facebook-graph-api, access-token

Have offline_access tokens started expiring on logout?


I have a number of PHP scripts that pull data from my Facebook profile.

I had set these up with an Access Token that I took from the Graph Explorer.

https://developers.facebook.com/tools/explorer/

I ensured that when generating the tokens, I asked for the offline_access extended permission.

These scripts worked fine for months, but over the last few days, I notice that whenever I logout of Facebook, the token becomes invalidated, and I have to log back in each time and get a new one.

My understanding was that an offline_access token survives a logout, but not a password change.

Has something changed in this regard?


Solution

  • I've done some more research on this.

    FB are deprecating the offline_access permission. That means it will no longer be possible to obtain an access token that gives your app open-ended permission to query a user's data.

    Instead, your app will have to test the validity of any existing token, and if that token has expired, you will be able to swap it for a new one. Previously, if you had an expired token, you had to send your user through the auth process again to get a new one, so this is actually a positive development.

    See: https://developers.facebook.com/docs/offline-access-deprecation/

    In my own particular example, where I was using a token obtained from the Graph Explorer in a PHP script that queried the Graph with cURL (i.e. independently of a user session on FB), I can't, however, do this.

    The Graph Explorer is an app in its own right, and it seems that in the last few days it has switched on the deprecate_offline_access migration in its settings, which means existing offline_access tokens obtained via Graph Explorer will now expire on logout.

    Also, I can't issue a request in my script to swap the token, as this requires the APP SECRET for the Graph Explorer app, which I don't have.

    Therefore, existing offline_access tokens obtained as part of the standard auth process should continue to work, but offline_access tokens obtained via the Graph Explorer will not.

    This effectively means that it is no longer possible to script interaction with the Graph where Extended Permissions are required. All such interaction will now have to occur within a user session.

    I can see the logic in this, but it's a bit of a spanner in the works for cron jobs etc.
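The check-then-swap flow the answer describes, written out as an added example (this is not code from the question or the answer). It assumes the token was issued to your own app rather than the Graph Explorer, so you hold the matching app secret; it uses the `/me` endpoint as a validity probe and the `/oauth/access_token` endpoint with `grant_type=fb_exchange_token` as documented in Facebook's offline-access deprecation page; the `FB_APP_ID` / `FB_APP_SECRET` environment variables, the `.fb_token` file and the response-format handling (URL-encoded pairs or JSON) are assumptions for illustration. It needs PHP 7.1 or later and the cURL extension.

```php
<?php
// Added example, not from the original post. Probe an existing Graph token, and if
// it still works, swap it for a fresh long-lived one using the app id and secret of
// the app that issued it. Run from cron; it persists the replacement token on disk.

const GRAPH = 'https://graph.facebook.com';   // documented Graph base URL

// Assumed configuration: secrets come from the environment, never from the script.
$appId     = (string) getenv('FB_APP_ID');
$appSecret = (string) getenv('FB_APP_SECRET');
$tokenFile = __DIR__ . '/.fb_token';          // assumed location of the current token

function graphGet(string $url): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,       // keep TLS verification on; the token is a bearer credential
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$status, (string) $body];
}

// Validity probe: a 200 from /me means the token is still accepted. An OAuthException
// body covers both expiry and the logout-driven invalidation the question describes.
function tokenIsValid(string $token): bool {
    [$status, $body] = graphGet(GRAPH . '/me?fields=id&access_token=' . urlencode($token));
    if ($status === 200) {
        return true;
    }
    $err  = json_decode($body, true);
    $type = $err['error']['type'] ?? 'unknown';
    fwrite(STDERR, "token rejected (HTTP $status, $type)\n");
    return false;
}

// The swap step. This is what the answer says cannot be done for Graph Explorer tokens:
// it needs the secret of the issuing app, which is why that secret must stay server-side.
function exchangeToken(string $appId, string $appSecret, string $token): ?string {
    $url = GRAPH . '/oauth/access_token?' . http_build_query([
        'grant_type'        => 'fb_exchange_token',
        'client_id'         => $appId,
        'client_secret'     => $appSecret,
        'fb_exchange_token' => $token,
    ]);
    [$status, $body] = graphGet($url);
    if ($status !== 200) {
        fwrite(STDERR, "exchange failed (HTTP $status): $body\n");
        return null;
    }
    // Assumption: handle both response shapes Facebook has used for this endpoint.
    $json = json_decode($body, true);
    if (isset($json['access_token'])) {
        return $json['access_token'];          // JSON: {"access_token":"...","expires_in":...}
    }
    parse_str($body, $pairs);                  // URL-encoded: access_token=...&expires=...
    return $pairs['access_token'] ?? null;
}

$token = trim((string) @file_get_contents($tokenFile));
if ($token === '' || !tokenIsValid($token)) {
    // Nothing to exchange: the user has to go through the login flow again.
    fwrite(STDERR, "no usable token; send the user through the auth process again\n");
    exit(1);
}

// Refresh while the token still validates, then store the replacement with tight permissions.
if ($new = exchangeToken($appId, $appSecret, $token)) {
    file_put_contents($tokenFile, $new, LOCK_EX);
    chmod($tokenFile, 0600);
    $token = $new;
}

[$status, $body] = graphGet(GRAPH . '/me/feed?limit=5&access_token=' . urlencode($token));
echo $body, PHP_EOL;
```

The validity probe runs before the exchange rather than after a failure, because the exchange itself is authenticated by the token being swapped; once a token has been invalidated by a logout the only recovery is the interactive auth flow, exactly the situation the answer describes for Graph Explorer tokens. Keep the app secret out of anything a browser or a second party can read: whoever holds it can mint long-lived tokens for every user of the app.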