Earlier today, the Facebook login flow of our web application stopped working for some users. When we try to fetch the current profile, an error is returned. It claims that the access token we just generated by redirecting the user to the OAuth login flow has been rejected.
The reason given is:
The access token is invalid since the user hasn't engaged the app in longer than 90 days
To me, this makes no sense since we do not store the access token anywhere except for the current session and recreate it every time the user logs in with Facebook.
The stacktrace from Spring Social for the GET /me
call looks like this:
ERR c.s.f.v.resource.AuthenticationResource Exception when connecting with Facebook
org.springframework.social.RevokedAuthorizationException: The authorization has been revoked. Reason: The access token is invalid since the user hasn't engaged the app in longer than 90 days.
at org.springframework.social.facebook.api.impl.FacebookErrorHandler.handleFacebookError(FacebookErrorHandler.java:85)
at org.springframework.social.facebook.api.impl.FacebookErrorHandler.handleError(FacebookErrorHandler.java:59)
at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)
at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:775)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:728)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:702)
at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:350)
at org.springframework.social.facebook.api.impl.FacebookTemplate.fetchObject(FacebookTemplate.java:220)
at org.springframework.social.facebook.api.impl.FacebookTemplate.fetchObject(FacebookTemplate.java:215)
The issue is probably related to changes in the Facebook API, but I do not see how this affects the short lived access tokens we create on every login.
I ran into this issue when our integration tests logged in with a test user - the following JSON came back from the Graph API:
{
"error": {
"message": "The access token is invalid since the user hasn't engaged the app in longer than 90 days.",
"type": "OAuthException",
"code": 190,
"error_subcode": 493,
"fbtrace_id": "F/1z2AsTRx8"
},
"timestamp_microsecond": "2018-05-30 11:22:01.353949"
}
That was a bigger problem as our test users don't "engage" with the app as such. To fix this I had to:
- Log into the FB developer site
- Find the app in question
- Look under Roles -> Test Users to find the right user
- Click on the Edit button for the user and then click "Login as this test user"
- Once I'd logged in, go to Settings -> Apps & Websites
- Find the App in the "Expired" tab for apps the user had not interacted with for longer than 90 days
- Click the "View & Edit" button on the expired app
- Click "Renew Access" in the popup
Once I'd done all those steps my test user (and integration tests) worked again.
facebook responses:
Thanks for getting in touch. This is actually a known issue that we are already tracking in another bug report.
I'm going to merge your report with the existing one, so we can deal with the issue in one place. Please refer to this thread for updates: http://developers.facebook.com/bugs/194772814474841/
My temporal solution was to use JS SDK, it is working correctly in my case...
Update:
The issue seems to have just been fixed by Facebook.
I filed a bug with Facebook and they are currently (5/3/18) working on a resolution.
There are several workarounds suggested here and in the bug comments. To summarize:
- Add a new permission that you previously didn't ask for to force re-authorization
- Catch the error and re-authorize the user manually via
auth_type=reauthorize
- Switch to JS SDK and use client-side login
I'm going for solution #2 as it seems to be the most straight-forward way.
I have found this link in FB docs: Refreshing User Access Tokens
Which mentions that after 90 days users must re-establish their token, so in case of such error we should just redirect the user to register again.
They even mention that they remove tokens of non-active users in the top of this doc. Maybe they did a mistake and removed all users tokens. Anyhow the solution is to redirect users to resubscribe.
The bug persist according to discussion
According to a user's comment of mentioned discussion, we revoked permissions of every user of our app and it worked. For this we used next graph api endpoint. We had to persist the users' facebookIDs.
Regards
TEMPORARY SOLUTION For iOS you need to change SDKs code to support "reauthorize". In order to change source code you will need to download it using CocoaPods. Then copy the following functions over pods: https://github.com/mavris/FacebookFix
Add Permission Code in your App
Likes
Android : fbLoginButton.setReadPermissions(Arrays.asList(EMAIL));
IOS: loginButton.readPermissions = @[@"public_profile", @"email"];
来源:https://stackoverflow.com/questions/50124462/facebook-graph-api-rejects-newly-created-access-token