[Openid-specs-ab] Facebook changes offline access

nov matake nov at matake.jp
Thu Jan 26 14:27:04 UTC 2012

My understanding is

In implicit flow
* default expiry is short (same with current spec)
* within several minutes of the token being established, its expiry can be extended using client authentication and the "fb_exchange_token" grant type.

In code flow
* default expiry is longer (60 days)
* same token can be returned if expiry doesn't change from the previous token

I assume they want to require client authentication even for developers using FB JS SDK (= implicit flow).

They say the following in the "Server-side OAuth Developers" section.

The user must access your application before you're able to get a valid "authorization code" to be able to make the server-side oAuth call again.
Apps will not be able to setup a background/cron job that tries to automatically extend the expiration time, because the "authorization code" is short-lived and will have expired.

On 2012/01/26, at 22:41, John Bradley wrote:

> https://developers.facebook.com/docs/offline-access-deprecation/
> It looks like they are creating a new endpoint for extending access tokens rather than using refresh tokens.
> My read of it is that developers will now get offline access without asking.  They just need to refresh the access token every 60 days.  
> The documentation is typical of Facebook so the actual operation may be different. 
> Using the 'code token' return type with a refresh token would have been OAuth 2.0 compliant.
> I expect the media will jump on the privacy issue.
> John
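The token-lifetime rules nov summarises above (short-lived implicit tokens, extension only shortly after issue and only with client authentication, 60-day code-flow tokens, the same token coming back when nothing would change) can be modelled as a small authorization server. The following is an added example written for this archive page; it is neither Facebook's code nor anything from the thread. The concrete lifetimes, the size of the exchange window, the `TokenService` class and its methods are assumptions chosen to illustrate the rules, and the parameter names in `exchange_request` are as recalled from the linked Facebook documentation, not taken from this page.

```python
"""Toy model of the token-lifetime rules described in the message above.

Constructed example. Lifetimes, the exchange window and all class and
function names are assumptions made for illustration:
  * implicit-flow tokens start short-lived,
  * they can be extended with client authentication via the
    "fb_exchange_token" grant only shortly after they were issued,
  * code-flow tokens start at 60 days,
  * an exchange that would not change the expiry returns the same token.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hmac
import secrets
from urllib.parse import urlencode

SHORT_LIFETIME = timedelta(hours=2)       # assumed implicit-flow default
LONG_LIFETIME = timedelta(days=60)        # code-flow default stated in the mail
EXCHANGE_WINDOW = timedelta(minutes=10)   # assumed "several minutes" window


@dataclass
class Token:
    value: str
    client_id: str
    issued_at: datetime
    expires_at: datetime
    flow: str  # "implicit" or "code"


class TokenService:
    """In-memory stand-in for the authorization server."""

    def __init__(self, clients: dict):
        # client_id -> client_secret (constructed registrations)
        self._clients = clients
        self._tokens = {}

    def _issue(self, client_id, now, lifetime, flow):
        tok = Token(secrets.token_urlsafe(16), client_id, now, now + lifetime, flow)
        self._tokens[tok.value] = tok
        return tok

    def issue_implicit(self, client_id, now):
        return self._issue(client_id, now, SHORT_LIFETIME, "implicit")

    def issue_code(self, client_id, now):
        return self._issue(client_id, now, LONG_LIFETIME, "code")

    def exchange(self, client_id, client_secret, token_value, now):
        """grant_type=fb_exchange_token: extend a token's expiry.

        Returns the (possibly unchanged) Token or raises ValueError with an
        OAuth-style error code."""
        expected = self._clients.get(client_id)
        # Client authentication is mandatory, even for JS-SDK (implicit) apps,
        # so a bearer token leaked from the browser cannot be extended alone.
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise ValueError("invalid_client")
        tok = self._tokens.get(token_value)
        if tok is None or tok.client_id != client_id or now >= tok.expires_at:
            raise ValueError("invalid_grant")
        # The window is measured from the original issue time, so repeated
        # exchanges cannot keep a token alive indefinitely.
        if now - tok.issued_at > EXCHANGE_WINDOW:
            raise ValueError("invalid_grant")
        new_expiry = now + LONG_LIFETIME
        if new_expiry <= tok.expires_at:
            return tok  # nothing to extend: the same token comes back
        extended = Token(secrets.token_urlsafe(16), client_id, tok.issued_at,
                         new_expiry, tok.flow)
        self._tokens[extended.value] = extended
        del self._tokens[token_value]  # old value stops working
        return extended


def exchange_outcome(service, client_id, client_secret, token_value, now):
    """Convenience wrapper: the OAuth error code, or "ok" on success."""
    try:
        service.exchange(client_id, client_secret, token_value, now)
        return "ok"
    except ValueError as err:
        return str(err)


def exchange_request(app_id, app_secret, short_token):
    """Client-side request for the exchange endpoint. Parameter names are
    as recalled from the linked Facebook doc (assumption). Because the app
    secret travels in the request, this call belongs on the server only."""
    return "https://graph.facebook.com/oauth/access_token?" + urlencode({
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_token,
    })
```

The point worth checking against the model is the one nov draws out: without the app secret the exchange fails with `invalid_client`, and after the window closes it fails with `invalid_grant`, so a token that leaks from the browser stays bounded by the short default lifetime.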
