I am looking for the "correct" way to regularly poll Facebook to ensure the user's oauth token is still valid. I am using Facebook to validate the user's account into my own app. Their use of my app doesn't necessarily result in any Facebook graph calls, but I still need to know if the oauth token was invalidated since they logged into my app, e.g. by a Facebook password change.

Facebook has a page explaining how to handle invalidations: https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/ They also have a /me URL that can be hit at any time to see if the token is currently valid (e.g. per "Check if Ouath token is invalid"). But what is the right pattern and frequency to poll beyond the user's initial login?

I am considering a solution like:

BAD: Check the oauth token's validity on every request to my app. (too heavy, slows down every request, probably makes Facebook mad)

BETTER?: Check the oauth token's validity when the user makes a request to my app IF the oauth token hasn't been checked in more than X minutes

That last solution feels right, but I can't find any references to anyone else doing this.

Is this the best practice for polling oauth validity? Can anyone point to docs referring to this use case, or confirm you've solved this problem yourself?

Squirrel7

1 Answer


I would actually prefer using the method you suggested first. You don't need to poll the API to verify the integrity of a token -- if you try to execute an API call with an expired token, Facebook will return an appropriate error message. Just add a fail-safe to detect this to any calls you're making.

Max K
  • To hammer home why this doesn't work in my case, imagine my app *never* calls Facebook graph APIs. Facebook is being used solely as a replacement for making the user register yet-another account to use my app. My app may be used for several hours or even days without requiring another login, so I need to check more often than that whether the oauth token is still valid. – Squirrel7 Jul 24 '13 at 22:31
  • Why? If you're not making API calls why does it matter if the token has expired? – Igy Jul 24 '13 at 22:53
  • Because Facebook is being used as the authentication mechanism for my app. If someone is no longer authenticated to use my app, I need to stop them from continuing to use it. No different from how if you change your Facebook password because you left it logged in at a hotel, Facebook stops letting that hotel computer continue to defile your Facebook account. – Squirrel7 Jul 25 '13 at 13:00
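
The throttled check the question labels "BETTER?", written out as an added example that is not part of the original thread. All names (`TokenRevalidator`, `Session`, `check_token`, `ProviderUnavailable`) are hypothetical; `check_token` is assumed to wrap the `/me` request mentioned in the question, and the `max_stale` outage grace period is an assumption beyond what the question describes.

```python
import time
from dataclasses import dataclass
from typing import Callable


class ProviderUnavailable(Exception):
    """The identity provider could not be reached (timeout, 5xx, ...)."""


@dataclass
class Session:
    token: str
    last_verified: float  # clock value at login or at the last successful check
    revoked: bool = False


class TokenRevalidator:
    """Re-checks a session's token at most once per `recheck_after` seconds."""

    def __init__(self, check_token: Callable[[str], bool],
                 recheck_after: float = 300.0, max_stale: float = 1800.0,
                 clock: Callable[[], float] = time.time):
        self.check_token = check_token      # hypothetical: wraps the provider call
        self.recheck_after = recheck_after  # "X minutes": worst-case revocation lag
        self.max_stale = max_stale          # assumed grace period for outages
        self.clock = clock

    def authorize(self, session: Session) -> bool:
        """Call on every request; returns False when the session must end."""
        if session.revoked:
            return False
        now = self.clock()
        age = now - session.last_verified
        if age < self.recheck_after:
            return True                     # verified recently, no provider call
        try:
            valid = self.check_token(session.token)
        except ProviderUnavailable:
            # An outage is not a revocation: tolerate it briefly, then fail closed.
            return age < self.max_stale
        if not valid:
            session.revoked = True          # invalidated upstream, e.g. password change
            return False
        session.last_verified = now
        return True
```

The value chosen for `recheck_after` is the longest an invalidated token can keep a session alive, so it should be set from how long that exposure is acceptable rather than from request volume.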