Is it possible to invalidate a Facebook access token?
I need to do this due to the recent deprecation of offline_access.
The problem is that the token cannot be extended beyond 60 days, even if the user returns to the app (unless I am misunderstanding?).
So, what I want to do is invalidate the token, then immediately log the user back in so that I can get a new access token back, with a new 60-day expiry date. As long as the user comes by once every two months, everything should be OK.
I do not want to log the user out of Facebook so FB.logout is not usable.
Is that possible?
You can send a DELETE request to /me/permissions
which should (I think) invalidate the session for the user.
However, I don't really see why you want to do that.
You can just use the server side authentication which ends up with a 60-day token regardless of what token you had before.
So, every time you want 60 more days just authenticate the user using the server side process.
I would seriously consider avoiding the Facebook JavaScript SDK like the plague as it is asynchronous, which in reality means Facebook is secure but your website is not.
I've just begun to rebuild my login flow and I am wondering if this part of my code may come in handy for managing user tokens:
    $fb_error = null;   // only set when the Graph API call fails

    if ($user) {
        try {
            // Proceed knowing you have a logged in user who's authenticated.
            $user_profile = $facebook->api('/me');
        } catch (FacebookApiException $e) {
            $fb_error = $e->getResult();
            error_log($e);
            $user = null;
        }
    }

    // https://developers.facebook.com/docs/reference/api/errors/
    // Only inspect the subcode when the call actually failed; otherwise the
    // index below is undefined.
    if (isset($fb_error['error']['error_subcode'])) {
        switch ($fb_error['error']['error_subcode']) {
            case '458':
                // Returned on app trying something or user attempting an action after app deauth
                // Can do database cleanup operations from this
                $fb_error = '458 - User removed the app from user settings';
                break;
            case '460':
                // App is no longer reauthorized and the user is trying something ?
                // Stop user from all activities if this comes up as they may deauth then try perform an action
                $fb_error = '460 - User needs to reauthorize';
                break;
            case '463':
                // Expired Token
                // This is where we autolog the user back in
                $fb_error = '463 - Token has expired and a new one needs to be requested';
                // need to somehow get the login request code from another page to hide it
                // or use htaccess tricks
                $facebook->getAccessToken();
                break;
            case '467':
                // Invalid Token
                // This is where we autolog the user back in
                $fb_error = '467 - Token is invalid and a new one needs to be requested';
                break;
        }
    }
You could output the errors to the page for testing:
    echo 'Error Subcode: ' . $fb_error . '<br/>';
    echo 'Facebook Error Dump:<br/>';
    var_dump($e);
Note that a PHP switch works like a single if statement with multiple answers (cases).
I would recommend, for code speed optimization, reordering the switch to have the most common errors listed at the top, as the way a PHP switch works is to run down the list until it finds a case matching the error code.
According to the Facebook documentation, you don't need to do anything complicated.
In the user login process, retrieve a short-lived access token and exchange it for a long-lived access token, which is valid for 60 days.
If a user logs out and logs in several times during the day, he will receive the same access token (probably), but the expiration time won't update. But after at least one day passes you will receive a new long-lived access token with a new expiration time.
The only possible issue is a scenario in which the user is constantly logged in for more than two months (more than 60 days). For such scenarios (even though that is barely possible) I coded a little timeout function which will, when the token expires, renew it in the background.
I refactored my code to retrieve and use long-lived tokens yesterday afternoon, so not enough time has passed to tell for sure, but according to the mentioned Facebook documentation, it should work like that.
You do not need to invalidate the access token.
It will return you a new extended 60-day token if you use a new short-lived access token to exchange for it. That specific short-lived token is always given to you when the user uses the app again. Use the client-side auth flow (JS SDK) so you're sure you get the short-lived token. Use the new endpoint for exchanging tokens.
For more info check the Facebook doc.
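The token exchange that the last two answers describe, and the error subcodes from the PHP answer above, as one worked example. This is added code for this thread, not code from any of the answers or from the Facebook SDK. The endpoint and parameter names (graph.facebook.com/oauth/access_token with grant_type=fb_exchange_token, client_id, client_secret and fb_exchange_token) are the documented exchange ones; the function names, the action labels for each subcode, the one-week renewal margin and every sample response are assumptions constructed here. Nothing in it talks to the network: it builds the request, parses the response, tracks expiry and classifies a failure.

```python
"""Long-lived Facebook token handling: build the exchange request, parse the
response (both the form-encoded body of the time and the later JSON body),
track expiry so renewal happens while the user is still around, and map a
Graph API error to an action. Sample payloads below are constructed."""
import json
import time
from urllib.parse import parse_qs, urlencode

EXCHANGE_ENDPOINT = "https://graph.facebook.com/oauth/access_token"
LONG_LIVED_SECONDS = 60 * 24 * 3600  # the 60-day lifetime discussed in the thread

# Subcodes from the PHP switch above, mapped to what the server should do next.
# The action names are our own labels (assumption), not Facebook's.
SUBCODE_ACTIONS = {
    458: "app_removed",     # user removed the app: clean up stored tokens
    460: "reauthorize",     # send the user through login again
    463: "token_expired",   # exchange a fresh short-lived token for a new one
    467: "token_invalid",   # same handling as expired
}


class GraphError(Exception):
    """Raised for an error body; carries code, error_subcode and the action."""

    def __init__(self, code, subcode, message):
        super().__init__(f"Graph API error {code}/{subcode}: {message}")
        self.code = code
        self.subcode = subcode
        self.action = SUBCODE_ACTIONS.get(subcode, "unknown")


def build_exchange_request(app_id, app_secret, short_lived_token):
    """Return the GET URL that exchanges a short-lived token for a 60-day one.

    The app secret travels in this request, so it belongs on the server only;
    the browser (JS SDK) should hand over nothing more than the short-lived token.
    """
    query = urlencode({
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_lived_token,
    })
    return f"{EXCHANGE_ENDPOINT}?{query}"


def parse_exchange_response(body, now=None):
    """Parse the exchange response into (access_token, expires_at_epoch).

    Accepts the form-encoded `access_token=...&expires=...` body the endpoint
    returned when this thread was written, and the JSON body
    `{"access_token": ..., "expires_in": ...}` used later. An error body
    raises GraphError. Missing expiry falls back to the 60-day lifetime.
    """
    now = time.time() if now is None else now
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
        if "error" in data:
            err = data["error"]
            raise GraphError(err.get("code"), err.get("error_subcode"),
                             err.get("message", ""))
        token = data["access_token"]
        ttl = int(data.get("expires_in", LONG_LIVED_SECONDS))
    else:
        fields = parse_qs(body, strict_parsing=True)
        token = fields["access_token"][0]
        ttl = int(fields.get("expires", [LONG_LIVED_SECONDS])[0])
    return token, now + ttl


def renewal_due(expires_at, now=None, margin=7 * 24 * 3600):
    """True when the stored token expires within `margin` seconds (one week by default).

    This is the background check the third answer describes: renew while the
    user is still visiting instead of discovering a dead token on the next call.
    """
    now = time.time() if now is None else now
    return expires_at - now <= margin


if __name__ == "__main__":
    # Constructed walk-through: a successful exchange, then an expired-token error.
    print(build_exchange_request("APP_ID_PLACEHOLDER", "APP_SECRET_PLACEHOLDER", "SHORT"))
    token, expires_at = parse_exchange_response("access_token=LONG123&expires=5184000", now=0)
    print(token, "renew now?", renewal_due(expires_at, now=0))
    try:
        parse_exchange_response('{"error": {"message": "Session has expired", '
                                '"type": "OAuthException", "code": 190, "error_subcode": 463}}')
    except GraphError as exc:
        print(exc, "->", exc.action)
```

Store `expires_at` next to the long-lived token and run `renewal_due` on each visit; when it returns true, take the short-lived token the client-side login just produced and call the exchange again, which is exactly the "no invalidation needed" path the answers recommend.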