croak 'expires is not returned' #5

Closed
brunnock opened this Issue May 10, 2014 · 8 comments

Projects

None yet

2 participants

@brunnock

I had to comment out this line in get_user_token_by_code (#207).

It seems Facebook is returning a valid token without an expiration for me.

@oklahomer
Owner

Thanks for adding an issue, @brunnock. I apologize for your inconvenience and I'll definitely look into this.

I thought expires was always given along with user access token, but I might be missing some spec. change.

Just to be sure could you give me some more details including following items?

  • Version of API/Dialog you are using
    • If you are not specifying one on Facebook::OpenGraph->new(), the version is "unversioned" and I must know if your Facebook app is registered prior to 2014-04-30 or not
  • How you obtained the code parameter
    • via the callback URI of Login Dialog
    • from cookie value via $fb->get_user_token_by_cookie
    • or signed_request parameter POSTed to your page for Facebook Page app

Thanks

@brunnock

Unversioned. The app was registered before 4-30, but was just approved last night (2014-5-9).

The code param is returned via URI.

@oklahomer
Owner

Thanks, @brunnock. As I understand Facebook Platform's versioning system, as long as you use unversioned API/Dialog with app registered before 2014-04-30, your app's version is default to v1.0.

For apps that existed before April 30th 2014, making an API call without specifying a version number ('unversioned') is equivalent to making a call to the v1.0 of the API.

For apps created on or after April 30th 2014, making an API call without a specifing a version number is equivalent to making a call to v2.0 of the API.

I looked up v1.0 document for /oauth/access_token endpoint and it states as follows:

The response you will receive from this endpoint, if successful, is

access_token={access-token}&expires={seconds-til-expiration}

If it is not successful, you'll receive an explanatory error message.

So if it works following this spec, expires must be returned.
Actually it makes no sense to me that they are returning time-limited access token, but no expiration time, right? If they are not returning expires parameter, I think this is Platform's issue and you might want to report a bug or ask developer group for similar situation.

I hope it helps you and let me know when you have any progress.

@oklahomer oklahomer added the invalid label May 11, 2014
@oklahomer
Owner

Quick question, @brunnock. Is your app requesting some permissions for Facebook Page management or Ads management, such as manage_pages?
I kinda found a clue for this.

@brunnock

Yes. It does request manage_pages.

@oklahomer
Owner

Thanks, I got the picture. I'll be working on this.

@oklahomer oklahomer added bug and removed invalid labels May 15, 2014
@oklahomer oklahomer self-assigned this May 15, 2014
@oklahomer oklahomer closed this in b068952 May 18, 2014
@oklahomer
Owner

I confirmed the edge cases that user access tokens become ones w/ no expiration time. They describe it is not an intended behaviour, but it occurs because of the side effect of how they link page access token to its owner's access token. https://developers.facebook.com/bugs/597779113651383/

Now, as of version 1.22, this module does not check the existence of expires parameter.

@brunnock

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment