Extending Facebook server-side access tokens gracefully

2k Views Asked by At

I have an application that used to use offline_access, which obviously needs changing since that's going away.

We use this permission to publish messages to the facebook wall of a user when they interact without our backend through any number of APIs. We have a website, several mobile applications on iPhone, Android, Blackberry, and Nokia phones that connect to the application, as well as a desktop application that interfaces with hardware devices and all of these can cause the backend to attempt to publish to facebook, but only the website allows the user to make the initial authorization with facebook.

From what I understand, using server-side authentication gets 60 day long tokens, and the only way to get new tokens is to redo the authentication process which assuming the user hasn't changed password, is logged into facebook, and hasn't de-authorized the application will appear as nothing but a series of automated redirects.

Is there any other way to do this? For example, what exactly does fb_exchange_token do? Is it applicable in this case or does this ONLY apply to tokens received via the javascript API?

Is there anything we can do for these non-website user interfaces aside from incorporate the native facebook APIs and do the same thing for as the website?


Attempting to use fb_extend_token was pretty fruitless. Rerunning the standard authentication returned the same token but with a fresh 60 day expiry time. Doing it again a short while later didn't extend the token. I'm hoping this means I can only do this once a day, not once per token.

2

There are 2 best solutions below

2
On BEST ANSWER

Since I was using the server-side flow and the keys would never be seen by the user I was able to rework my app slightly to use my APPLICATION token. These keys belong to your app and allow you to use the API on behalf of a user for as long as they haven't revoked their permission. The user authorization tokens can expire, but as long as the user hasn't explicitly removed your app from the apps they've allowed, your token will continue to allow you to post to the wall using a /user/ URL, the /me/ URLs won't work because your token is bound to your app.

9
On

I believe once the deprecation of offline_access is complete, obtaining/exchanging access tokens is the only way to do what you need.

Anyone who had offline access before the deprecation will still be able to use your application normally, for 60 days at least. Once this period is over, you have to re authorize users and extend their access tokens for another 60 days. To do this you have them log in, and authorize your app (if necessary). Then you extend their access token using fb_exchange_token, so it is good for 60 days.

I'm sure you have seen it, but it's all outlined in this article, more specifically the section about previously using offline_access. I also found this post useful for doing an upgrade. Here is another link that further details how to deal with invalid tokens.