Please tell me if I'm understanding correctly. (because I might not be.)
You can't simply do a server side exchange because that bypasses the user's control of the authorization.
Like others have said, you should use the javascript sdk to facilitate updating the access token. By default, it uses an iframe and falls back on a popup to handle communicating with Facebook. This should work well with your backbone.js application.
I like to define a javascript function that takes success and denied callbacks to execute after checking the facebook auth status:
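// Runs `success` if the user is already connected to the app; otherwise
// prompts a login and runs `success` or `denied` depending on the outcome.
// `scope` is the options object handed to FB.login, e.g. { scope: 'email' }.
function checkFBAuth(success, denied, scope) {
    FB.getLoginStatus(function (response) {
        if (response.status === 'connected') {
            success(response);
        } else {
            // Not connected (or the session has expired): ask the user to log in.
            FB.login(function (response) {
                if (response.status === 'connected') {
                    success(response);
                } else {
                    denied(response);
                }
            }, scope);
        }
    });
}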
This will go ahead and run FB.login if the user's session has expired. In your success callback, you could also pass response.authResponse.signedRequest as signed_request in your AJAX POST data. This will allow most FB SDKs (for example, the PHP SDK) to recognize and validate the signed request and set the user id and access token. You could also pass the whole response.authResponse data with your POST. That has the accessToken, userID, and expiresIn time.
See https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/ for the docs on the Facebook Developers site.
Also, if you enable the offline access deprecation migration, you can exchange the access token to extend the expiration date to 60 days instead of the default 2 hours. See https://developers.facebook.com/docs/offline-access-deprecation/