-1

I have posted this question in the Facebook Developer Group but no one could give a complete answer. I have a Facebook application which uses server-side authentication. The code looks like this:

    $config = array();
    $config['appId'] = $fbconfig['appid'];
    $config['secret'] = $fbconfig['secret'];
    $config['fileUpload'] = false; // optional

    $facebook = new Facebook($config);

    // Facebook authentication part

    $mobile = false;
    $code = false;
    // Pick up the authorization code Facebook appends to the redirect
    if (isset($_GET["code"]) && !empty($_GET["code"]) && strlen($_GET["code"]) > 1) {
        $code = trim($_GET["code"]);
    }

    // MOB VAR
    if (isset($_REQUEST['mob']) && !empty($_REQUEST['mob'])) {
        $mobile = true;
    }

    if ($mobile) {
        $loginUrl = $facebook->getLoginUrl(
            array(
                'redirect_uri' => $fbconfig['baseUrl'].$loginpart,
                'scope' => 'email,user_likes'
            )
        );

        // $code comes from the request, so it is URL-encoded before being placed in the query string
        $token_url = "https://graph.facebook.com/oauth/access_token?client_id=".APP_ID."&redirect_uri=".urlencode($fbconfig['baseUrl'].$loginpart)."&client_secret=".$fbconfig['secret']."&code=".urlencode($code);
    } else {
        $loginUrl = $facebook->getLoginUrl(
            array(
                'redirect_uri' => $fbconfig['appBaseUrl'].$loginpart,
                'scope' => 'email,user_likes'
            )
        );

        $token_url = "https://graph.facebook.com/oauth/access_token?client_id=".APP_ID."&redirect_uri=".urlencode($fbconfig['appBaseUrl'].$loginpart)."&client_secret=".$fbconfig['secret']."&code=".urlencode($code);
    }

    if ((!isset($_GET['code']) || empty($_GET['code']))) {
        // No code yet: send the user to the Facebook login dialog
        echo "<script type='text/javascript'>top.location.href = '$loginUrl';</script>";
        exit;
    } else {
        if ($code) {
            // Exchange the code for an access token
            $response = file_get_contents($token_url);

            $params = null;
            parse_str($response, $params);
            $access_token = $sessionKey = $AccessToken = $params['access_token'];

            if (isset($AccessToken) && !empty($AccessToken)) {
                if (isset($params['expires'])) {
                    $ExpDate = $params['expires'];

I shortened the code not to annoy You.


THE PROBLEM

For some reason the code returns short $ExpDate which can be from 3000 seconds to 7000 seconds. This happens not for all users but to 10%-15% of them.

What I have tried

  • Despite the fact that Facebook should return a long-living access_token, I tried to exchange it with the /oauth/access_token? URL. No result: it returns the same expire time.
  • I tried to catch the $_SERVER['HTTP_USER_AGENT'] to find out what the users with short-living access_tokens have in common. No result: everything is different (they can be from a mobile device, desktop, the iOS native Facebook app...).
  • I changed my settings from privacy settings to every possible version, and installed and removed the application many times trying to reproduce the situation. No result: for me it works perfectly.
  • I saved the code of the user and tried to get the access_token manually. I was not able to do that as I had forgotten that the codes can be used only one time.

How can You Guys Help

  • If someone has the same authentication method please check your database. Do you have the same problem?
  • If someone has an idea why this could happen, please help to find the reason.
  • If we find out that this is a bug, we can create a bug report on Facebook.

Thank you.

1 Answer

0

The behavior you're seeing is correct.

You're currently exchanging your code for a short-lived access token - which is required. Since Facebook removed the offline_access permission, the only way to get a longer lived access token is to exchange your short-lived access token for a long-lived access token.

Please see the article on removal of offline_access, specifically Scenario 4, which relates to OAuth. This is where they introduced the concept of long-lived access tokens and tell you how to get one.

The short story to accomplish this is to take your short-lived access token - say AQADEADBEEF and GET this...

https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id={client_id}&client_secret={client_secret}&fb_exchange_token=AQADEADBEEF

Notice the 4 parameters: grant_type, client_id, client_secret, and fb_exchange_token. The URL is the same as when you gained your original access token, but the parameters are a bit different. Insert your client_id and client_secret as appropriate.

You'll then get an access token with a much longer expiration time - 90 days I believe. Facebook is quite ambiguous about the length of any access token. You'll only know the expiration when you get it. The long-lived access token will still expire and Facebook currently offers NO way to renew it.

Andy Jones
  • Yervand, I seriously doubt you read my answer. You are NOT exchanging your short-lived access token (which you are obtaining) for a long-lived access token. This is nowhere in the wall of text you posted. Your comment is rude, your wall of text question is not concise, and you have the audacity to dismiss an answer that you received for FREE. Consider your etiquette. – Andy Jones May 27 '13 at 21:22
  • I've expanded on my answer to help clarify some concepts - if you'd like to engage in a constructive dialog, happy to do so. – Andy Jones May 27 '13 at 21:36
  • Dear Andy, have you read this paragraph: 'Despite the fact Facebook should return long-living access_token I tried to exchange it with the /oauth/access_token? url. No result:it returns the same expire time.'? If you had read the whole question, trying to help and not to gain score, you would understand that I have done the thing you told. – Yervand Khalapyan May 28 '13 at 09:23
  • Where is the code for that? Neither of your `$token_url` strings are for a long-lived access token. They are both for trading your `$code` for a short-lived access token. – Andy Jones May 28 '13 at 17:38
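
The second step the answer describes (trading the short-lived token for a long-lived one with `grant_type=fb_exchange_token`), as an added PHP example that is not code from the question or the answer. The function names, placeholder credentials and sample response bodies are constructed for illustration, and it assumes the form-encoded `access_token=...&expires=...` response that the question's code reads with `parse_str()`.

```php
<?php
// Added example: exchange_url(), parse_token_response() and to_long_lived() are hypothetical names.

// Build the fb_exchange_token request from the answer. http_build_query()
// URL-encodes every value, so a token or secret cannot inject extra parameters.
function exchange_url($clientId, $clientSecret, $shortToken) {
    return 'https://graph.facebook.com/oauth/access_token?' . http_build_query(array(
        'grant_type'        => 'fb_exchange_token',
        'client_id'         => $clientId,
        'client_secret'     => $clientSecret,
        'fb_exchange_token' => $shortToken,
    ));
}

// Parse a form-encoded token response.
// Returns array('token' => string, 'expires' => int seconds or null), or null on failure.
function parse_token_response($body) {
    $params = array();
    parse_str(trim((string) $body), $params);
    if (empty($params['access_token'])) {
        return null; // error body or failed request: never store an empty token
    }
    $expires = (isset($params['expires']) && ctype_digit($params['expires']))
        ? (int) $params['expires'] : null;
    return array('token' => $params['access_token'], 'expires' => $expires);
}

// Exchange a short-lived token. $fetch is any callable that takes a URL and
// returns the response body (file_get_contents in production, a stub here).
function to_long_lived($clientId, $clientSecret, $short, $fetch) {
    $body = $fetch(exchange_url($clientId, $clientSecret, $short['token']));
    $long = parse_token_response($body);
    return $long === null ? $short : $long; // keep the short-lived token if the exchange fails
}

// Constructed sample data, no network access.
$short = parse_token_response('access_token=AQADEADBEEF&expires=5183');
$stub  = function ($url) { return 'access_token=CONSTRUCTED_LONG_TOKEN&expires=5184000'; };
$long  = to_long_lived('APP_ID_PLACEHOLDER', 'APP_SECRET_PLACEHOLDER', $short, $stub);

// Store the absolute expiry next to the token: the answer notes the long-lived token still expires.
$extended = $long['expires'] > $short['expires'];
printf("short-lived: %d s, after exchange: %d s, extended: %s, expires at %s\n",
    $short['expires'], $long['expires'], $extended ? 'yes' : 'no',
    gmdate('c', time() + $long['expires']));
```

Because the request carries `client_secret`, this exchange belongs on the server only, and the full URL should be kept out of logs and error messages.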