6
votes

Facebook Permissions page states the following about offline_access:

Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when they are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.

Then I read this topic http://developers.facebook.com/docs/authentication/

Tried this:

https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE

This URL, without the offline_access permission, responds like this:

access_token=.....&expires=5462

But with the offline_access permission it responds with just access_token. I don't get this; Facebook says it's long-lived, but how long-lived?

How can I learn when an access token with the offline_access permission expires?

4
Please take note this support will be deprecated soon. On October 3, 2012, the offline_access permission will be removed. - ajreal

4 Answers

7
votes

Facebook introduced a new endpoint that allows developers to extend a generic access token (~2 hour lifespan) to a 60 day token. It's as simple as sending an HTTP GET to:

https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN

The response is a bit wonky (compared to their normal JSON response), so be prepared to parse the response. I chose PHP's parse_url function.

// URL to request (note: make sure you pass in the correct values for your app
// and the user access token you'd like to exchange).
// http_build_query() URL-encodes each value.
$url = 'https://graph.facebook.com/oauth/access_token?' . http_build_query(array(
    'client_id'         => $fb_app_id,
    'client_secret'     => $fb_app_secret,
    'grant_type'        => 'fb_exchange_token',
    'fb_exchange_token' => $access_token,
));

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
// keep certificate verification on: this request carries the app secret
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$response = curl_exec($ch);
if ($response === false) {
    die('token exchange failed: ' . curl_error($ch));
}

curl_close($ch);

// parse response (query-string format: access_token=...&expires=...)
parse_str($response, $token_data);

// exchanged token
$access_token = $token_data['access_token'];

echo 'exchanged access token: ' . $access_token;

Once you have the exchanged token, head over to the Facebook Access Token Debugger to check that your code is working properly. If properly exchanged, the expiration date should be 60 days from the current date.

https://developers.facebook.com/tools/debug

If you're worried about your access tokens expiring, you can check the expiration at runtime and call for a new 60 day access token if the expiration time is approaching. A less efficient (but easier) method would be to exchange your token every time a user visits.
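The runtime expiry check described in the answer above, as an added example that is not part of the original answer: it parses the query-string response (`access_token=...&expires=...`), records an absolute expiry time, and reports when the token is close enough to expiry to exchange again. The function names, the 7-day renewal window and the sample responses are assumptions constructed for illustration.

```php
<?php
// Added example (not from the original answer). Function names, the renewal
// window and the sample responses below are constructed for illustration.

// Parse a token response in query-string form into the token and an absolute
// expiry timestamp. 'expires' is a lifetime in seconds; when it is absent
// (as the question reports for offline_access), expires_at is null.
function parse_token_response($body, $now)
{
    parse_str(trim($body), $fields);
    if (empty($fields['access_token'])) {
        throw new RuntimeException('no access_token in response');
    }
    $expires_at = null;
    if (isset($fields['expires']) && ctype_digit($fields['expires'])) {
        $expires_at = $now + (int) $fields['expires'];
    }
    return array('access_token' => $fields['access_token'],
                 'expires_at'   => $expires_at);
}

// True when the stored token should be exchanged for a fresh one.
function needs_renewal(array $token, $now, $window = 604800) // 7 days
{
    if ($token['expires_at'] === null) {
        return false; // no expiry reported; rely on handling API errors
    }
    return ($token['expires_at'] - $now) <= $window;
}

$now = 1350000000; // fixed clock so the output is reproducible

$samples = array(
    'short-lived'    => 'access_token=CONSTRUCTED_A&expires=5462',
    'exchanged'      => 'access_token=CONSTRUCTED_B&expires=5184000',
    'offline_access' => 'access_token=CONSTRUCTED_C',
);

foreach ($samples as $label => $body) {
    $token = parse_token_response($body, $now);
    printf("%-15s expires_at=%s renew=%s\n",
        $label,
        $token['expires_at'] === null ? 'none' : gmdate('c', $token['expires_at']),
        needs_renewal($token, $now) ? 'yes' : 'no');
}
```

Store `expires_at` next to the token and run the check before each API call; the loop prints only the expiry and the decision, so the token value itself stays out of logs.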

4
votes

Access tokens returned when using the offline_access permission never expire.

Edit: According to the documentation the tokens are 'long-lived'. I'm assuming you will just have to handle the scenario where they no longer work (if that even happens).

2
votes

The token will expire, according to the new policy on Facebook: https://developers.facebook.com/roadmap/offline-access-removal/#extend_token

offline_access is no longer there anymore!

=[

2
votes

The offline_access permission is deprecated and has been removed as of December 5th, 2012. The access tokens will now need to be periodically renewed. The flow is detailed here.

The deprecation roadmap is here.