blocks|key|1270562|text|请注意，Facebook现在放弃了offline_access权限，转而支持令牌，您可以为其请求“升级”到过期。我自己现在正在处理这个问题，所以我没有更多要说的，但这篇文档可能会有所帮助：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1270563|https://developers.facebook.com/docs/offline-access-deprecation/|offset|length|1270564|entityMap|0|LINK|mutability|MUTABLE|url^0|0|0|1S|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|N|8|@]|9|@$D|O|E|P|1|Q]]|A|$]]|$1|F|3|-4|5|6|7|R|8|@]|9|@]|A|$]]]|G|$H|$5|I|J|K|A|$L|C]]]]

Note that Facebook is now deprecating the offline_access permission in favor of tokens for which you can request an "upgrade" to the expiry. I'm just now dealing with this, myself, so I don't have much more to say, but this doc may help:

<a href="https://developers.facebook.com/docs/offline-access-deprecation/" rel="noreferrer">https://developers.facebook.com/docs/offline-access-deprecation/</a>

blocks|key|1270486|text|我带着与OP相同的问题来到这里，但是建议使用offline_access的答案对我来说是危险的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1270487|在安全方面，离线访问用户的Facebook帐户在性质上是不同的，而且比仅仅使用Facebook进行单点登录要强大得多，不应该轻率地使用(除非您真的需要它)。当用户授予此权限时，“应用程序”可以随时随地检查用户的帐户。我将“应用程序”放在引号中，因为它实际上是任何具有凭据的工具--您可以编写一整套与web服务器无关的工具，这些工具可以访问用户同意共享给这些凭据的任何信息。|1270488|我不会使用这个特性来解决令牌生命周期较短的问题；这不是它的预期目的。事实上，令牌生存期本身就是一个安全特性。我仍然在寻找有关这些令牌正确使用的详细信息(我可以持久化它们吗？我如何/应该如何保护它们？Facebook是否在主OAuth中嵌入了Facebook+2.0的“刷新令牌”？如果不是，它在哪里和/或我如何刷新？)，但我非常确定offline_access不是正确的方式。|1270489|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|H|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|I|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|J|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|G|$]]

I came here with the same question as the OP, but the answers suggesting the use of offline_access are raising red flags for me.

Security-wise, getting offline access to a user's Facebook account is qualitatively different and far more powerful than just using Facebook for single sign on, and should not be used lightly (unless you really need it). When a user grants this permission, "the application" can examine the user's account from anywhere at any time. I put "the application" in quotes because it's actually any tool that has the credentials -- you could script up a whole suite of tools that have nothing to do with the web server that can access whatever info the user has agreed to share to those credentials.

I would not use this feature to work around a short token lifetime; that's not its intended purpose. Indeed, token lifetime itself is a security feature. I'm still looking for details about the proper usage of these tokens (Can I persist them? How do/should I secure them? Does Facebook embed the OAuth 2.0 "refresh token" inside the main one? If not, where is it and/or how do I refresh?), but I'm pretty sure offline_access isn't the right way.

blocks|key|1055411|text|是的，它们确实过期了。有一个‘expire’值和'access_token‘一起传递，据我所知大约需要2个小时。我一直在寻找，但我没有找到一种方法来请求更长的过期时间。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1055412|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

Yes, they do expire. There is an 'expires' value that is passed along with the 'access_token', and from what I can tell it's about 2 hours. I've been searching, but I don't see a way to request a longer expiration time.

blocks|key|1270423|text|因为我也有同样的问题--请看ben+biddington关于这个话题的一篇很棒的文章，他用错误的令牌和正确的请求类型澄清了所有这些问题。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1270424|http://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/|offset|length|1270425|entityMap|0|LINK|mutability|MUTABLE|url^0|0|0|2F|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|N|8|@]|9|@$D|O|E|P|1|Q]]|A|$]]|$1|F|3|-4|5|6|7|R|8|@]|9|@]|A|$]]]|G|$H|$5|I|J|K|A|$L|C]]]]

since i had the same problem - see the excellent post on this topic from ben biddington, who clarified all this issues with the wrong token and the right type to send for the requests.

