Do Facebook Oauth 2.0 Access Tokens Expire?

Question

I am playing around with the Oauth 2.0 authorization in Facebook and was wondering if the access tokens Facebook passes out ever expire. If so, is there a way to request a long-life access token?

Answer 1

Yes, they do expire. There is an 'expires' value that is passed along with the 'access_token', and from what I can tell it's about 2 hours. I've been searching, but I don't see a way to request a longer expiration time.

Answer 2

After digging around a bit, i found this. It seems to be the answer:

offline_access: Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.

Its a permission value requested.

http://developers.facebook.com/docs/authentication/permissions

Answer 3

The access_token I receive from the /authorize call doesn't include an 'expires' flag... in fact, its the same access_token I've been getting for 24 hours now... And, if I try to use it, I get a QueryParseError saying "An active access token must be used to query information about the current user." Any one have any idea how to force a new access_token or refresh it?

Answer 4

I am getting this same problem as well when trying to get user events.

{ "error": { "type": "QueryParseException", "message": "An active access token must be used to query information about the current user." } }

Yet I know the access token is good since I can get the user UID and the picture after login in.

Any ideas?

Answer 5

@Alex - uid and profile pic are normally public, your logic sounds faulty there.

Answer 6

check the following things when you interact with facebook graph api.

1) Application connect URL should be the base of your "redirect_uri" connect URL:- www.x-minds.org/fb/connect/ redirect_uri - www.x-minds.org/fb/connect/redirect 2) Your "redirect_uri" should be same in the both case (when you request for a verification code and request for an access_token) redirect_uri - www.x-minds.org/fb/connect/redirect 3) you should encode the the argument when you request for an access_token 4) shouldn't pass the argument (type=client_cred) when you request for an access_token. the authorization server will issue a token without session part. we can't use this token with "me" alias in graph api. This token will have length of (40) but a token with session part will have a length of(81). An access token without session part will work with some cases

eg: -https://graph.facebook.com/?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM. But Graph API with "me" alias will work with only token with session part.

Answer 7

log into facebook account and edit your application settings(account -> application setting ->additional permission of the application which use your account). uncheck the permission (Access my data when I'm not using the application(offline_access)). Then face will book issue a new token when you log in to the application.

Answer 8

since i had the same problem - see the excellent post on this topic from ben biddington, who clarified all this issues with the wrong token and the right type to send for the requests.

http://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/

Answer 9

Hello , Try this may be it will help full for you

https://graph.facebook.com/oauth/authorize? client_id=127605460617602& scope=offline_access,read_stream,user_photos,user_videos,publish_stream& redirect_uri=http://www.example.com/

To get lifetime Access Token you have to use scope=offline_access Meaning of scope=offline_access is that :- Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.