Sensible solutions to the removal of the offline_access permission

不知归路 2021-02-06 11:49

Am coming back to building a FB app after some time away from the FB Platform and I see that the old offline_access permission has been removed and replaced with long(ish)-expir

3 answers
  • 2021-02-06 11:51

    You've got the right two options, but I will point out a third option and a little-known fact that may or may not be relevant for your specific scenario of "needs to push data to Facebook".

    First, another option available assuming you either have mobile web or canvas implemented for your app is app to user requests or notifications. The user will get a little notification counter indicator next to your app name in the list of bookmarks. If they respond to the request or the bookmark/notification counter gets them to hit your app, you can trigger your server-side token renewal/extension process. This process is transparent to the user -- assuming they still have your app installed they see nothing.

    Secondly, what a lot of people use offline_access for today is simply posting to the user's stream. If that is all you need and you don't need to do a bunch of FQL queries or hit other actions on the graph API, then you don't actually need offline_access or a current user token if you get the publish_stream permission. With publish_stream you can post while the user is offline by using your app access token.

  • 2021-02-06 12:01

    Here comes a 3rd option as a suggestion.

    For each authenticated user, you have access_token and expires_in (assume that you have stored them in your db already).

    1) Write a scheduled task, that checks existing tokens with their expires_in value when you find any token close to expiration time,

    2) you can renew this token from the server side by HTTP GET call (sample code below)

    // Assumes Play 1.x (play.libs.WS, play.Logger); LocoUtils is the poster's own helper class.
    String requestUrl = "https://graph.facebook.com" + "/oauth/access_token"
            + "?" + "client_id=" + facebook_appId
            + "&" + "client_secret=" + facebook_appSecret
            + "&" + "grant_type=fb_exchange_token"
            + "&" + "fb_exchange_token=" + currentToken;

    WS.WSRequest req = WS.url(requestUrl);
    // Log only the endpoint: the full URL carries the app secret and the user's token.
    Logger.info("renew token, endpoint : %s", "https://graph.facebook.com/oauth/access_token");
    req.timeout = 20;
    WS.HttpResponse resp = req.get();

    // Response body looks like: access_token=....&expires=5181096
    Map<String, String> respMap = LocoUtils.decodeUrl(resp.getString());
    String token = respMap.containsKey("access_token") ? respMap.get("access_token") : "";

    facebookToken.access_token = token;
    facebookToken.expires_in = respMap.containsKey("expires") ? LocoUtils.stringToLong(respMap.get("expires")) : 0L;
    
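The scheduled check from step 1 of the answer above, as an added Python example (not the poster's code). It selects tokens close to expiry, parses the `access_token=...&expires=...` body shown in the answer, and keeps the old token when renewal is refused instead of overwriting it with an empty one. Assumptions: the seven-day window, the record field names, the `fetch` callable that wraps the HTTP GET, and the choice not to send already expired tokens.

```python
from urllib.parse import parse_qs, urlencode

GRAPH_TOKEN_URL = "https://graph.facebook.com/oauth/access_token"  # endpoint from the answer
RENEW_WINDOW = 7 * 24 * 3600  # assumption: renew when less than 7 days remain


def build_exchange_url(app_id, app_secret, current_token):
    """URL-encode the four parameters the answer's request sends."""
    return GRAPH_TOKEN_URL + "?" + urlencode({
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "fb_exchange_token",
        "fb_exchange_token": current_token,
    })


def parse_exchange_response(body, now):
    """Parse 'access_token=...&expires=5181096'; return (token, expires_at) or None."""
    fields = parse_qs(body)
    token = fields.get("access_token", [""])[0]
    expires = fields.get("expires", [""])[0]
    if not token or not expires.isdigit():
        return None  # error payload or unexpected format: caller keeps the old token
    return token, now + int(expires)  # store an absolute expiry, not a relative one


def renew_due_tokens(records, now, fetch):
    """records: dicts with user_id, access_token, expires_at (epoch seconds).
    fetch(current_token) -> response body; it wraps the HTTP GET and the app secret.
    Returns the user_ids that need an interactive re-login."""
    needs_login = []
    for rec in records:
        remaining = rec["expires_at"] - now
        if remaining > RENEW_WINDOW:
            continue  # still fresh, nothing to do
        # Assumption: a token that has already expired is not sent for exchange.
        parsed = parse_exchange_response(fetch(rec["access_token"]), now) if remaining > 0 else None
        if parsed is None:
            needs_login.append(rec["user_id"])  # expired or refused: no server-side renewal
        else:
            rec["access_token"], rec["expires_at"] = parsed
    return needs_login


if __name__ == "__main__":
    now = 1_000_000  # constructed sample data, not real tokens
    rows = [{"user_id": "u1", "access_token": "OLD", "expires_at": now + 3600}]
    print(renew_due_tokens(rows, now, lambda t: "access_token=NEW&expires=5181096"), rows)
```

Users returned by `renew_due_tokens` are the ones to reach through the request/notification route described in the first answer, since their tokens can only be refreshed when they next open the app.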
  • 2021-02-06 12:09

    For the specific "need to push data" scenario, Facebook announced new Page object connections that allow you to create posts with a specific publication time. With these, in theory, you can get rid of the problem by authenticating the users when creating these and letting Facebook post them instead of scheduled jobs on your side.
