-id  amp      client secret  app-secret  amp      fb exchange token  short-lived-token

User · Answer

I came here with the same question as the OP  but the answers suggesting the use of offline access are raising red flags for me   Security-wise  getting offline access to a user s Facebook account is qualitatively different and far more powerful than just using Facebook for single sign on  and should not be used lightly  unless you really need it    When a user grants this permission   the application  can examine the user s account from anywhere at any time   I put  the application  in quotes because it s actually any tool that has the credentials -- you could script up a whole suite of tools that have nothing to do with the web server that can access whatever info the user has agreed to share to those credentials   I would not use this feature to work around a short token lifetime  that s not its intended purpose   Indeed  token lifetime itself is a security feature   I m still looking for details about the proper usage of these tokens  Can I persist them   How do should I secure them   Does Facebook embed the OAuth 2 0  refresh token  inside the main one   If not  where is it and or how do I refresh    but I m pretty sure offline access isn t the right way

User · Answer

check the following things when you interact with facebook graph api   1  Application connect URL should be the base of your  redirect uri  connect URL - www x-minds org fb connect  redirect uri -  www x-minds org fb connect redirect 2  Your  redirect uri  should be same in the both case  when you request for a verification code and request for an access token  redirect uri -  www x-minds org fb connect redirect 3  you should encode the the argument when you request for an access token 4  shouldn t pass the argument  type client cred  when you request for an access token  the authorization server will issue a token without session part  we can t use this token with  me  alias in graph api  This token will have length of  40  but a token with session part will have a length of 81   An access token without session part will work with some cases  eg  -https   graph facebook com  access token 116122545078207 EyWJJYqrdgQgV1bfueck320z7MM  But Graph API with  me  alias will work with only token with session part

User · Answer

Hit this to exchange a short living access token for a long living non expiring pages  one   https   graph facebook com oauth access token                   client id APP ID amp      client secret APP SECRET amp      grant type fb exchange token amp      fb exchange token EXISTING ACCESS TOKEN

User · Answer

This is a fair few years later  but the Facebook Graph API Explorer now has a little info symbol next to the access token that allows you to access the access token tool app  and extend the API token for a couple of months  Might be helpful during development

User · Answer

Note that Facebook is now deprecating the offline access permission in favor of tokens for which you can request an  upgrade  to the expiry  I m just now dealing with this  myself  so I don t have much more to say  but this doc may help   https   developers facebook com docs offline-access-deprecation

User · Answer

log into facebook account and edit your application settings account -  application setting - additional permission of the application which use your account   uncheck the permission  Access my data when I m not using the application offline access    Then face will book issue a new token when you log in to the application

User · Answer

I don t know when exactly the tokens expire  but they do  otherwise there wouldn t be an option to give offline permissions   Anyway  sometimes requiring the user to give offline permissions is an overkill  Depending on your needs  maybe it s enough that the token remains valid as long as the website is opened in the user s browser  For this there may be a simpler solution - relogging the user in periodically using an iframe  facebook auto re-login from cookie php  Worked for me

User · Answer

Yes  they do expire  There is an  expires  value that is passed along with the  access token   and from what I can tell it s about 2 hours   I ve been searching  but I don t see a way to request a longer expiration time

User · Answer

since i had the same problem - see the excellent post on this topic from ben biddington  who clarified all this issues with the wrong token and the right type to send for the requests   http   benbiddington wordpress com 2010 04 23 facebook-graph-api-getting-access-tokens

User · Answer

After digging around a bit  i found this   It seems to be the answer   Updated  11 April 2018    The token will expire after about 60 days  The token will be refreshed once per day  for up to 90 days  when the person using your app makes a request to Facebook s servers  All access tokens need to be renewed every 90 days with the consent of the person using your app       Facebook change announce  10 04 2018   Facebook updated token expiration page  10 04 2018   offline access  Enables your application to perform authorized requests on behalf of the user at any time  By default  most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application  This permission makes the access token returned by our OAuth endpoint long-lived   Its a permission value requested   http   developers facebook com docs authentication permissions  UPDATE  offline access permission has been removed a while ago   https   developers facebook com docs roadmap completed-changes offline-access-removal

User · Answer

You can always refresh the user s access token every time the user logs into your site through facebook  The offline access can t guarantee you get a life-long time access token  the access token changes whenever the user revoke you application access or the user changes his her password   Quoted from facebook http   developers facebook com docs authentication      Note  If the application has not requested offline access permission  the access token is time-bounded  Time-bounded access token also get invalidated when the user logs out of Facebook  If the application has obtained offline access permission from the user  the access token does not have an expiry  However it gets invalidated whenever the user changes his her password    Assume you store the user s facebook uid and access token in a users table in your database every time the user clicks on the  Login with facebook  button  you check the login statususing facebook Javascript API  and then examine the connection status from the response if the user has connected to your site  you can then update the access token in the table

[facebook] Do Facebook Oauth 2.0 Access Tokens Expire?

Examples related to facebook

Examples related to oauth