Extending facebook access token after 60 days

10
votes

Is it possible to extend the 60 day access token? I read somewhere that when a user visits your site it can be extended? (for another 60 days)? Will this be the same token or a new token entirely?

I basically want offline_access like it used to be. I have a small jquery script that displays the user's facebook wall on their own site.

I also read this:

""You will need to get the user to reauthenticate again within 60 days to grab a new token." --- nope. As long as there is publish_stream permitted - you don't need user's tokens ever. Until user deletes the application from apps list - you can post the messages, even after 100 years. So, no, there is no reason to persist any token additionally to application key and secret – zerkms Apr 5 at 9:02"

Is this true? Obviously I do not need publish permissions, I only want read stream permissions.

--Update:

Quote from FB:

"If you would like to refresh a still valid long-lived access_token, you will have to get a new short-lived user access_token first and then call the same endpoint below. The returned access_token will have a fresh long-lived expiration time, however, the access_token itself may or may not be the same as the previously granted long-lived access_token"

So how exactly do you get an entirely new token? FB.login method simply returns the existing (non-expired) token. Any ideas?

4
phpjqueryfacebookauthorizationdeprecated
I hope @zerkms has tested and verified his "100 year" statement... ;-Pdeceze

4 Answers

3
votes

For extending access token expiry date use,

https://graph.facebook.com/oauth/access_token?             
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN

For more details take a look on http://developers.facebook.com/roadmap/offline-access-removal/

2
votes

No. You can not extend the token pass the 60 days, you can only extend short lived tokens and when you do that you get a long lived one which is 60 days.

You can also have all the permissions but unless you have a valid access token then you can not make api requests (well, you can but will get an exception).

I'm not sure how you get the 60 days token, if it's client side (and then extending it) or the server side, but according to the Removal of offline_access permission official post:

Scenario 3: Server-side OAuth Developers

...

If the call is made while there is still a valid long-lived user access_token for that user, the returned user access_token from this second call may be the same or may have changed, but in either case the expiration time will be set to a long expiration time.

Or

Scenario 4: Client-side OAuth and Extending Access_Token Expiration Time through New Endpoint

....

Please note, the endpoint can only be used to extend the short-lived user access_tokens. If you pass an access_token that had a long-lived expiration time, the endpoint will simply pass that same access_token back to you without altering or extending the expiration time.

...

1
votes

You can use the following code using the PHP SDK

$extendedToken = $facebook->setExtendedAccessToken();
$token = $facebook->getAccessToken();
print_r($token);

After the user has logged in and has provided you with the required permissions. You can also the retrieve other extended access tokens, like for Page, after simply using Graph API call

$facebook->api('<PAGE_ID>?fields=access_token');

This will return the extended access token for the Page. Provided you have asked for manage_page permission.

0
votes

Sujathan is correct - there is a Facebook page documenting what to do since the change: http://developers.facebook.com/roadmap/offline-access-removal/

Send a get request to the following url:

https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN

Also, it looks like this is a duplicate: How to extend access token validity since offline_access deprecation