Facebook access token missing expiry property (after offline_access deprecations)

1
votes

I have a FB app that used to ask for offline_access permission. At some point I changed that and to use the 60 days valid access_tokens.

Now, I am storing in db the access token and the expiration time (that comes as an integer in ms along with it). Every time when a user is using the app and he still have a valid token (I check the expiry time) I try to extend that token (no more than once per day).

My problem is that I start getting new tokens without an expiry field. When I check some of those with the debugger it says that never expires.

How is that possible? Wasn't offline_access removed on 5th of December? How can I be sure that every time when I request an access token I get one with an expiry time?

1
facebookfacebook-graph-apifacebook-oauth

1 Answers

1
votes

Facebook still issues tokens that never expire if page access tokens are requested for the user as well.

The flow goes something like this (facebook responses in italics) :

  • Request initial user token
    • oauth token granted with expire time of 60 days from now
  • Request page tokens for pages the user is an adminitrator on
    • oauth tokens granted for all pages and user token is extended to never expire (unless revoked).

There isn't a lot of documentation on this on any of facebook's pages but I have tested this pretty extensively and it happens every time.