<a href="http://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/" rel="nofollow noreferrer">http://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/</a>

blocks|key|1055780|text|点击此按钮，将短存留访问令牌交换为长存留/非过期(页面)访问令牌：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1055781|https://graph.facebook.com/oauth/access_token?+++++++++++++
++++client_id=APP_ID&
++++client_secret=APP_SECRET&
++++grant_type=fb_exchange_token&
++++fb_exchange_token=EXISTING_ACCESS_TOKEN+|code-block|syntax|javascript|1055782|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

Hit this to exchange a short living access token for a long living/non expiring(pages) one:

<pre><code>https://graph.facebook.com/oauth/access_token? 
 client_id=APP_ID&amp;
 client_secret=APP_SECRET&amp;
 grant_type=fb_exchange_token&amp;
 fb_exchange_token=EXISTING_ACCESS_TOKEN 
</code></pre>

blocks|key|1270357|text|登录facebook帐户并编辑您的应用程序设置(帐户->应用程序设置使用您的帐户的应用程序的->additional权限)。取消选中权限(在我不使用应用程序时访问我的数据(Offline_access))。然后，当你登录到应用程序时，face会发出一个新的令牌。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1270358|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

log into facebook account and edit your application settings(account -> application setting ->additional permission of the application which use your account). uncheck the permission (Access my data when I'm not using the application(offline_access)). Then face will book issue a new token when you log in to the application.

blocks|key|1270636|text|基本facebook令牌大约在一个小时后过期。但是您可以使用'exchange‘令牌来获得一个长期的令牌https://developers.facebook.com/docs/facebook-login/access-tokens|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1270637|GET+/oauth/access_token?++
++++grant_type=fb_exchange_token&+++++++++++
++++client_id={app-id}&
++++client_secret={app-secret}&
++++fb_exchange_token={short-lived-token}+|code-block|syntax|javascript|1270638|entityMap|0|LINK|mutability|MUTABLE|url|https://developers.facebook.com/docs/facebook-login/access-tokens^0|1G|1T|0|0|0^^$0|@$1|2|3|4|5|6|7|Q|8|@]|9|@$A|R|B|S|1|T]]|C|$]]|$1|D|3|E|5|F|7|U|8|@]|9|@]|C|$G|H]]|$1|I|3|-4|5|6|7|V|8|@]|9|@]|C|$]]]|J|$K|$5|L|M|N|C|$O|P]]]]

Basic the facebook token expires about in a hour. But you can using 'exchange' token to get a long-lived token
<a href="https://developers.facebook.com/docs/facebook-login/access-tokens" rel="nofollow">https://developers.facebook.com/docs/facebook-login/access-tokens</a>

<pre><code>GET /oauth/access_token? 
 grant_type=fb_exchange_token&amp; 
 client_id={app-id}&amp;
 client_secret={app-secret}&amp;
 fb_exchange_token={short-lived-token} 
</code></pre>

blocks|key|1270723|text|这是几年后的事了，但Facebook+Graph+API+Explorer现在在访问令牌旁边有一个小信息符号，允许您访问访问令牌工具应用程序，并将API令牌扩展几个月。在开发过程中可能会有所帮助。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1270724|​|1270725|📷|atomic|offset|length|1270726|1270727|entityMap|0|IMAGE|mutability|IMMUTABLE|imageUrl|https://ask.qcloudimg.com/http-save/yehe-900000/4cd46dc5eb3a8cc344807cf9c9d58b01.png|imageAlt^0|0|0|0|1|0|0|0^^$0|@$1|2|3|4|5|6|7|S|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|T|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|U|8|@]|9|@$G|V|H|W|1|X]]|A|$]]|$1|I|3|C|5|6|7|Y|8|@]|9|@]|A|$]]|$1|J|3|-4|5|6|7|Z|8|@]|9|@]|A|$]]]|K|$L|$5|M|N|O|A|$P|Q|R|-4]]]]

This is a fair few years later, but the Facebook Graph API Explorer now has a little info symbol next to the access token that allows you to access the access token tool app, and extend the API token for a couple of months. Might be helpful during development.

