When adding Facebook integration to a web app, how do you handle OAuth token expiration and what user data should be saved?

StackOverflow https://stackoverflow.com/questions/4798992

  •  24-10-2019

Question

I'm planning out adding Facebook integration to a web app I'm working on. For the most part, it's proceeding smoothly, but I am confused on the proper way to handle the OAuth token.

The sequence of events presented by Facebook here is:

  1. Ask the user to authorize your application, which sends them to a Facebook window.
  2. This will return an Authorization Code generated by Facebook.
  3. You then hit https://graph.facebook.com/oauth/access_token with your Authorization Code, which will give you a time-limited OAuth token.
  4. Using the OAuth token, you can make requests to access the user's Facebook profile.

Facebook's documentation has the following to say about token expiration:

In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission.

When they say to re-run the steps above, what steps need to be re-run to get a new OAuth token? What data (Facebook UID, Authorization Code, OAuth token) does it make sense to save to my local database?

I would like to be able to have the user continue to interact with my site, and in response to certain user actions, I would like to be able to prompt to user if they want to post something to their Facebook wall.
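An added example (not code from the question or the answers) of the bookkeeping a web app needs for steps 3 and 4: it computes an absolute expiry from the `expires` value, keeps only the uid and the short-lived token server-side, and reports when steps 1-3 must be re-run. It assumes the step-3 response is a form-encoded `access_token=...&expires=<seconds>` body and that the exchange uses the standard OAuth 2.0 parameter names `client_id`, `client_secret`, `redirect_uri` and `code`.

```python
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"  # from the question
CLOCK_SKEW = 60  # treat a token that expires within a minute as already expired


@dataclass
class FacebookSession:
    uid: str           # the stable identifier worth keeping in your own database
    access_token: str  # short-lived; keep it server-side only, never in a cookie or JS
    expires_at: float  # unix time derived from the "expires" parameter


def token_request_url(app_id: str, app_secret: str, redirect_uri: str, code: str) -> str:
    """Build the step-3 URL that exchanges an authorization code for a token.
    Parameter names are the standard OAuth 2.0 ones (assumption, see lead-in).
    The code is single-use, so there is nothing to gain from storing it."""
    return TOKEN_ENDPOINT + "?" + urlencode({
        "client_id": app_id, "client_secret": app_secret,
        "redirect_uri": redirect_uri, "code": code,
    })


def parse_token_response(uid: str, body: str, now: float) -> FacebookSession:
    """Turn the form-encoded step-3 body (assumed format) into a session with an
    absolute expiry. Raises ValueError on a malformed body instead of guessing."""
    params = parse_qs(body, strict_parsing=True)
    try:
        token = params["access_token"][0]
        lifetime = int(params["expires"][0])
    except (KeyError, ValueError) as exc:
        raise ValueError("unexpected token response: %r" % body) from exc
    if lifetime <= 0:
        raise ValueError("non-positive token lifetime")
    return FacebookSession(uid=uid, access_token=token, expires_at=now + lifetime)


def usable_token(session: Optional[FacebookSession],
                 now: Optional[float] = None) -> Optional[str]:
    """Return the token if it is still good, else None: the caller must then re-run
    steps 1-3 (an already-authorized user is not prompted again)."""
    now = time.time() if now is None else now
    if session is None or session.expires_at - CLOCK_SKEW <= now:
        return None
    return session.access_token
```

The constructed values in the checks below stand in for a real uid and token; only the uid belongs in your long-term database, the session object lives as long as its expiry.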


Solution

The access token is time- and session-based; it is unnecessary data to store and has no use after the user has closed the session. The Facebook uid is the only thing you need to identify the user. Since the Facebook API is sometimes horribly slow, you could store the username as well.

But for identification, all you need is the uid.

OTHER TIPS

The documentation that Facebook provides has been updated since you asked this question: https://developers.facebook.com/docs/authentication/.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow