8

I'm using the Facebook PHP SDK to call relevant APIs to post and get data. At present I'm saving a user access token in the database but it expires after 60 days. How can I refresh a user access token?

1. When do I need to refresh the access tokens? After they expire, or before?

2. What is the best way to refresh access tokens?

3. Should my users need to log in again to refresh the access token?

This is the function that I'm using to extend the access token, but the expiry time remains the same.

```php
public function getExtendedAccessToken($access_token)
{
    $token_url = "https://graph.facebook.com/oauth/access_token";
    $params = array(
        'client_id'         => self::appId,
        'client_secret'     => self::appSecretId,
        'grant_type'        => 'fb_exchange_token',
        'fb_exchange_token' => $access_token,
    );

    $response = $this->curl($token_url, $params);
    // Keep only the value between the first '=' and the following '&'.
    $response = explode('=', $response);
    $response = explode('&', $response[1]);
    $response = $response[0];
    return $response;
}
```
Sahil Mittal
Viral Solani

3 Answers

6

The access token can't be refreshed just like that; the user should access the app again to get the new token.

You can refresh the token at any time you wish. In fact, the best way is to refresh the token each time the user visits your app. In this way, the token will never expire if the user keeps visiting the app once in 60 days.

Sahil Mittal
  • Thanks for the reply. The issue is that the user may visit my app more than 100 times in a day; then it will be refreshed 100 times. Is that OK? And how can I refresh the access token? – Viral Solani Jul 27 '13 at 06:00
  • Well, refreshing 100 times a day would probably be overkill; why not do it at most once per day? The access token refresh is clearly documented, pasting the endpoint parameters here would just be redundant: https://developers.facebook.com/docs/facebook-login/access-tokens/#extending – Igy Jul 27 '13 at 06:30
  • Yes, I've implemented this technique in my project but it is not exceeding the time. See the point below in that link. It mentions that you need to refresh the access token, and that is my question: how? – Viral Solani Jul 27 '13 at 09:00
  • Try the same tomorrow, you'll see the time extended. – Sahil Mittal Jul 27 '13 at 11:35
  • @sahil I've tried it and nothing happens see here are below two access token before extending and after extending. Before Extending :"CAAFpZAbXad7MBAHZCnN9haieepdpwDp70jAR16xoI63ETeDt5FZAVUtSkmPCF0SKRq62IeBpZASztZA2UiE0Ilw200Dq89Bx0ZAz2MtLBswnOq0kYcXHdnwVhuk5vljfrHt2ul99C1MH6UuMACk0B2N1FMkZAT5aMsZD". After Extending :"CAAFpZAbXad7MBAOvdyzOZBZCjbv2xE97C5gWt0vWKmr5HSYPJLqFl7hnbcBrR768ug6hg6Pndt1DDMEqrZAgcjLQea3blboYyB3iAX1xKU7I0CCmUy1uxtl9L6KwxXXRPMWHKxgMoK6DcgcWIwPYPtv1Mue7gj4ZD".. – Viral Solani Jul 30 '13 at 05:54
  • See, this is Facebook's debug tool; you can check both access tokens, and the expiry time is the same: https://developers.facebook.com/tools/debug – Viral Solani Jul 30 '13 at 05:57
  • This is the function that I use to extend the token: public function getExtendedAccessToken($access_token) { $token_url="https://graph.facebook.com/oauth/access_token"; $params=array('client_id'=>self :: appId,'client_secret'=>self :: appSecretId,'grant_type'=>'fb_exchange_token','fb_exchange_token'=>$access_token); $response = $this->curl($token_url,$params); $response = explode ('=',$response); $response = explode ('&',$response[1]); $response = $response[0]; return $response; } – Viral Solani Jul 30 '13 at 05:57
  • @lgy. The link that you gave me says: "Apps are unable to exchange an expired short-lived token for a long-lived token. The flow above only works with short-lived tokens that are still valid. Once they expire, your app must send the user through the login flow again." But I think I already have a long-lived access token that has 60 days of expiration time. Now my question is how to refresh it. – Viral Solani Jul 30 '13 at 06:11
  • See, first of all the token after and before extending can't be the same. Please note, that only the `short-lived token` can be replaced with the `long-lived` one. Getting the long-lived token is simpler. After that, when you want to refresh your token, you should first move the user to the `login flow` and get the `short-lived` token and then exchange that with the new `long-lived` token. (Note: login flow does actually perform the login, it'll just redirect you and you can get the short-lived token) – Sahil Mittal Jul 30 '13 at 13:29
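
An added example, not code from the posts above or from the Facebook SDK: it keeps the lifetime value that the question's `explode` parsing discards, and applies the at-most-once-per-day renewal suggested in the comments. The function names, the `expires`/`expires_in` field names and the sample reply are assumptions.

```php
<?php
// Added example; function names and sample values are assumptions.

// Parse the token endpoint reply and keep its lifetime as well as the token.
// Accepts a JSON body or the query-string form the question's code splits by hand.
function parseTokenResponse(string $body): array
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        parse_str($body, $data);
    }
    if (empty($data['access_token'])) {
        throw new RuntimeException('no access_token in response');
    }
    // Assumed lifetime field names: "expires" (query string) or "expires_in" (JSON).
    $ttl = $data['expires'] ?? $data['expires_in'] ?? null;
    return [
        'token'      => $data['access_token'],
        'expires_in' => $ttl === null ? null : (int) $ttl,
    ];
}

// Decide what to do with the stored token when the user visits the app:
//   'expired' - unusable, the user must go through the login flow again
//   'renew'   - still valid, last renewed a day or more ago: get a fresh
//               short-lived token via the login flow and exchange it
//   'keep'    - still valid and renewed within the last day
function tokenAction(int $expiresAt, int $lastRenewedAt, int $now): string
{
    if ($expiresAt <= $now) {
        return 'expired';
    }
    return ($now - $lastRenewedAt >= 86400) ? 'renew' : 'keep';
}

// Constructed sample reply with a placeholder token value.
$now       = 1375000000;
$parsed    = parseTokenResponse('access_token=EXAMPLE_TOKEN&expires=5183999');
$expiresAt = $now + $parsed['expires_in'];   // store this next to the token

printf("expires in %d days\n", intdiv($parsed['expires_in'], 86400));
foreach ([3600, 2 * 86400, 61 * 86400] as $later) {
    printf("+%d s: %s\n", $later, tokenAction($expiresAt, $now, $now + $later));
}
```

Storing the absolute expiry next to the token makes it possible to compare the value before and after an exchange without the debug tool.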
0

Try this:

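```php
$app_id     = FB_APP_ID;
$app_secret = FB_SECRET_ID;
$canvas_URL = FB_PAGE_URL;
// Empty on the first visit, before Facebook redirects back with ?code=...
$code = isset($_REQUEST['code']) ? $_REQUEST['code'] : '';

if (empty($code)) {
    // CSRF protection: store an unpredictable state value and check it on return.
    $_SESSION['state'] = bin2hex(random_bytes(16));
    $dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
        . $app_id . "&redirect_uri=" . urlencode($canvas_URL) . "&state="
        . $_SESSION['state'];

    echo("<script> top.location.href='" . $dialog_url . "'</script>");
    exit; // nothing else to do until the browser comes back with a code
}

// Only continue when the returned state matches the one stored in the session.
if (isset($_REQUEST['state'], $_SESSION['state'])
    && hash_equals($_SESSION['state'], (string) $_REQUEST['state'])) {
    $facebook->api('oauth/access_token', array(
        'client_id'     => FB_APP_ID,
        'client_secret' => FB_SECRET_ID,
        'type'          => 'client_cred',
        'code'          => $code,
    ));
    $token = $facebook->getAccessToken();
    echo $token;
}
```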
Rahul Mangal
0

```php
public function getExtendedAccessToken($access_token)
{
    $token_url = "https://graph.facebook.com/oauth/access_token";
    $params = array(
        'client_id'         => self::appId,
        'client_secret'     => self::appSecretId,
        'grant_type'        => 'fb_exchange_token',
        'fb_exchange_token' => $access_token,
    );

    $response = $this->curl($token_url, $params);
    // Keep only the value between the first '=' and the following '&'.
    $response = explode('=', $response);
    $response = explode('&', $response[1]);
    $response = $response[0];
    return $response;
}
```
  • 1
    Please add an explanation along with the code, so that it can help others. – The_Outsider Jul 19 '17 at 15:01
  • Per the FB documentation, fb_exchange_token will only exchange short-lived client tokens for server-side long-lived tokens. Are you sure that this will also refresh/extend long-lived tokens? – atyachin May 02 '19 at 15:57