
Re offline_access deprecation: When to do the fb_exchange_token thing?


I'm tweaking a site that has been using FB authentication and access tokens for a while to deal with the deprecation of offline_access, and, in particular, doing the fb_exchange_token thing to get extended-duration tokens for the site's users. It seems to be working, but I've got some questions. My basic approach is:

  • I get the user logged in through the usual server-side back-and-forth procedure, finally giving me a valid access token for the user. This works fine, and appears to be valid for 5300 seconds or so, like the standard/original tokens.

  • I then immediately do the fb_exchange_token call; this succeeds and gives me a new access_token that's good for a couple of months. This is the token that my site saves away for future use when it does things on behalf of the user.

This makes sense, right? It seems a little redundant to make one call right after another, but it's getting me the extended-lifespan token, which is what I want. I suppose I could use the original token for as long as it lasts and not bother with the exchange until the original token expires, but (a) it seems like I might as well get and use the extended one from the start and (b) it's not clear to me that an expired token can be exchanged for an extended-duration token.

So: Does anyone see any problems with this approach? Thanks!


Solution

  • a) Yes, that approach works well. I do that with some of my apps.

    b) Please see the 3rd item in this FAQ. http://dominicminicoopers.blogspot.com/2012/03/facebook-access-tokens-and-offline.html

    Can I exchange my 60 day access token for a new 60 day access token?

    No, sorry you cannot. You can only exchange a valid (meaning current) user access token for an extended one. You cannot extend an already extended access token.
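The server-side exchange discussed in this thread, as an added Python sketch (not code from the question or the answer). The function names, the unversioned endpoint form and the two response shapes handled (form-encoded `access_token=...&expires=...` and JSON with `expires_in`) are assumptions of this example; the request parameters are the standard ones for the `fb_exchange_token` grant.

```python
import json
import time
from urllib.parse import parse_qs, urlencode

# Graph API token endpoint (unversioned form; an assumption, adjust to your API version).
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"


def build_exchange_url(app_id, app_secret, short_lived_token):
    """Server-side only: the URL carries the app secret, so never log it."""
    return TOKEN_ENDPOINT + "?" + urlencode({
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_lived_token,
    })


def parse_token_response(body, now=None):
    """Return (token, absolute expiry as epoch seconds or None)."""
    now = int(time.time()) if now is None else now
    body = body.strip()
    if body.startswith("{"):  # JSON body, also used for error payloads
        data = json.loads(body)
        if "error" in data:
            raise ValueError("exchange rejected: " + str(data["error"].get("message")))
        token, ttl = data["access_token"], data.get("expires_in")
    else:  # form-encoded body: access_token=...&expires=...
        fields = parse_qs(body)
        if "access_token" not in fields:
            raise ValueError("no access_token in response")
        token = fields["access_token"][0]
        ttl = fields.get("expires", [None])[0]
    return token, (now + int(ttl) if ttl is not None else None)


def should_exchange(expiry, already_extended, now=None):
    """Only a current, not-yet-extended token can be exchanged (per the answer)."""
    now = int(time.time()) if now is None else now
    return (not already_extended) and expiry is not None and expiry > now
```

Storing the absolute expiry next to the extended token lets the site send the user back through login before the token lapses, since an expired or already-extended token cannot be exchanged.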