
Do Facebook Oauth 2.0 Access Tokens Expire?

I am playing around with the Oauth 2.0 authorization in Facebook and was wondering if the access tokens Facebook passes out ever expire. If so, is there a way to request a long-life access token?

To add some details to this question: even offline_access tokens get invalidated when the user changes his/her Facebook password. So it's better to play safe and re-get a new access token if you receive errors when using the old one.
Yo guys, you all just simply rock. Whatever the question is, I just get it solved... Thank you all.
It looks like Facebook is deprecating the offline_access permission on May 1st. In the future all access tokens will expire when the "expire time" (60 days) has run out, the user changes his password, the user de-authorizes your app, or the user logs out. P.S. I'm not sure why Facebook is setting the new "expire time" to 60 days if access tokens will still expire on logouts (seems like users tend to log out well within 60 days). Maybe I'm missing something...
The access_token behavior is changing now, you should look up the July 2012 "Breaking Changes" -- the offline_access permission is being deprecated and the access_token will have a long life cycle.

iluvatar_GR

After digging around a bit, I found this. It seems to be the answer:

Updated (11/April/2018)

The token will expire after about 60 days.

The token will be refreshed once per day, for up to 90 days, when the person using your app makes a request to Facebook's servers.

All access tokens need to be renewed every 90 days with the consent of the person using your app.

Facebook change announcement (10/04/2018)

Facebook updated token expiration page (10/04/2018)

offline_access: Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when they are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.

It's a permission value that is requested.

http://developers.facebook.com/docs/authentication/permissions

UPDATE

The offline_access permission was removed a while ago.

https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/


In response to this, I started an open source library that may be of some use to you guys. It's an OAuth lib that aims to support all social networks with OAuth implementations. It already supports extended permissions including offline posting. code.google.com/p/socialoauth
Even offline_access tokens expire if the user changes their password on Facebook.
Unfortunately it's not a "clean" solution to the problem at hand. First of all, asking for this permission alerts the user to the additional permission (e.g. this application will be able to access your Facebook account at ANY time), which turns a LOT of potential clients off. Second of all, if the user changes his password, this token won't be valid. So there needs to be a better way (e.g. a refresh token) to get a new access_token, especially for rich-client ajax-driven web applications.
According to their api documentation offline_access will no longer be supported as of May 2, 2012.
@Tendrid Your library only supports Facebook and Twitter.
techhunter

Try this; maybe it will be helpful for you:

https://graph.facebook.com/oauth/authorize?
    client_id=127605460617602&
    scope=offline_access,read_stream,user_photos,user_videos,publish_stream&
    redirect_uri=http://www.example.com/

To get a lifetime access token you have to use scope=offline_access.

The meaning of scope=offline_access is:

Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when they are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived. But according to Facebook's planned upgrade, the offline_access functionality will be deprecated forever from the 3rd of October, 2012, and the user will be given a 60-day long-lived access token; before expiration of the access token Facebook will notify you, or you can build your own notification functionality by fetching the expiration value from the Facebook API.


I would like to inform you that Facebook has changed its API and now no lifetime token is available; offline access will now be active for 60 days.
Tripp Lilley

Note that Facebook is now deprecating the offline_access permission in favor of tokens for which you can request an "upgrade" to the expiry. I'm just now dealing with this, myself, so I don't have much more to say, but this doc may help:

https://developers.facebook.com/docs/offline-access-deprecation/


David Pope

I came here with the same question as the OP, but the answers suggesting the use of offline_access are raising red flags for me.

Security-wise, getting offline access to a user's Facebook account is qualitatively different and far more powerful than just using Facebook for single sign on, and should not be used lightly (unless you really need it). When a user grants this permission, "the application" can examine the user's account from anywhere at any time. I put "the application" in quotes because it's actually any tool that has the credentials -- you could script up a whole suite of tools that have nothing to do with the web server that can access whatever info the user has agreed to share to those credentials.

I would not use this feature to work around a short token lifetime; that's not its intended purpose. Indeed, token lifetime itself is a security feature. I'm still looking for details about the proper usage of these tokens (Can I persist them? How do/should I secure them? Does Facebook embed the OAuth 2.0 "refresh token" inside the main one? If not, where is it and/or how do I refresh?), but I'm pretty sure offline_access isn't the right way.


same doubts here david. did you find more information on how to secure tokens stored for offline access?
Facebook's docs are terrible, but I think the situation is that it's reasonably safe to persist access tokens NOT acquired with offline_access. While it's true that anyone who gets access to it (while the FB user is still logged in) may do anything for which the user has granted you permission, it's not that bad since the tokens are invalidated as soon as the user logs out of facebook anywhere. It's still a security hole (I find it odd that you don't have to supply your app secret on the /me requests), but it isn't open-ended. If anyone groks this better feel free to correct me.
TerryMatula

Yes, they do expire. There is an 'expires' value that is passed along with the 'access_token', and from what I can tell it's about 2 hours. I've been searching, but I don't see a way to request a longer expiration time.


If you request the 'offline_access' permission, the token won't expire.
@Brendan: But it will get invalidated as soon as the user change his/her Facebook password
@HoàngLong any reference to this?
z3cko

Since I had the same problem: see the excellent post on this topic from Ben Biddington, who clarified all these issues with the wrong token and the right type to send for the requests.

http://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/


imikay

You can always refresh the user's access token every time the user logs into your site through Facebook. Offline access can't guarantee you get a lifelong access token; the access token changes whenever the user revokes your application's access or the user changes his/her password.

Quoted from facebook http://developers.facebook.com/docs/authentication/

Note: If the application has not requested offline_access permission, the access token is time-bounded. Time-bounded access token also get invalidated when the user logs out of Facebook. If the application has obtained offline_access permission from the user, the access token does not have an expiry. However it gets invalidated whenever the user changes his/her password.

Assume you store the user's Facebook uid and access token in a users table in your database. Every time the user clicks on the "Login with Facebook" button, you check the login status using the Facebook JavaScript API, and then examine the connection status from the response; if the user has connected to your site, you can then update the access token in the table.
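The storage and refresh logic described in this answer, plus the advice earlier on the page to fetch a new token as soon as the old one errors, as an added example. This is not code from the original posts or from Facebook. It assumes the Graph API reports a dead token as a JSON body of the form {"error": {"type": "OAuthException", "code": 190, ...}} (the documented code for invalid or expired tokens; subcode 460 means the password changed, 463 expired, 467 invalid); the error body, the uid and the fixed "now" used below are constructed for the demonstration.

```python
"""Store a user's Facebook token with its expiry and decide when to re-authenticate.

Added example; not code from the original posts or from Facebook. Assumes the
Graph API error shape {"error": {"type": "OAuthException", "code": 190, ...}}
for a dead token. SAMPLE_EXPIRED_ERROR and EXAMPLE_NOW are constructed.
"""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

EXAMPLE_NOW = datetime(2018, 4, 11, tzinfo=timezone.utc)  # fixed clock for the demo
REFRESH_MARGIN = timedelta(days=7)   # renew well before expiry, not at it

# Constructed example of what a request made with an expired token returns.
SAMPLE_EXPIRED_ERROR = json.dumps({"error": {
    "message": "Error validating access token: Session has expired.",
    "type": "OAuthException", "code": 190, "error_subcode": 463}})


def expires_in(seconds, now=EXAMPLE_NOW):
    """Absolute expiry for a lifetime reported in seconds (e.g. 5184000 = 60 days)."""
    return now + timedelta(seconds=seconds)


class TokenStore:
    """One bearer token per Facebook uid.

    Whoever reads this table can act as the user from anywhere (the point made
    on this page about offline access), so treat it like a password table:
    encrypt the token column or keep it in a secrets store, restrict read
    access, and delete the row as soon as the token is known to be dead.
    """

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS fb_tokens ("
                        "uid TEXT PRIMARY KEY, token TEXT NOT NULL, expires_at TEXT)")

    def upsert(self, uid, token, expires_at):
        """Called on every 'Login with Facebook' so the freshest token wins."""
        exp = expires_at.isoformat() if expires_at is not None else None
        self.db.execute("INSERT OR REPLACE INTO fb_tokens (uid, token, expires_at) "
                        "VALUES (?, ?, ?)", (uid, token, exp))
        self.db.commit()

    def get(self, uid):
        row = self.db.execute("SELECT token, expires_at FROM fb_tokens WHERE uid = ?",
                              (uid,)).fetchone()
        if row is None:
            return None
        exp = datetime.fromisoformat(row[1]) if row[1] else None
        return {"token": row[0], "expires_at": exp}

    def delete(self, uid):
        self.db.execute("DELETE FROM fb_tokens WHERE uid = ?", (uid,))
        self.db.commit()


def needs_refresh(record, now=EXAMPLE_NOW):
    """True when there is no usable token or it expires within REFRESH_MARGIN.

    An unknown expiry counts as needing refresh: the page shows that even
    'non-expiring' tokens die on password change or de-authorization.
    """
    if record is None or record["expires_at"] is None:
        return True
    return now + REFRESH_MARGIN >= record["expires_at"]


def classify_graph_error(body):
    """'ok' for a normal response, 'reauth' when the token itself is dead,
    'other' for any other Graph API error (do not discard the token for those)."""
    data = json.loads(body)
    err = data.get("error")
    if err is None:
        return "ok"
    if err.get("type") == "OAuthException" and err.get("code") == 190:
        return "reauth"
    return "other"


def handle_api_response(store, uid, body):
    """Apply the classification: drop a dead token so the next login replaces it."""
    outcome = classify_graph_error(body)
    if outcome == "reauth":
        store.delete(uid)
    return outcome


if __name__ == "__main__":
    store = TokenStore()
    store.upsert("42", "USER_TOKEN", expires_in(5184000))  # constructed uid/token
    print("needs refresh now?", needs_refresh(store.get("42")))
    print("after expired error:", handle_api_response(store, "42", SAMPLE_EXPIRED_ERROR),
          "record:", store.get("42"))
```

Only a code-190 OAuthException discards the stored token; a permissions or rate-limit error leaves it in place, so a transient failure does not force every user back through the login dialog.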


MPaulo

Hit this to exchange a short-lived access token for a long-lived / non-expiring (pages) one:

https://graph.facebook.com/oauth/access_token?
    client_id=APP_ID&
    client_secret=APP_SECRET&
    grant_type=fb_exchange_token&
    fb_exchange_token=EXISTING_ACCESS_TOKEN

Sreekanth P

Log into your Facebook account and edit your application settings (Account -> Application Settings -> additional permissions of the application which uses your account). Uncheck the permission "Access my data when I'm not using the application (offline_access)". Then Facebook will issue a new token when you log in to the application.


Mr Tung

Basically the Facebook token expires in about an hour. But you can use the 'exchange' token to get a long-lived token: https://developers.facebook.com/docs/facebook-login/access-tokens

GET /oauth/access_token?
    grant_type=fb_exchange_token&
    client_id={app-id}&
    client_secret={app-secret}&
    fb_exchange_token={short-lived-token}
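The fb_exchange_token call shown in this answer and in the earlier one, carried through in code as an added example (not from the original posts or from Facebook). It assumes the endpoint the answers give, https://graph.facebook.com/oauth/access_token, and that the response body is either the form-encoded text older Graph API versions returned (access_token=...&expires=...) or the JSON newer versions return ({"access_token": ..., "token_type": "bearer", "expires_in": ...}). No network call is made: the parser is fed constructed response bodies, and the app id, secret and tokens are placeholders.

```python
"""Exchange a short-lived Facebook user token for a long-lived one.

Added example; not code from the original posts or from Facebook. Assumes the
endpoint from the answers and the two response formats described above.
All inputs and response bodies are constructed placeholders.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

GRAPH_TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"
# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
EXAMPLE_NOW = datetime(2018, 4, 11, tzinfo=timezone.utc)


def build_exchange_url(app_id, app_secret, short_lived_token):
    """Build the GET URL for grant_type=fb_exchange_token.

    The request carries the app secret, so send it from your server only,
    never from browser or mobile code where the secret would be exposed.
    urlencode() percent-escapes the token and secret so characters such as
    '|' or '&' inside them cannot break or alter the query string.
    """
    params = {
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_lived_token,
    }
    return GRAPH_TOKEN_ENDPOINT + "?" + urlencode(params)


def parse_exchange_response(body, now=EXAMPLE_NOW):
    """Parse the token endpoint's response into {"token", "expires_at"}.

    Accepts both body formats (assumed above). An error body raises instead of
    returning a half-filled record, and a missing lifetime is reported as
    expires_at=None rather than being treated as "never expires", so the caller
    has to decide explicitly how to handle a token of unknown lifetime.
    """
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
        if "error" in data:
            raise ValueError("exchange failed: %s" % data["error"].get("message"))
        token = data["access_token"]
        lifetime = data.get("expires_in")
    else:
        fields = parse_qs(body, strict_parsing=True)
        token = fields["access_token"][0]
        lifetime = fields.get("expires", [None])[0]
    expires_at = now + timedelta(seconds=int(lifetime)) if lifetime is not None else None
    return {"token": token, "expires_at": expires_at}


def seconds_until_expiry(record, now=EXAMPLE_NOW):
    """Seconds left on a parsed record, or None when the lifetime is unknown."""
    if record["expires_at"] is None:
        return None
    return int((record["expires_at"] - now).total_seconds())


if __name__ == "__main__":
    # Constructed JSON response with the 60-day lifetime (5184000 s) the page describes.
    sample = '{"access_token":"LONG_LIVED_TOKEN","token_type":"bearer","expires_in":5184000}'
    rec = parse_exchange_response(sample)
    print(build_exchange_url("APP_ID", "APP_SECRET", "SHORT_LIVED_TOKEN"))
    print(rec["token"], "expires in", seconds_until_expiry(rec) // 86400, "days")
```

Store the returned expires_at next to the token: the exchange gives you a lifetime, not an open-ended credential, and the page notes the token still dies early on password change, de-authorization or logout, so a request failing with an OAuth error must trigger a fresh login regardless of the stored date.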

martinedwards

This is a fair few years later, but the Facebook Graph API Explorer now has a little info symbol next to the access token that allows you to access the access token tool app, and extend the API token for a couple of months. Might be helpful during development.

https://i.stack.imgur.com/AX259.png


Sreekanth P

Check the following things when you interact with the Facebook Graph API.

1) The application connect URL should be the base of your "redirect_uri". Connect URL: www.x-minds.org/fb/connect/; redirect_uri: www.x-minds.org/fb/connect/redirect
2) Your "redirect_uri" should be the same in both cases (when you request a verification code and when you request an access_token): redirect_uri - www.x-minds.org/fb/connect/redirect
3) You should encode the argument when you request an access_token.
4) You shouldn't pass the argument (type=client_cred) when you request an access_token. The authorization server will issue a token without the session part. We can't use this token with the "me" alias in the Graph API. This token will have a length of 40, but a token with the session part will have a length of 81. An access token without the session part will work in some cases,

eg: https://graph.facebook.com/?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM. But the Graph API with the "me" alias will work only with a token that has the session part.


Community

I don't know when exactly the tokens expire, but they do, otherwise there wouldn't be an option to give offline permissions.

Anyway, sometimes requiring the user to give offline permissions is overkill. Depending on your needs, maybe it's enough that the token remains valid as long as the website is open in the user's browser. For this there may be a simpler solution: re-logging the user in periodically using an iframe: facebook auto re-login from cookie php

Worked for me...