4
votes

This topic is extremely hard to Google for because of some unfortunate terminology choices, so here's a quick clarification before I ask my question:

Facebook accounts (i.e. a person's top-level, personal account) can have sub accounts (companies, brands, celebrities, etc.) which Facebook unfortunately calls "accounts". The endpoint for interacting with these "accounts" is at [user id]/accounts. For the purposes of this question, I'll refer to these as "sub-accounts".

FACEBOOK STATEMENTS & ACTUAL OBSERVATIONS:

Facebook, in this post (https://developers.facebook.com/roadmap/offline-access-removal/), says a few things:

  1. That there are two types of access_tokens: "the long-lived user access_token will be valid for 60 days while the short-lived user access_tokens are currently valid from 1 to 2 hours" ACTUAL OBSERVATION: Seems true. My app only does server-side, so I can't confirm the short type.

  2. "if the access_token is generated from a server-side OAuth call, the resulting access_token will have the longer expiration time by default" ACTUAL OBSERVATION: My server-side app does produce longer, 60-day expirations.

  3. "When requesting an extended access_token from... https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN ...if you pass an access_token that had a long-lived expiration time, the endpoint will simply pass that same access_token back to you without altering or extending the expiration time" ACTUAL OBSERVATION: This is not true in my case. When I pass the original 60-day token, I get a different token back. Furthermore, the new, different token does not work at all. The FB endpoint returns an authentication failure when attempting to use it.

  4. "When a user grants an app the manage_pages permission, the app is able to obtain page access tokens for pages that the user administers by querying [User ID]/accounts... By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire." ACTUAL OBSERVATION: The page access tokens my app retrieves (using the original, root, 60-day token) ARE expiring after 60 days when they should be infinite. Per #3, I can't try this with the new, different (supposedly extended) access token because it is invalid.

QUESTIONS:

  1. My server-side request produces tokens that are valid for 60 days. Requesting an extended token should echo the same token back, but doesn't. Why not?

  2. The new, different token I'm getting back doesn't work at all. Why not?

  3. If the original access tokens my app gets are the long, 60-day type, then the PAGE access tokens I retrieve with them should be non-expiring. But they do expire. Why?

Any help would be much appreciated!!!


Note to moderators: Before disabling this question for not being "code-oriented" enough, Facebook points all questions to Stack Exchange. https://developers.facebook.com/support/ If I can't ask this question here, then where would I ask it?


UPDATE: The officially-supported way of checking a token for validity is as follows:

graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app-token-or-admin-token}

When I use this method, the app tokens I've got for my users show an expiration of "0" as they should. So I guess they are infinite. It's impossible for me to know for sure until 60 days have passed whether FB is telling the truth with "expires":0.

2
Did you ever figure out if the Page level tokens expire? Facebook's API documentation suggests that, but it's not 100% clear - NullReference
I think the "UPDATE" section did the trick. My app is no longer active so I can't say for sure, but I think they did not expire. - fivedogit
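The debug_token check from the question's UPDATE can be turned into a server-side expiry audit instead of waiting 60 days to see what happens. The sketch below is an added example, not code from the post or from Facebook; it assumes the response carries `is_valid` and `expires_at` under `data` (the post only shows "expires":0), and the sample responses, token strings, one-week renewal window and helper names are constructed for illustration.

```python
import json
from urllib.parse import urlencode

GRAPH_DEBUG = "https://graph.facebook.com/debug_token"
WARN_SECONDS = 7 * 24 * 3600   # assumed renewal window: one week
NOW = 1_500_000_000            # constructed "current time" so the example is deterministic

def build_debug_url(input_token, app_token):
    """Build the debug_token URL with both tokens percent-encoded (no stray spaces)."""
    return GRAPH_DEBUG + "?" + urlencode(
        {"input_token": input_token, "access_token": app_token})

def classify(body, now):
    """Map one debug_token JSON body to a token lifecycle state."""
    doc = json.loads(body)
    if "error" in doc:                      # request itself was rejected
        return "error"
    data = doc.get("data", {})
    if not data.get("is_valid", False):     # revoked, expired or malformed token
        return "invalid"
    expires_at = data.get("expires_at")     # assumed field name; 0 means no expiry
    if expires_at is None:
        return "unknown"
    if expires_at == 0:
        return "never-expires"
    remaining = expires_at - now
    if remaining <= 0:
        return "expired"
    return "renew-soon" if remaining <= WARN_SECONDS else "ok"

# Constructed sample responses (not captured from a real app).
SAMPLES = {
    "page": json.dumps({"data": {"type": "PAGE", "is_valid": True, "expires_at": 0}}),
    "user-60d": json.dumps({"data": {"type": "USER", "is_valid": True,
                                     "expires_at": NOW + 60 * 86400}}),
    "user-3d": json.dumps({"data": {"type": "USER", "is_valid": True,
                                    "expires_at": NOW + 3 * 86400}}),
    "revoked": json.dumps({"data": {"is_valid": False}}),
    "bad-call": json.dumps({"error": {"type": "OAuthException", "code": 190}}),
}

def audit(samples, now):
    """Return {label: state} so a scheduled job can alert on anything not ok."""
    return {label: classify(body, now) for label, body in samples.items()}

if __name__ == "__main__":
    for label, state in audit(SAMPLES, NOW).items():
        print(f"{label:10s} {state}")
```

Because the app token travels in the query string, keep the built URL out of access logs and error reports, and run the audit only from the server.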

2 Answers

1
votes

First post, bear with me.

Taken from: https://developers.facebook.com/docs/facebook-login/access-tokens/

Even the long-lived access token will eventually expire. At any point, you can generate a new long-lived token by sending the person back to the login flow used by your app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token - how this appears to the person will vary based on the type of login flow that you are using, for example if you are using the JavaScript SDK, this will take place in the background, if you are using a server-side flow, the browser will quickly redirect to the Login Dialog and then automatically and immediately back to your app again.

After doing the above you will obtain a new short-lived token and then you need to perform the same exchange for a long-lived token as above.

When you try to extend a long-lived token, Facebook will send you a short-lived refresh token. When you get this refresh token, it can be used the same way the tokens from the login flow are used to get another extended token from Facebook.

For your third question, Page access tokens have to use the Page admin's user token in order for you to be able to receive authorization on behalf of the Page. Check your app permissions regarding re-authentication if you're having problems refreshing the Page token.

0
votes

No, you can't get a long-lived access token, as they will expire after some time. Recently Facebook upgraded their Graph API to version v2.9, in which one can only extend its life to 60 days using the API below:

https://graph.facebook.com/oauth/access_token?client_id={your-client-id}&client_secret={client-secret}&grant_type=fb_exchange_token&fb_exchange_token={previous-access-token}