
Facebook Graph API rejects newly created access token


Earlier today, the Facebook login flow of our web application stopped working for some users. When we try to fetch the current profile, an error is returned. It claims that the access token we just generated by redirecting the user to the OAuth login flow has been rejected.

The reason given is:

The access token is invalid since the user hasn't engaged the app in longer than 90 days

To me, this makes no sense since we do not store the access token anywhere except for the current session and recreate it every time the user logs in with Facebook.

The stacktrace from Spring Social for the GET /me call looks like this:

ERR c.s.f.v.resource.AuthenticationResource Exception when connecting with Facebook
org.springframework.social.RevokedAuthorizationException: The authorization has been revoked. Reason: The access token is invalid since the user hasn't engaged the app in longer than 90 days.
        at org.springframework.social.facebook.api.impl.FacebookErrorHandler.handleFacebookError(FacebookErrorHandler.java:85)
        at org.springframework.social.facebook.api.impl.FacebookErrorHandler.handleError(FacebookErrorHandler.java:59)
        at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)
        at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:775)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:728)
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:702)
        at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:350)
        at org.springframework.social.facebook.api.impl.FacebookTemplate.fetchObject(FacebookTemplate.java:220)
        at org.springframework.social.facebook.api.impl.FacebookTemplate.fetchObject(FacebookTemplate.java:215)

The issue is probably related to changes in the Facebook API, but I do not see how this affects the short-lived access tokens we create on every login.


Solution

  • Update:

    The issue seems to have just been fixed by Facebook.


    I filed a bug with Facebook and they are currently (5/3/18) working on a resolution.

    There are several workarounds suggested here and in the bug comments. To summarize:

    1. Add a new permission that you previously didn't ask for to force re-authorization
    2. Catch the error and re-authorize the user manually via auth_type=reauthorize
    3. Switch to JS SDK and use client-side login

    I'm going for solution #2 as it seems to be the most straightforward way.
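
Workaround 2 from the answer above, sketched against Spring Social's OAuth2 API as an added example (not code from the original post or from the Spring Social project). The class name, the session attribute names and the use of the `javax.servlet` session are assumptions; the example also retries only once per session and binds the redirect to the session with a random `state` value.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.servlet.http.HttpSession;
import org.springframework.social.RevokedAuthorizationException;
import org.springframework.social.facebook.api.User;
import org.springframework.social.facebook.api.impl.FacebookTemplate;
import org.springframework.social.facebook.connect.FacebookConnectionFactory;
import org.springframework.social.oauth2.OAuth2Parameters;

/** Hypothetical helper; class, method and session-attribute names are illustrative. */
public class FacebookReauthorizeHelper {
    private static final SecureRandom RANDOM = new SecureRandom();
    private final FacebookConnectionFactory connectionFactory;
    private final String redirectUri; // must match a redirect URI registered for the app

    public FacebookReauthorizeHelper(String appId, String appSecret, String redirectUri) {
        this.connectionFactory = new FacebookConnectionFactory(appId, appSecret);
        this.redirectUri = redirectUri;
    }

    /** Empty when GET /me succeeded; otherwise the URL to redirect the browser to. */
    public Optional<String> reauthorizeUrlIfRevoked(String accessToken, HttpSession session) {
        try {
            new FacebookTemplate(accessToken).fetchObject("me", User.class, "id", "name");
            session.removeAttribute("fbReauthTried");
            return Optional.empty();
        } catch (RevokedAuthorizationException e) {
            // Retry once per session so a persistent rejection cannot cause a redirect loop.
            if (session.getAttribute("fbReauthTried") != null) {
                throw e;
            }
            session.setAttribute("fbReauthTried", Boolean.TRUE);
            return Optional.of(buildReauthorizeUrl(session));
        }
    }

    private String buildReauthorizeUrl(HttpSession session) {
        byte[] nonce = new byte[32];
        RANDOM.nextBytes(nonce);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce);
        session.setAttribute("fbOAuthState", state); // compare with ?state= in the callback
        OAuth2Parameters params = new OAuth2Parameters();
        params.setRedirectUri(redirectUri);
        params.setState(state);
        params.add("auth_type", "reauthorize"); // workaround 2 from the answer
        return connectionFactory.getOAuthOperations().buildAuthorizeUrl(params);
    }
}
```

The OAuth callback should reject any response whose `state` parameter does not equal the stored `fbOAuthState` value before exchanging the code for a token.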