Search code examples
facebookaccess-tokenextending

Extending Facebook server-side access tokens gracefully

I have an application that used to use offline_access, which obviously needs changing since that's going away.

We use this permission to publish messages to the facebook wall of a user when they interact without our backend through any number of APIs. We have a website, several mobile applications on iPhone, Android, Blackberry, and Nokia phones that connect to the application, as well as a desktop application that interfaces with hardware devices and all of these can cause the backend to attempt to publish to facebook, but only the website allows the user to make the initial authorization with facebook.

From what I understand, using server-side authentication gets 60 day long tokens, and the only way to get new tokens is to redo the authentication process which assuming the user hasn't changed password, is logged into facebook, and hasn't de-authorized the application will appear as nothing but a series of automated redirects.

Is there any other way to do this? For example, what exactly does fb_exchange_token do? Is it applicable in this case or does this ONLY apply to tokens received via the javascript API?

Is there anything we can do for these non-website user interfaces aside from incorporate the native facebook APIs and do the same thing for as the website?

Attempting to use fb_extend_token was pretty fruitless. Rerunning the standard authentication returned the same token but with a fresh 60 day expiry time. Doing it again a short while later didn't extend the token. I'm hoping this means I can only do this once a day, not once per token.

Solution

  • Since I was using the server-side flow and the keys would never be seen by the user I was able to rework my app slightly to use my APPLICATION token. These keys belong to your app and allow you to use the API on behalf of a user for as long as they haven't revoked their permission. The user authorization tokens can expire, but as long as the user hasn't explicitly removed your app from the apps they've allowed, your token will continue to allow you to post to the wall using a /user/ URL, the /me/ URLs won't work because your token is bound to your app.