facebook, facebook-authentication, facebook-authorization

How can I test the December 2012 breaking change related to offline access?


We have a product that allows people to schedule posts to Facebook. We have relied upon the offline access permission, which is scheduled to be removed on Dec 5th.

We think that we have implemented the correct 60-day session-extending logic, but are having difficulty testing.

We created a new test Facebook app and enabled the "December 2012 Breaking Changes" migration setting. A new user authorizes the new application (and we still request the offline_access permission). We then extend the session, which returns the same session token without an expires parameter. When we use the Access Token Debugger, it says that the tokens never expire.

We tried doing the authorization without passing the offline_access permission, but could never get an expiration beyond 5760 (4 hours), making it seem necessary to still pass it.

We very much want to test the breaking change, but we cannot create the scenario in which sessions expire and must be continually extended. How can we test this?


Solution

  • The solution is that there is a second migration setting "Remove offline_access permission" that must also be enabled. Only when enabled with the "December 2012 Breaking Changes" migration setting will your application be able to obtain 60-day session tokens.

    This has the unfortunate side effect of transforming existing never-expiring session tokens immediately into 60-day expiring tokens. Facebook said they would continue to honor existing never-expiring tokens, but given that both settings must be enabled, your application is forced to treat all users as having 60-day tokens.
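
The following is an added example, not part of the original answer and not Facebook's code. It shows one way to make the expiry handling testable without waiting 60 days: the clock is passed in, and a session-extension response that lacks `expires` is treated as a 60-day token, as the answer recommends. The function names, the 7-day renewal window and the form-encoded response shape (`access_token=...&expires=<seconds>`) are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

SIXTY_DAYS = timedelta(days=60)
RENEW_WINDOW = timedelta(days=7)  # assumption: re-extend when a week or less remains


def parse_extension_response(body, now):
    """Parse an assumed form-encoded extension response.

    Returns (token, expires_at, expires_was_present).
    """
    fields = parse_qs(body, strict_parsing=True)
    if "access_token" not in fields:
        raise ValueError("response carries no access_token")
    token = fields["access_token"][0]
    if "expires" in fields:
        lifetime = timedelta(seconds=int(fields["expires"][0]))
        return token, now + lifetime, True
    # No 'expires': the case reported in the question. Do not record the
    # token as never-expiring; assume the 60-day lifetime instead.
    return token, now + SIXTY_DAYS, False


def next_action(expires_at, now):
    """Decide what a scheduler should do with a stored token at time `now`."""
    remaining = expires_at - now
    if remaining <= timedelta(0):
        return "reauthorize"  # token is dead; the user must log in again
    if remaining <= RENEW_WINDOW:
        return "extend"       # still valid, so it can be exchanged again
    return "ok"


if __name__ == "__main__":
    now = datetime(2012, 12, 5, tzinfo=timezone.utc)
    # Constructed sample bodies, not captured from Facebook.
    for body in ("access_token=CONSTRUCTED_TOKEN&expires=5183999",
                 "access_token=CONSTRUCTED_TOKEN"):
        token, expires_at, present = parse_extension_response(body, now)
        print(present, expires_at.isoformat(), next_action(expires_at, now))
```

Because `now` is a parameter, a test can move the clock forward by 55 or 61 days and check that stored tokens are extended or sent back through authorization.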