4

I have this code:

$facebook->api("/oauth/access_token?grant_type=fb_exchange_token&client_id=".$facebook->getAppId()."&client_secret=".$facebook->getAppSecret()."&fb_exchange_token=".$user->getFacebookAccessToken());

It does not throw any exception, but it returns null. I am trying to extend a short-lived Facebook User Access Token to be a long-lived Facebook User Access Token. However, after I generated a new token and called this request while the new token was still alive, I waited for a few hours and started a browser where I was not logged in with my Facebook account. Then I logged in with a test user (to the application, not to Facebook), but unfortunately it directed me to the Facebook login, which means that the Facebook User Access Token was somehow invalidated.

I was working based on the doc found here.

So, can someone enlighten me on how I should send the request so Facebook will really extend the token's life cycle? Also, I am not sure how I can determine whether I have successfully extended the life cycle of a Facebook User Access Token. (I am not a Facebook fan, to say the least, and I am new to the Facebook API too.)

Thanks, guys.

EDIT: I have read this article and copied the setExtendedAccessToken method into my class with a few modifications to support my logic. Now the code which tries to extend the life cycle of the User Facebook Access Token is as follows:

$facebook->setExtendedAccessToken($user->getFacebookAccessToken());

Now it returns an array of two elements, the token and the expiry date. The expiry date is "5174078". I believe I am on the right track to solve this problem, am I?

Lajos Arpad
  • Some of your question doesn't quite make sense - the token, if extended correctly, should remain valid for about 60 days and the expiry time should be in the response from the token extend endpoint. Where are you storing your extended token? Are you sure you're using the same token for the same user, and not accidentally calling getAccessToken() in your PHP code when there are no Facebook cookies set? – Igy Jul 16 '13 at 00:17
  • Well, thank you for your observations, I will try to add more sense to my questions. I know the extended token should remain valid for a long time. I am storing the Facebook User Access Token in the database associated to the user, so yes, I am sure I am using the same access token for the same user. I believe you that the expiry time should be in the response, but I get null as the response, so I think something is wrong. My question is: if the parameters are correct, should my code work well (extend the token and return the extended token)? – Lajos Arpad Jul 16 '13 at 00:41
  • When you extend the short-lived token (1-2 hours validity) you received from the JavaScript SDK, you should get a response containing the updated token and its expiry or an error message; if you receive null, you may be silently ignoring an error somewhere. You can't extend a code you created using the server side flow or extend an already-exchanged token in case that's what you're trying to do. You need the user to return while logged into FB. Overall, you should be able to get and store the token, then bootstrap the SDK with that token when your user returns (`$facebook->setAccessToken()`) – Igy Jul 16 '13 at 00:46
  • I am using the PHP SDK. The user is logged in to Facebook in my tests and has a valid Facebook User Access Token already. I just try to extend it, but with little success. I am not silently ignoring errors. – Lajos Arpad Jul 16 '13 at 00:55
  • Also, I do not really understand how this works. If the user is not logged in to Facebook, then he has to log in? I have read that the Facebook User Access Token is a temporary password. So if it is not expired, then why should the user log in to Facebook if we already have a temporary password? The Facebook documentation was not much help either. – Lajos Arpad Jul 16 '13 at 01:07
  • @Igy, I have edited my question to add more sense to it. – Lajos Arpad Jul 16 '13 at 01:44

2 Answers

4

Here's what I think you should be doing:

  1. An FB user, logged in, comes to your site and you get a short-lived token for them via the client side flow in the JavaScript SDK or a long-lived token via the server-side flow with the PHP or some other SDK (it appears you are doing the first of these already)
  2. If it was a short-lived token, extend it and get a long-lived token via the API call to exchange the token (it appears you're doing this too)
  3. Save long-lived token to your database (not sure if you're doing this)
  4. When the user comes back to your app at some other point, logs in to your app via your own login system, but is not logged in to Facebook, you use the cached token from your database in ->setAccessToken() and then make calls to the Facebook API on their behalf

I think step 4 is your problem; I suspect you're seeing the user is logged out of Facebook and sending them through the Facebook auth process again instead of having them log into your app via your own login mechanism, and reusing the token you stored before.

This is perfectly fine, but in that case there's no need for you to store the tokens, and you could do this all 'live' and require your users to be still logged into Facebook to fetch a new token 'live' instead of caching the token you obtained on their previous visit to your app.

Igy
  • Thanks for the answer. In the meantime I have found a few bugs in our version of the SDK, probably some hacks by a colleague. These problems were preventing the correct behavior of the site towards Facebook. So, it is most likely a local bug. However, token extension is deactivated currently, as even with the short-lived token we have problems. I will sort out the bugs and then will come back with more information. Thanks again. – Lajos Arpad Jul 17 '13 at 02:28
1

Just as an FYI, 'cause I've been stumbling around with access tokens for the last 45 minutes. Via Facebook's documentation: https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/

which seems to be a little dated, I was able to manually extend my existing short-lived access token with:

https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN

kyle
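One way to build the exchange request from the answers above and to check whether the extension actually succeeded, added here as an example (not code from the posters or from the Facebook PHP SDK). The function names are hypothetical, the response bodies are constructed samples, and the two body formats handled (form-encoded `expires` and JSON `expires_in`) are an assumption about what the endpoint returns.

```php
<?php
// Added example; function names are hypothetical, not part of the Facebook PHP SDK.
// The URL carries client_secret: build and call it server-side only, never log it.
function buildExchangeUrl(string $appId, string $appSecret, string $shortToken): string
{
    // http_build_query() percent-encodes each value, unlike string concatenation.
    return 'https://graph.facebook.com/oauth/access_token?' . http_build_query([
        'grant_type'        => 'fb_exchange_token',
        'client_id'         => $appId,
        'client_secret'     => $appSecret,
        'fb_exchange_token' => $shortToken,
    ]);
}

// Assumption: the body is form-encoded ("access_token=...&expires=...") or JSON
// with "expires_in". Errors and empty bodies raise instead of yielding null.
function parseExchangeResponse(string $body, int $now): array
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        parse_str($body, $data);
    }
    if (isset($data['error'])) {
        $msg = is_array($data['error']) ? ($data['error']['message'] ?? 'unknown') : (string) $data['error'];
        throw new RuntimeException('Token exchange failed: ' . $msg);
    }
    if (empty($data['access_token'])) {
        throw new RuntimeException('Token exchange returned no access_token');
    }
    $ttl = (int) ($data['expires'] ?? $data['expires_in'] ?? 0);
    return [
        'access_token' => $data['access_token'],
        'expires_at'   => $ttl > 0 ? $now + $ttl : null,   // store this next to the token
        'days_left'    => $ttl > 0 ? round($ttl / 86400, 1) : null,
        'long_lived'   => $ttl > 7 * 86400,                // short-lived tokens last hours
    ];
}

// Constructed inputs; no network request is made.
$now = 1373933820;
echo buildExchangeUrl('APP_ID', 'APP_SECRET', 'short+token/with=chars'), "\n";
$ok = parseExchangeResponse('access_token=CONSTRUCTED_TOKEN&expires=5174078', $now);
printf("%s days left, long-lived: %s\n", $ok['days_left'], $ok['long_lived'] ? 'yes' : 'no');
foreach (['', '{"error":{"message":"constructed error","type":"OAuthException"}}'] as $bad) {
    try {
        parseExchangeResponse($bad, $now);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

With the expiry value quoted in the question (5174078 seconds), the parser reports 59.9 days left, which matches the roughly 60-day lifetime mentioned in the comments.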