1
votes

I use the Facebook server-side login flow to obtain a long-lived access token, which is valid for 60 days. Since I need access to the user's account all the time (i.e. I always need a valid access token), when the token is near expiration, I ask the user to reconfirm access to my application. The problem is that when the token is not yet expired, Facebook returns the very same token, with its validity not extended.

For example, a token just issued is valid for 60 days. In three days, the user reconfirms access to my application, but Facebook returns the same token, which is valid for 57 days only. I would like to obtain a fresh one (with 60 days validity) upon each confirmation.

On Stack Overflow, there are several questions about Facebook token validity; none of them, however, discusses this problem.

Thank you in advance.


1 Answer

3
votes

According to Facebook's documentation for extending access tokens, "Apps created from ... the server-side Login flow automatically get long-lived User Access Tokens. This long-lived token refreshes and extends each time the user triggers the auth flow."

Since this is not happening, you should file a bug with Facebook.

I would also recommend NOT checking for the access token expiration because an access token can expire for several reasons before the expiration date:

  • User changes password
  • You change your app secret
  • User deletes the app and then comes back to the app

Instead, you should just check for OAuth errors on every FB API call you make, and then redirect the user to the login flow if you detect an OAuth error, as described in this article on the Facebook Developers Blog on how to handle expired access tokens.
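A sketch of the check recommended in the answer above, added here as an illustration and not part of the original answer or of Facebook's code. It assumes the Graph API's JSON error envelope (`error.type`, `error.code`, `error.error_subcode`) with code 190 marking a rejected token; the login path and the sample response bodies are constructed.

```python
import json

# Subcodes that accompany code 190, named per Facebook's error reference.
REAUTH_SUBCODES = {
    458: "user removed the app",
    460: "user changed password",
    463: "token expired",
    467: "token invalid",
}

class ReauthRequired(Exception):
    """The stored token is unusable; the user must repeat the login flow."""
    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason

def check_graph_response(status, body):
    """Return the parsed payload, or raise if the API reported an error."""
    try:
        payload = json.loads(body)
    except ValueError:
        raise RuntimeError(f"non-JSON response (HTTP {status})") from None
    err = payload.get("error") if isinstance(payload, dict) else None
    if err is None:
        return payload
    code, sub = err.get("code"), err.get("error_subcode")
    if err.get("type") == "OAuthException" and code == 190:
        raise ReauthRequired(REAUTH_SUBCODES.get(sub, "token rejected"))
    # Any other API error is not a token problem; do not force a re-login.
    raise RuntimeError(f"Graph API error {code}: {err.get('message')}")

def handle_call(status, body, login_url="/login/facebook"):  # hypothetical path
    """Decide what a request handler does with the result of one API call."""
    try:
        return ("ok", check_graph_response(status, body))
    except ReauthRequired as exc:
        # Record the reason only; never write the token itself to logs.
        return ("redirect", login_url, exc.reason)

# Constructed sample responses (not captured from a real account).
SAMPLE_OK = '{"id": "1234567890", "name": "Example User"}'
SAMPLE_PW = ('{"error": {"message": "constructed", "type": "OAuthException",'
             ' "code": 190, "error_subcode": 460}}')
SAMPLE_OTHER = '{"error": {"message": "constructed", "code": 4}}'
```

Running every API response through one function like this covers early invalidation (password change, app removal, secret rotation) that a stored expiry date cannot predict.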