Fix your tokens now! Also: Plans for offline_access in future versions

Coordinator
Aug 26, 2012 at 6:41 AM

First: Please rebuild your saved/cached access tokens using Alpha 0.6.4 http://facebookpsmodule.codeplex.com/releases/view/93212) “New-FBConnection –ExtendToken”. Don’t delay, since offline_access removal (https://developers.facebook.com/roadmap/offline-access-removal/) seems to be kicking in a little earlier than expected.

As far as I can tell, user access tokens will always expire after 60 days maximum, but page access tokens will never expire. I won’t really know until 60 days from now (at the earliest). One difficulty with the token-extension mechanism is that it requires the AppSecret, which is information I am uncomfortable caching about applications created by the caller. Working with access tokens already requires caution, but losing an AppSecret could compromise the integrity of a caller’s entire app (although it looks like the AppSecret can be reset from http://developers.facebook.com).

I am considering what offline_access removal implies for FacebookPSModule. The overall model currently assumes that tokens can be saved/cached indefinitely, but after Offline Access Removal kicks in, this will no longer be the case for user access tokens. The following are some ideas I am considering:

  1. Make New-FBConnection -ExtendAccess the default option (which will require providing the AppSecret for non-default AppIds).
  2. Always keep track of whether a connection refers to a page token or a user token (possibly keep the page ID and other information as well).
  3. Only “cache” page access tokens; the user must explicitly save and load user access tokens with Write-FBConnection and Read-FBConnection. (I would like to hear from the customer base whether they use FacebookPSModule primarily for user operations or, as I anticipated, primarily for page operations.)
  4. Create a function to replace the token in a token file with an extended token. This can be scheduled to run periodically to prevent token expiration for one or many saved tokens. This is already possible using Get-FBExtendedAccessToken but a helper function would be convenient. This will require providing the AppSecret for non-default AppIds.
  5. When the current connection is read from a file, extend the token in the file by default if it is older than 2 weeks. (TBD how we get the AppSecret for non-default apps.)

Please follow up on this thread with your thoughts or preferences. Remember, this is for you!

Thanks,

Jon