Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Support for new Facebook endpoint to extend access token lifetime #42

wants to merge 1 commit into from

3 participants


See pull request comments in spring-social

@JohnWPhillips JohnWPhillips Facebook implementation of OAuth2Operations API method extendAccess(.…
….) to request long-lived access token given a short-lived one

From everything I read as well as EXTENSIVE experimentation, the endpoint called here is intended for client-side use only. (Which brings its own questions, such as why would the client ever know the client secret?)

My understanding is that server-side apps will be granted a long-lived token (60-days?) initially. Any attempts to use the above endpoint on that token will not fail, but also will do nothing to lengthen the life of the token; my experimentation seems to confirm this. The only way to get a fresher token is to go through the authorization process again. This is essentially no different than before, except that before you had the option of asking for a non-expiring token and now you get a 60-day token initially.

But, I'll acknowledge that I may be missing something. If you have evidence that you can refresh a server-side token via that endpoint, I'd love to see your notes on it, because so far I've been unsuccessful at anything other than Facebook giving me back the same token with the same expiration. (Which is somewhat consistent with what their documentation states; although their documentation is also somewhat ambiguous.)


First you get short-lived token which expires after 1 hour, use this to get long-lived token which expires after 60 days. In Facebook graph API documentation, it says when you use long-lived token by accessing graph API it will be extended to 60 days again. So basically long-lived token will expire after 60 days of inactivity.

But my long-lived token is extended to unlimited after 1st use, don't know if its bug or not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on May 11, 2012
  1. @JohnWPhillips

    Facebook implementation of OAuth2Operations API method extendAccess(.…

    JohnWPhillips authored
    ….) to request long-lived access token given a short-lived one
This page is out of date. Refresh to see the latest.
17 ...ook/src/main/java/org/springframework/social/facebook/connect/
@@ -23,6 +23,7 @@
+import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;
@@ -39,6 +40,22 @@ public FacebookOAuth2Template(String clientId, String clientSecret) {
+ public AccessGrant extendAccess(String refreshToken, String scope, MultiValueMap<String, String> additionalParameters) {
+ MultiValueMap<String, String> params = new LinkedMultiValueMap<String, String>();
+ params.set("client_id", clientId);
+ params.set("client_secret", clientSecret);
+ params.set("fb_exchange_token", refreshToken);
+ if (scope != null) {
+ params.set("scope", scope);
+ }
+ params.set("grant_type", "fb_exchange_token");
+ if (additionalParameters != null) {
+ params.putAll(additionalParameters);
+ }
+ return postForAccessGrant(accessTokenUrl, params);
+ }
+ @Override
protected RestTemplate createRestTemplate() {
RestTemplate restTemplate = new RestTemplate(ClientHttpRequestFactorySelector.getRequestFactory());
FormHttpMessageConverter messageConverter = new FormHttpMessageConverter() {
Something went wrong with that request. Please try again.