Tuesday, March 27, 2012

Facebook access tokens and offline access deprecation

Uh oh, Facebook's changing things again...

Facebook recently announced the deprecation of the offline_access permission. So the most frequently asked question is "How do I get a token I can use when the user is not logged in?"

So, please add this to your FAQ.

How do I get a token for offline access?

Fairly simple. When the user is logged into your app, take their current access token (usually this one expires in an hour or so) and pass it as a query string parameter to a specific URL.

That URL is:

https://graph.facebook.com/oauth/access_token?
    client_id=[APP_ID]&
    client_secret=[APP_SECRET]&
    grant_type=fb_exchange_token&
    fb_exchange_token=[EXISTING_ACCESS_TOKEN]


Replace [APP_ID], [APP_SECRET] and [EXISTING_ACCESS_TOKEN] with your application's values and the current access token. The response from Facebook will contain a 60-day access token.
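A server-side sketch of the exchange described above, added here as an example and not code from the original post or from Facebook. It builds the URL, masks the secret-bearing parameters before anything is logged, and checks the `expires` value instead of assuming 60 days. The function names and the 30-day `min_lifetime` threshold are assumptions; the response shape is the form-encoded `access_token=...&expires=...` quoted in the comments on this page.

```python
import time
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

EXCHANGE_ENDPOINT = "https://graph.facebook.com/oauth/access_token"  # from the post
SENSITIVE = {"client_secret", "fb_exchange_token", "access_token"}
SIXTY_DAYS = 60 * 24 * 3600  # 5184000, the "expires" value quoted in the comments


def build_exchange_url(app_id, app_secret, short_token):
    """Build the exchange URL. Use it server-side only: it carries the app secret."""
    params = {
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "fb_exchange_token",
        "fb_exchange_token": short_token,
    }
    return EXCHANGE_ENDPOINT + "?" + urlencode(params)


def redact_url(url):
    """Mask secrets before the URL reaches logs or error reports."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def parse_exchange_response(body, now=None, min_lifetime=SIXTY_DAYS // 2):
    """Parse 'access_token=...&expires=...' and report whether it was extended.

    min_lifetime is an assumed threshold (30 days), not a Facebook constant.
    Raises ValueError on anything that is not the expected form-encoded body.
    """
    fields = parse_qs(body, strict_parsing=True)
    if "access_token" not in fields or "expires" not in fields:
        raise ValueError("unexpected response: missing access_token or expires")
    lifetime = int(fields["expires"][0])
    now = time.time() if now is None else now
    return {
        "access_token": fields["access_token"][0],
        "expires_at": int(now) + lifetime,   # store this next to the token
        "extended": lifetime >= min_lifetime,
    }


if __name__ == "__main__":
    # Placeholder credentials; response bodies are the two quoted in the comments.
    print(redact_url(build_exchange_url("APP_ID", "APP_SECRET", "EXISTING_ACCESS_TOKEN")))
    for body in ("access_token=ACC_TOK&expires=5184000",
                 "access_token=AAAEHLUxxx...xx&expires=4404"):
        print(parse_exchange_response(body)["extended"])
```

Storing `expires_at` alongside the token lets the app prompt the user to return before the token lapses, since an extended token cannot itself be exchanged again.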

Why is Facebook making it hard?

In my opinion, I believe it is to reduce the number of spammy apps. Facebook says it's to drive more traffic to your app and also to ensure that your app is relevant and important to the user. I've heard of Facebook also wanting to ensure that the apps become less independent and more dependent on user interaction. Most developers do hope that their app is relevant and useful to the user. And most developers are not trying to spam. However, because of the naughty ones, the rest of us, who want to do something like making it easier for marketers to schedule posts in advance, have to suffer.

Can I exchange my 60-day access token for a new 60-day access token?

No, sorry, you cannot. You can only exchange a valid (meaning current) user access token for an extended one. You cannot extend an already extended access token.

Final thoughts

So with this knowledge, we need to make our apps more engaging and let the user know they will need to visit fairly often. For those apps that do automated work with no user interaction, this means someone will have to manually get a 60-day token (I prefer to use the Facebook Graph API Explorer Tool) and plug it into their application via refreshable settings, as opposed to hard-coding it in compiled apps.

6 comments:

  1. Is this still working for you? I noticed yesterday our original tokens stopped being good for 60 days and so I implemented this. But the response I get back is still only good for around 2 hours, i.e. this:

    access_token=AAAEHLUxxx...xx&expires=4404

    Replies
    1. I went to the Graph API Explorer tool (http://developers.facebook.com/tools/explorer) and got a normal access token. Expires in about an hour according to the linter tool (https://developers.facebook.com/tools/debug). So I use the fb_exchange_token link and exchanged it. The full JSON response looked like "access_token=ACC_TOK&expires=5184000". I took that extended access token to the linter and the linter tells me that this new access token works for 60 days. Their exact wording is: "1339270558 : about 2 months left"

  2. Mmm, what about a logged-out user!? Does this token work only for a logged-in user? Facebook makes my life hard!!

  3. I keep getting an invalid Callback error. Using the exact URL listed above with my app ID, secret and a valid access token.

    Any ideas how to fix?

    Replies
    1. Usually this is caused by a configuration issue. Try the same order of operations via Facebook's Graph Explorer tool, making sure you select your app from the drop-down.
