How can I force a facebook access token to expire?

I'm doing some testing in the wake of offline_access's expiration. I think that since all interactions my app makes with Facebook are done via my servers and are user initiated by user activity at several application end points (phone apps, website, desktop application) I can use an Application Access Token to publish to the wall on behalf of my users, assuming the application is still authorized even if the access token I requested during authorization is expired. That seems to be what the documentation here is implying with
Authenticating as an App allows you to obtain an access token which allows you to make request to the Facebook API on behalf of an App rather than a User. [...] App access tokens can also be used to publish content to Facebook on behalf of a user who has granted a publishing permission to your application.
App Access Tokens generally do not expire. Once generated, they are valid indefinitely.
However, I need to test this. So I need to expire some tokens. I tried using official test users which you create in the developer site, that can only interact with your app's sandbox and other users in it, but their tokens seem to be perpetually valid for one hour.
So I tried using a real facebook user that I created for this, and changing the password which I'd read is supposed to expire the token. But it doesn't. The token still reports valid in the debugger and I can still use it for many things, including publishing to my wall. I can even continue to use this token after logging out of the facebook site completely.
What gives? How can I get an expired access_token so that I can test my Application Access Token?
Edit: I think it's going to work. I created my application access token and used the CLIENT-SIDE flow to get an user access token that only lasted 2 hours, so I could actually just wait for it to expire. After the expiration I used the Graph API explorer to try to post a status update, which failed telling me when my token had expired. I then tried the same action using my application token which succeeded.
Would the old token then behave as expired, deauthorized, or invalid? A new token would just act exactly the same, wouldn't it? It'd be good for 60 days and probably wouldn't expire when I changed password either?
– Sloloem
May 29 '12 at 22:27
@phwd apparently doing that makes the old token return as "Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons." The app token does work, but I don't know if it's because there's a valid user token or if it's the fact the user authorized the app at all.
– Sloloem
May 29 '12 at 23:08
8 Answers
This should work, check below.
Invalidating (aka logout) your token: make an HTTP GET call to this endpoint:
https://api.facebook.com/restserver.php?method=auth.expireSession&format=json&access_token=<access_token>
P.S. My answer is from 2012... Since then, the Facebook API has evolved with many major changes. It is more reliable to read the up-to-date Facebook developer docs.
Why suggest using REST API methods? It clearly says there
Please note: We are in the process of deprecating the REST API. We recommend using OAuth 2.0 moving forward. We will not be supporting this method in the Graph API.
– Nitzan Tomer
May 30 '12 at 5:50
Agreed! But only this interface works for that purpose so far. Please contribute if you know of any other alternatives.
– guleryuz
May 30 '12 at 5:56
Down-voting without providing an alternative solution is not a constructive approach though...
– guleryuz
May 30 '12 at 5:57
I have presented an alternative, it's in my answer to the question.
– Nitzan Tomer
May 30 '12 at 5:59
This method appears to no longer work. Hitting that URL I get the following response:
{"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"method","value":"auth.expireSession"},{"key":"format","value":"json"},{"key":"access_token","value":"<myaccesstoken>"}]}
– nc.
Jun 27 '13 at 12:19
But it says right there in the documentation, just after the last line you quoted:
App Access Tokens generally do not expire. Once generated, they are valid indefinitely. However, if you need to invalidate your App Access Token for some reason, you can reset your App Secret in your app's settings. Once your App Secret has been reset, you will need to go through the steps below to generate a new app access token.
So for your testing purposes reset the app secret key.
Edit
Oh, I completely misunderstood you.
It's easier to invalidate a user token: you just use the me/permissions connection with a DELETE request.
That will remove the app for the logged in user.
You can try that from the explorer tool, just select DELETE on the select box to the left of the path field.
Facebook's terminology makes it really difficult to be clear. What I have is an App access token that I get using the app ID and app secret, and according to documentation never expires. I also have a user access token I get on a per user basis by calling OAuth dialogs, which expires in 60 days. What I'm looking to do is expire that 2nd token so I can find out if I can use my application token to perform user actions after the OAuth access token has expired, so that I don't need to continually re-authorize users.
– Sloloem
May 29 '12 at 22:52
Oh. I edited my answer
– Nitzan Tomer
May 30 '12 at 5:49
I need to get as close to a "61 days later" state with an expired token, not a deauthorized app. Neither token would work in that situation, so it's not really useful for testing. I managed to do some testing using short lived OAuth tokens generated using the JavaScript SDK, since they only last 1-2 hours. I'm hoping they'll act the same as the 60 day long tokens using the server-side flow.
– Sloloem
May 30 '12 at 17:47
If you just want to simulate the case when your token times out, then just make a request with a dummy token instead of the right one, or just don't include a token in the request to begin with. You'll get an exception from Facebook, just a different one than token expired, but what's the difference in this case? You can program it to happen "randomly" so that you can get the "full experience".
– Nitzan Tomer
May 30 '12 at 17:56
@iluvatar_GR pointed out to me that Facebook changed their token expiration rules: "All access tokens need to be renewed every 90 days with the consent of the person using your app. "
– Nitzan Tomer
Apr 12 at 8:53
Like @guleryuz's response, but in a practical way:
Given a valid access_token ${token}:
$ curl -X GET "https://graph.facebook.com/v2.7/me/permissions?access_token=${token}"
{"data":[{"permission":"user_friends","status":"granted"},{"permission":"email","status":"granted"},{"permission":"manage_pages","status":"granted"},{"permission":"business_management","status":"granted"},{"permission":"pages_messaging","status":"granted"},{"permission":"pages_messaging_phone_number","status":"granted"},{"permission":"public_profile","status":"granted"}]}
Do revoke request:
$ curl -X DELETE "https://graph.facebook.com/v2.7/me/permissions?access_token=${token}"
{"success":true}
Verify revoke:
$ curl -X GET "https://graph.facebook.com/v2.7/me/permissions?access_token=${token}"
{"error":{"message":"Error validating access token: The session was invalidated explicitly using an API call.","type":"OAuthException","code":190,"error_subcode":466,"fbtrace_id":"E2UhrNzyyzZ"}}
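The DELETE /me/permissions revocation that Nitzan's answer describes and the curl session above performs, as an added Python example that is not part of any answer here: it revokes a user token, re-checks it, and classifies the Graph API reply so a test harness can tell "still valid" from "revoked" from "expired". Subcode 466 is taken from the response above; subcodes 460 (password changed) and 463 (expired) are from Facebook's published error list and are assumptions, not shown on this page; the canned replies are constructed from the curl output so the flow runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
GRAPH = "https://graph.facebook.com/v2.7"  # API version used in the curl session above
# Subcodes that accompany OAuthException code 190. 466 is the one shown on this
# page; 460 (password changed) and 463 (expired) come from Facebook's published
# error list and are assumed here, not taken from the page.
SUBCODE_STATE = {466: "revoked", 460: "password_changed", 463: "expired"}

def graph_call(method, path, token, opener=urllib.request.urlopen):
    """One Graph call; Graph sends errors as 4xx + JSON, so that body is returned, not raised."""
    url = f"{GRAPH}/{path}?{urllib.parse.urlencode({'access_token': token})}"
    try:
        with opener(urllib.request.Request(url, method=method)) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return json.loads(err.read())

def classify(body):
    """Map a /me/permissions response body to a token state string."""
    if "data" in body:
        return "valid"
    err = body.get("error", {})
    if err.get("code") != 190:  # anything other than a token problem
        return "other_error"
    return SUBCODE_STATE.get(err.get("error_subcode"), "invalid")

def revoke_and_verify(token, call=graph_call):
    """GET /me/permissions, DELETE it, then GET again to prove the token is dead."""
    before = classify(call("GET", "me/permissions", token))
    if before != "valid":
        return {"before": before, "deleted": False, "after": before}
    deleted = call("DELETE", "me/permissions", token).get("success") is True
    after = classify(call("GET", "me/permissions", token))
    return {"before": before, "deleted": deleted, "after": after}

# Constructed replies modelled on the curl session above (list shortened, message dropped).
CANNED_VALID = {"data": [{"permission": "public_profile", "status": "granted"}]}
CANNED_REVOKED = {"error": {"type": "OAuthException", "code": 190, "error_subcode": 466}}

def fake_call():
    """Stand-in for graph_call: the token stays valid until a DELETE is seen."""
    state = {"revoked": False}
    def call(method, path, token):
        if method == "DELETE":
            state["revoked"] = True
            return {"success": True}
        return CANNED_REVOKED if state["revoked"] else CANNED_VALID
    return call
```

`revoke_and_verify("<user token>")` with the default `call` hits the live API and permanently revokes that token, so run it against the short-lived test tokens discussed above rather than a production user's.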
The answers posted here are outdated. To force your token to expire: log in to your Facebook account, go to "Settings", then click "Apps" on the left-hand side.
Remove the app:
That will force the token to expire.
I don't doubt there's outdated information here, but you've just posted the graphical version of doing what Nitzan already suggested, which is revoke all the app's permissions. You used to be able to ask for "offline_access" User Access Tokens that never expired, but that was removed. Apps needing offline_access either had to find alternate means, or re-prompt their users every 60 days to refresh the token...which we couldn't do, so the alternate means was the App Access Token. I just needed a way to confirm that that token would still work after the other expired without waiting 61 days.
– Sloloem
Jan 20 '16 at 20:16
I don't know HTTP that well so I didn't understand Nitzan's solution and I wasn't sure what I'm doing on the developer link. I think this is a good alternative that's clearer to me. Being a visual kind of guy, I think this solution helps.
– OfLettersAndNumbers
Jan 20 '16 at 20:31
Fair enough. It's definitely easier most of the time to revoke permissions through the UI than the API if you're just doing it once. But I did want to comment for posterity and point out the similarity.
– Sloloem
Jan 20 '16 at 20:54
For viewing permissions:
https://graph.facebook.com/v2.7/{userID}/permissions?access_token={accessToken}
For deleting permissions, add "method=delete" before &access_token=:
https://graph.facebook.com/v2.7/{userID}/permissions?method=delete&access_token={accessToken}
You can try replicating the behavior by changing your Facebook password.
This is the answer at the start of 2018. The existing access token is invalidated but your app still remains authorized in Facebook. You can check the status of your token at... developers.facebook.com/tools/debug/accesstoken
– chichilatte
Jan 11 at 15:51
Another possible solution is to use a test account with a customized expiration time:
https://www.facebook.com/connect/login_success.html#access_token="access_token" &expires_in=1.minutes
Here, in place of "access_token", enter your access token without quotes, and the access token will expire in 1 minute.
Try removing the app in the user settings and reinstalling it. You should get a new token.
– phwd
May 29 '12 at 21:56