<a href="https://i.stack.imgur.com/AX259.png" rel="nofollow noreferrer"><img src="https://i.stack.imgur.com/AX259.png" alt="enter image description here"></a>

blocks|key|1270295|text|在与facebook图形api交互时，请检查以下内容。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1270296|1)应用程序连接URL应该是您的"+redirect_uri“连接URL的基础：-+www.x-minds.org/fb/+connect+/+redirect_uri+-+www.x-minds.org/fb/+connect+/redirect+2)在这两种情况下，您的"redirect_uri”应该是相同的(当您请求验证码和请求access_token时)redirect_uri-+www.x-minds.org/fb/connect/redirect+3)您应该在请求access_token时对参数进行编码4)不应该在请求access_token时传递参数(type=client_cred)。授权服务器将发出不带会话部分的令牌。我们不能在图形api中使用别名为"me“的令牌。此令牌的长度为(40)，但具有会话部分的令牌的长度为(81)。没有会话部分的访问令牌在某些情况下可以工作|1270297|例如：-https://graph.facebook.com/?access_token=116122545078207%7CEyWJJYqrdgQgV1bfueck320z7MM.但是带有"me“别名的Graph+API只能与带有会话部分的token一起工作。|offset|length|1270298|entityMap|0|LINK|mutability|MUTABLE|url|https://graph.facebook.com/^0|0|0|4|R|0|0^^$0|@$1|2|3|4|5|6|7|P|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Q|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|R|8|@]|9|@$F|S|G|T|1|U]]|A|$]]|$1|H|3|-4|5|6|7|V|8|@]|9|@]|A|$]]]|I|$J|$5|K|L|M|A|$N|O]]]]

check the following things when you interact with facebook graph api.

1) Application connect URL should be the base of your "redirect_uri"
connect URL:- www.x-minds.org/fb/connect/
redirect_uri - www.x-minds.org/fb/connect/redirect
2) Your "redirect_uri" should be same in the both case (when you request for a verification code and request for an access_token)
redirect_uri - www.x-minds.org/fb/connect/redirect
3) you should encode the the argument when you request for an access_token
4) shouldn't pass the argument (type=client_cred) when you request for an access_token. the authorization server will issue a token without session part. we can't use this token with "me" alias in graph api. This token will have length of (40) but a token with session part will have a length of(81).
An access token without session part will work with some cases

eg: -<a href="https://graph.facebook.com/" rel="nofollow noreferrer">https://graph.facebook.com/</a>?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.
But Graph API with "me" alias will work with only token with session part.

blocks|key|1270509|text|我不知道令牌到底什么时候过期，但它们确实过期了，否则就不会有离线权限的选项。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1270510|无论如何，有时要求用户提供脱机权限是一种过分的杀伤力。根据您的需要，只要网站在用户的浏览器中打开，令牌就保持有效就足够了。为此，可能有一个更简单的解决方案-使用iframe：facebook+auto+re-login+from+cookie+php定期重新登录用户|offset|length|1270511|对我来说很有效。|1270512|entityMap|0|LINK|mutability|MUTABLE|url|https://stackoverflow.com/questions/6119300/facebook-auto-re-login-from-cookie-php^0|0|2F|12|0|0|0^^$0|@$1|2|3|4|5|6|7|P|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Q|8|@]|9|@$D|R|E|S|1|T]]|A|$]]|$1|F|3|G|5|6|7|U|8|@]|9|@]|A|$]]|$1|H|3|-4|5|6|7|V|8|@]|9|@]|A|$]]]|I|$J|$5|K|L|M|A|$N|O]]]]

I don't know when exactly the tokens expire, but they do, otherwise there wouldn't be an option to give offline permissions.

Anyway, sometimes requiring the user to give offline permissions is an overkill. Depending on your needs, maybe it's enough that the token remains valid as long as the website is opened in the user's browser. For this there may be a simpler solution - relogging the user in periodically using an iframe: <a href="https://stackoverflow.com/questions/6119300/facebook-auto-re-login-from-cookie-php">facebook auto re-login from cookie php</a>

Worked for me...

I am playing around with the Oauth 2.0 authorization in Facebook and was wondering if the access tokens Facebook passes out ever expire. If so, is there a way to request a long-life access token?

Do Facebook Oauth 2.0 Access Tokens Expire?

我正在使用Facebook的Oauth 2.0授权，我想知道Facebook分发的访问令牌是否会过期。如果是这样的话，有没有办法请求长期访问令牌？

问Facebook Oauth 2.0访问令牌过期了吗？
EN

回答 10

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问Facebook Oauth 2.0访问令牌过期了吗？EN

回答 10

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问Facebook Oauth 2.0访问令牌过期了吗？
EN