[Openid-specs-ab] Facebook changes offline access
nov at matake.jp
Thu Jan 26 14:27:04 UTC 2012
My understanding is
In implicit flow
* default expiry is short (same with current spec)
* within several minutes of the token being established, its expiry can be extended using client authentication and the "fb_exchange_token" grant type.
In code flow
* default expiry is longer (60 days)
* same token can be returned if expiry doesn't change from the previous token
I assume they want to require client authentication even for developers using FB JS SDK (= implicit flow).
They are saying as below in "Server-side OAuth Developers" section.
The user must access your application before you're able to get a valid "authorization code" to be able to make the server-side oAuth call again.
Apps will not be able to set up a background/cron job that tries to automatically extend the expiration time, because the "authorization code" is short-lived and will have expired.
On 2012/01/26, at 22:41, John Bradley wrote:
> It looks like they are creating a new endpoint for extending access tokens rather than using refresh tokens.
> My read of it is that developers will now get offline access without asking. They just need to refresh the access token every 60 days.
> The documentation is typical of Facebook so the actual operation may be different.
> Using the 'code token' return type with a refresh token would have been OAuth 2.0 compliant.
> I expect the media will jump on the privacy issue.
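The token-lifetime rules summarised in the message above (short implicit-flow tokens, a 60-day code-flow token, extension only with client authentication inside a short window, and the same token returned when its expiry would not change), as an added toy model that is not part of this thread and not Facebook's code. The exchange window, the short default lifetime and the revocation of the old token on exchange are assumptions of the model.

```python
import secrets
from dataclasses import dataclass

SHORT_LIVED = 2 * 60 * 60        # assumption: short default expiry for implicit-flow tokens
LONG_LIVED = 60 * 24 * 60 * 60   # 60 days, as described for the code flow
EXCHANGE_WINDOW = 5 * 60         # assumption: the "several minutes" exchange window


@dataclass
class Token:
    value: str
    client_id: str
    issued_at: float
    expires_at: float


class TokenServer:
    """Toy authorization server offering an fb_exchange_token-style grant."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> client_secret (constructed registry)
        self.tokens = {}         # token value -> Token

    def issue(self, client_id, flow, now):
        # Code flow gets the long default lifetime, implicit flow the short one.
        lifetime = LONG_LIVED if flow == "code" else SHORT_LIVED
        tok = Token(secrets.token_urlsafe(16), client_id, now, now + lifetime)
        self.tokens[tok.value] = tok
        return tok

    def exchange(self, client_id, client_secret, old_value, now):
        # Client authentication is mandatory: a JS-SDK client holding only the
        # bearer token cannot extend it without the client secret.
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("client authentication failed")
        old = self.tokens.get(old_value)
        if old is None or old.client_id != client_id:
            raise PermissionError("unknown token or wrong client")
        # Exchange is only possible shortly after issuance and before expiry,
        # so a background job cannot keep extending a stale token.
        if now > old.expires_at or now - old.issued_at > EXCHANGE_WINDOW:
            raise PermissionError("token not eligible for exchange")
        # Same token is returned when the expiry would not change.
        if old.expires_at == now + LONG_LIVED:
            return old
        del self.tokens[old_value]           # assumption: old token revoked
        return self.issue(client_id, "code", now)
```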