6

According to the Facebook docs, mobile SDKs generate long-lived tokens which are refreshed once per day when the person using your app makes a request to the Facebook servers. For the JavaScript SDK, short-lived tokens are generated and are refreshed periodically.

I'm curious as to what is meant by "the person using your app makes a request to the Facebook servers". Which calls specifically will cause the token to be refreshed? Or more importantly, which calls won't? Is it enough to check the login status or is something more active required? What I'm really interested in is keeping the token alive (or getting a new one) without sending the user back through the login flow, or doing anything that's particularly active with Facebook's APIs.

Thanks!

Jordan
  • Normally the SDKs should handle that for you, so that you don’t need to worry about it – as long as the user is “active” within your app (not leaving it idle for hours), you should not need to do anything about this specifically. Or do you have a certain use case that has proven otherwise? – CBroe May 08 '15 at 22:03
  • @CBroe My server will be handling most of the calls to Facebook's APIs. I'm just concerned about bothering users with auth flows in order for the server to keep doing what it's doing. Is that something that is a necessity? – Jordan May 09 '15 at 00:40
  • Well then extending the access tokens is probably your best bet. – CBroe May 09 '15 at 01:25
  • @CBroe Will checking login status from the javascript SDK extend the access token? – Jordan May 12 '15 at 00:43
  • `FB.getLoginStatus` caches results, but can be forced to make a roundtrip to Facebook’s servers via the second parameter. (For performance reasons, use in moderation.) – CBroe May 12 '15 at 05:31

2 Answers

8

According to the Facebook SDK docs:

Once a token expires ("auto" extend of Facebook SDK Token)

At any point, you can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token

THERE IS no keep alive functionality in Facebook SDK.

User access tokens come in two forms: short-lived tokens and long-lived tokens. Short-lived tokens usually have a lifetime of about an hour or two, while long-lived tokens usually have a lifetime of about 60 days. You should not depend on these lifetimes remaining the same - the lifetime may change without warning or expire early. See more under handling errors.

long-lived = 60 days

Short-lived = 2 hours

Also according to the Facebook SDK docs:

Mobile apps that use Facebook's mobile SDKs get long-lived tokens.

Once you force a user through a new OAuth/login, he will receive a new token. The old one will not expire. You are able to check the login status with `FB.getLoginStatus`. No need for a keep alive.

lin
  • I read the docs. I want to know how the tokens are refreshed by the sdks. – Jordan May 08 '15 at 16:09
  • Did you vote me down? Please explain why. There is no "keep alive" in Facebook SDK. I promise "refresh" in your case is a "keep alive".. ? – lin May 08 '15 at 16:09
  • https://developers.facebook.com/docs/facebook-login/access-tokens#extending -> Tokens are extended automatically by the sdks. Is this not true? What triggers this? Will asking for the login status do it? – Jordan May 08 '15 at 16:13
  • I voted you down because your answer repeated the beginning of my question where I stated what I already knew from reading the docs. It didn't add any helpful information. – Jordan May 08 '15 at 16:14
  • `At any point, you can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token` – lin May 08 '15 at 16:17
  • I want to know if checking the login status will refresh the token (in all sdks) – Jordan May 08 '15 at 19:22
  • @lin So, if I receive a long lived token via the Facebook iOS sdk for a user, and save it on the server, and the user does not open the app for 60 days, the token will expire. If the user reopens the app, will the Facebook iOS sdk automatically reissue a new token without the login flow, and will the token I have saved on my server become valid again? – Josh Bernfeld Jan 23 '17 at 03:35
  • @Jordan yes, this is true - It is triggered by Facebook SDK servers due to a datetime compare of exactly 60 days for long-lived and 2 hours for short-lived since the token was created - No, there is still no keep alive functionality because there is no need for it. – lin Feb 13 '17 at 23:22
  • @thedeveloper3124 That's what the SDK doc says: `note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back`. So, the user needs to log in again or, if they are still logged in to Facebook, an immediate redirect to your application will be triggered. At this moment a new token has been created. – lin Feb 13 '17 at 23:24
2

The SDK will refresh the access token for you when an actual graph request is made (up to once a day). Any time the token is updated, the AccessTokenTracker will be notified, so you can register a tracker if you want to be notified of updates (e.g. for sending to the server).

If you only make graph requests from your server, then you'll need to handle expiration from there, and either try to extend, or prompt your user to do SSO again to get an updated token.

Ming Li
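
The server-side handling described in the answer above, as an added example that is not part of the original answers: it decides from the `data` object of a Graph API `debug_token` response whether a stored token can be used, should be exchanged, or needs the login flow again, and builds the `fb_exchange_token` request. The function names, the seven-day renewal window and the sample payloads are assumptions made for the example.

```javascript
// Added example (Node.js, server side). All sample values are constructed.
const GRAPH = "https://graph.facebook.com"; // unversioned path; pin a version in production

// Build the fb_exchange_token request that trades a still-valid token for a
// long-lived one. The app secret stays on the server, never in client code.
function buildExchangeUrl(appId, appSecret, currentToken) {
  const q = new URLSearchParams({
    grant_type: "fb_exchange_token",
    client_id: appId,
    client_secret: appSecret,
    fb_exchange_token: currentToken,
  });
  return `${GRAPH}/oauth/access_token?${q}`;
}

// Decide what to do with a stored token, given the `data` object of a
// GET /debug_token response. Returns "use", "extend", "reauth" or "reject".
function planTokenAction(data, ourAppId, nowSec, renewWindowSec = 7 * 86400) {
  if (!data) return "reauth";
  // A token minted for a different app must never be accepted as ours.
  if (String(data.app_id) !== String(ourAppId)) return "reject";
  if (data.is_valid !== true) return "reauth";
  if (data.expires_at === 0) return "use"; // 0 = token has no expiry
  const remaining = data.expires_at - nowSec;
  if (remaining <= 0) return "reauth"; // expired: only the login flow helps
  return remaining <= renewWindowSec ? "extend" : "use";
}

// Constructed debug_token payloads, relative to a fixed "now".
const NOW = 1431388800; // 2015-05-12T00:00:00Z
const APP_ID = "1234567890"; // placeholder app id
const samples = {
  fresh: { app_id: APP_ID, is_valid: true, expires_at: NOW + 50 * 86400 },
  nearExpiry: { app_id: APP_ID, is_valid: true, expires_at: NOW + 3 * 86400 },
  expired: { app_id: APP_ID, is_valid: false, expires_at: NOW - 3600 },
  otherApp: { app_id: "999", is_valid: true, expires_at: NOW + 50 * 86400 },
};

function planAll() {
  return Object.fromEntries(
    Object.entries(samples).map(([k, d]) => [k, planTokenAction(d, APP_ID, NOW)])
  );
}
console.log(planAll());
```
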