I have a web app that allows users to connect Facebook account with their account on my site. When the user decides to connect with Facebook, the app requests publish_stream and offline_access permissions, and then stores the Facebook uid and session_key for each user. All this works fine right now.

My problem is migrating to Facebook's new OAuth 2.0 system. I'd like to transform the session keys I have into access tokens. I followed these instructions and everything seemed to work fine; Facebook returned a bunch of access tokens. However, none of them work. When I try to go to a URL such as https://graph.facebook.com/me?access_token=TOKEN-HERE, I get an error that says "Error validating client".

What am I doing wrong?

Also, I'm under the impression that access tokens work just like session keys in that once I have one, I can use it forever (since I request offline_access permissions). Is that correct?

Update:

Below are the exact steps I took to convert a session key into an access token, along with the output I got. Hopefully that will help bring my problem to light.

Step 1: Convert Session Key to Access Token

Code:

$session_key = '87ebbedf29cc2000a28603e8-100000652996522';
$app = sfConfig::get('app_facebook_prod_api'); // I happen to use Symfony. This gets an array with my Facebook app ID and secret.

// POST body for the session-key-to-access-token exchange.
$post = array(
  'type' => 'client_cred',
  'client_id' => $app['app_id'],
  'client_secret' => $app['secret'],
  'sessions' => $session_key
);

$options = array(
  CURLOPT_POST => 1,
  CURLOPT_HEADER => 0,           // leave response headers out of $result
  CURLOPT_URL => 'https://graph.facebook.com/oauth/exchange_sessions',
  CURLOPT_FRESH_CONNECT => 1,
  CURLOPT_RETURNTRANSFER => 1,   // return the body as a string instead of printing it
  CURLOPT_POSTFIELDS => http_build_query($post)
);

$ch = curl_init();
curl_setopt_array($ch, $options);
$result = curl_exec($ch);
curl_close($ch);
var_export(json_decode($result)); // JSON array with one entry per submitted session key

Output:

array (
  0 => 
  stdClass::__set_state(array(
     'access_token' => '251128963105|87ebbedf29cc2000a28603e8-100000652996522|Dy8CcJzEX8lYRrJE9Xk1EoW-BW0.',
  )),
)

Step 2: Test Access Token

Code:

$access_token = '251128963105|87ebbedf29cc2000a28603e8-100000652996522|Dy8CcJzEX8lYRrJE9Xk1EoW-BW0.';
$options = array(
  CURLOPT_HEADER => 0,
  // The token is appended to the query string as-is (not URL-encoded).
  CURLOPT_URL => 'https://graph.facebook.com/me?access_token=' . $access_token,
  CURLOPT_FRESH_CONNECT => 1,
  CURLOPT_RETURNTRANSFER => 1,   // return the body as a string instead of printing it
);

$ch = curl_init();
curl_setopt_array($ch, $options);
$result = curl_exec($ch);
curl_close($ch);
var_export(json_decode($result)); // GET /me; on success an object describing the token's user

Output:

stdClass::__set_state(array(
   'error' => 
  stdClass::__set_state(array(
     'type' => 'OAuthException',
     'message' => 'Error validating client.',
  )),
))
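As an added example (not the poster's code), the same exchange written around the batch form of the endpoint: several stored session keys go up in one request and each one is mapped back to its token, or to null when Facebook refused it, and the token is URL-encoded before it is used against /me. Assumptions: exchange_sessions accepts a comma-separated `sessions` list and answers with a JSON array in the same order (null for a key it could not convert), and an absent or zero `expires` field marks a non-expiring (offline_access) token; the sample response is constructed.

```php
<?php
// Build the POST body for exchange_sessions for a batch of stored session keys.
function buildExchangeRequest(array $app, array $sessionKeys): array {
    return [
        'type'          => 'client_cred',
        'client_id'     => $app['app_id'],
        'client_secret' => $app['secret'],
        'sessions'      => implode(',', $sessionKeys),   // assumption: comma-separated list
    ];
}

// Map each submitted session key to ['access_token' => ..., 'expires' => ...] or null.
function parseExchangeResponse(array $sessionKeys, string $json): array {
    $entries = json_decode($json, true);
    if (!is_array($entries) || count($entries) !== count($sessionKeys)) {
        // Do not echo the whole body: it may contain tokens.
        throw new RuntimeException('unexpected exchange_sessions response (' . strlen($json) . ' bytes)');
    }
    $result = [];
    foreach (array_values($sessionKeys) as $i => $key) {
        $entry = $entries[$i];
        if (!is_array($entry) || empty($entry['access_token'])) {
            $result[$key] = null;                      // session key rejected (invalid or expired)
            continue;
        }
        $result[$key] = [
            'access_token' => $entry['access_token'],
            // assumption: 0 / absent means the token does not expire (offline_access)
            'expires'      => isset($entry['expires']) ? (int) $entry['expires'] : 0,
        ];
    }
    return $result;
}

// Build the /me URL with the token URL-encoded; '|' and '.' in the token are not
// safe to paste into a query string verbatim.
function graphMeUrl(string $accessToken): string {
    return 'https://graph.facebook.com/me?' . http_build_query(['access_token' => $accessToken]);
}

// Constructed sample: two keys submitted, the second one rejected by Facebook.
$keys   = ['SESSION-KEY-A', 'SESSION-KEY-B'];
$sample = '[{"access_token":"APPID|SESSION-KEY-A|SIG","expires":0},null]';
$tokens = parseExchangeResponse($keys, $sample);
assert($tokens['SESSION-KEY-A']['expires'] === 0);
assert($tokens['SESSION-KEY-B'] === null);
echo graphMeUrl($tokens['SESSION-KEY-A']['access_token']), PHP_EOL;
```

Keys that map to null should be treated as needing a fresh OAuth 2.0 login rather than retried, and `client_secret` belongs only in the server-side exchange, never in the /me request.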
A: 

The Platform Upgrade Guide has a section about OAuth 2.0 which includes the instructions for exchanging a session_key for an access_token. You should use this if you already have stored session keys.

For new users, you should use one of the new SDKs or the OAuth2 flow directly which will give you an access token to begin with.

daaku
This is the exact link offered in the question which the poster specified he had read and is following.
jeremy
A: 

From reading your post, here is my understanding:

You are transforming session keys into access keys for each user in your system and storing these keys.

You then test the key using your own page. (Graph.facebook.com/me etc...)

If this is the case:

A) You cannot use another user's key with your own key. Going to graph.facebook.com would only be valid for the user that the key belongs to and if they were logged in. So for example, if you have my access key you could visit http://graph.facebook.com/YOURID.... but for graph.facebook.com/me to work you would have to be logged in as me.

B) These keys expire every 3 hours (or thereabouts) so it may no longer be valid.

steve
A is not true. If you read the last instruction on http://developers.facebook.com/docs/api#authorization, it seems to imply that providing an access token means that the API will act as if you are the person who the token is for. In fact, if you get a token for yourself and then sign out, you can still go to /me.
lyoshenka
Just checked, ok - so when you log in you can access graph.facebook.com/me. But if you log out the key is terminated, the key also expires. Are you sure you are working with an active key when you try testing?
steve
I can say from experience that the access tokens definitely expire on logout BUT they SHOULDN'T expire if you have offline_access permissions. Are you sure you've acquired offline_access permissions?
BeRecursive