Facebook oauth2 API refresh tokens

既然无缘 2021-01-23 20:19

I am building an application that does not have a client interface.

At the setup step: The user logs into the server through a browser once using OAuth, and the server

1 answer
  • 2021-01-23 20:50

    I think your scenario can be covered through Facebook's mechanism. But you need to support a re-login if some error occurs while using the long-lived access token. This can happen due to security measures taken by Facebook (e.g. a data breach or cryptographic breach), or when the user revokes tokens or changes their password, or when tokens are not used for a long time.

    Steps to follow (according to their docs):

    1. Obtain a User access token

      These are short-lived.

      Short-lived tokens usually have a lifetime of about an hour or two

    2. Exchanging Short-Lived Tokens for Long-Lived Tokens

      These have a life span of around 60 days, even when they are not used.

      long-lived token generally lasts about 60 days.

    Basically, once you obtain a long-lived token, you can use it from the server application. During this process, you require a client that uses a browser only to obtain the short-lived access token.

    But as previously mentioned, these tokens can expire,

    These tokens are refreshed once per day, when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.

    So you will need to obtain new ones by going through the above two steps.

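The two steps from the answer, together with its re-login requirement, sketched as an added example that is not part of the original answer and is not Facebook's own code. The `fb_exchange_token` grant and error code 190 belong to Facebook's Graph API; the function names, placeholder values and sample responses are constructed for illustration.

```python
import json
import time
from urllib.parse import urlencode

# Graph API token endpoint; pin an API version in the path for production use.
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"
REAUTH_ERROR_CODE = 190  # Graph API code for an expired, revoked or invalid token

# Constructed sample responses (not captured from Facebook).
SAMPLE_EXCHANGE = '{"access_token": "LONG_LIVED_PLACEHOLDER", "token_type": "bearer", "expires_in": 5184000}'
SAMPLE_REVOKED = '{"error": {"message": "Error validating access token", "type": "OAuthException", "code": 190}}'
SAMPLE_OK = '{"id": "0", "name": "Example User"}'


def build_exchange_url(app_id, app_secret, short_lived_token):
    """URL for step 2: swap a short-lived user token for a long-lived one.
    Request it only from the server, because it carries the app secret."""
    return TOKEN_URL + "?" + urlencode({
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_lived_token,
    })


def parse_exchange_response(body, now=None):
    """Return (token, absolute expiry in epoch seconds, or None if not given)."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(data["error"].get("message", "token exchange failed"))
    now = time.time() if now is None else now
    expires_in = data.get("expires_in")
    return data["access_token"], (now + expires_in if expires_in else None)


def needs_relogin(api_body, expires_at, now=None):
    """True when the stored token is unusable and the user has to repeat the
    browser login: local expiry has passed, or Graph answered with code 190."""
    now = time.time() if now is None else now
    if expires_at is not None and now >= expires_at:
        return True
    error = json.loads(api_body).get("error")
    return bool(error) and error.get("code") == REAUTH_ERROR_CODE
```

Store the long-lived token and its expiry encrypted at rest and keep both the token and the exchange URL out of logs, since the URL contains the app secret.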