Facebook Graph API rejects newly created access token
Earlier today, the Facebook login flow of our web application stopped working for some users. When we try to fetch the current profile, an error is returned. It claims that the access token we just generated by redirecting the user to the OAuth login flow has been rejected.

The reason given is:

The access token is invalid since the user hasn't engaged the app in longer than 90 days

To me, this makes no sense since we do not store the access token anywhere except for the current session and recreate it every time the user logs in with Facebook.

The stacktrace from Spring Social for the GET /me call looks like this:

ERR c.s.f.v.resource.AuthenticationResource Exception when connecting with Facebook
org.springframework.social.RevokedAuthorizationException: The authorization has been revoked. Reason: The access token is invalid since the user hasn't engaged the app in longer than 90 days.
        at org.springframework.social.facebook.api.impl.FacebookErrorHandler.handleFacebookError(FacebookErrorHandler.java:85)
        at org.springframework.social.facebook.api.impl.FacebookErrorHandler.handleError(FacebookErrorHandler.java:59)
        at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)
        at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:775)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:728)
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:702)
        at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:350)
        at org.springframework.social.facebook.api.impl.FacebookTemplate.fetchObject(FacebookTemplate.java:220)
        at org.springframework.social.facebook.api.impl.FacebookTemplate.fetchObject(FacebookTemplate.java:215)

The issue is probably related to changes in the Facebook API, but I do not see how this affects the short-lived access tokens we create on every login.

Juliusjullundur answered 1/5, 2018 at 22:1 Comment(15)
I get the same response for one of my web apps. I'm using Hybridauth to manage logins. – Intumescence
Confirmed, same here. – Roughhouse
I notice this is also happening for another web app, for which I used the Facebook SDK code as communicated by Facebook, just a week ago. – Intumescence
We have the same problem... no changes from our side... – Checkered
Any update on it? – Buckler
Getting the same message since last night (1/5/18). – Fulcrum
There has been a similar issue for mobile devices described here: developers.facebook.com/bugs/992564290891053. It could be a bug in FB. I'll raise an issue there. – Juliusjullundur
Filed a bug with FB: developers.facebook.com/bugs/194772814474841 – Juliusjullundur
I am having the same issue using hello.js when I call /me (github.com/MrSwitch/hello.js), so it's not a SpringSocial bug. – Broglie
Does anyone know if a new user ID will be issued for the user? Currently we are using the app unique user ID to identify registered users against our database. – Anesthetize
I have the same problem with passport.js. – Jonjona
I'm using react-native-fbsdk and having the same issue. Anyone know of a viable workaround for react-native? – Kidd
Oh man. This issue is back for me. – Intumescence
@Intumescence take a look: github.com/mavris/FacebookFix – Bibber
Thanks @BlackM. That said, I'm using hybridauth. – Intumescence
Update:

The issue seems to have just been fixed by Facebook.

I filed a bug with Facebook and they are currently (5/3/18) working on a resolution.

There are several workarounds suggested here and in the bug comments. To summarize:

  1. Add a new permission that you previously didn't ask for to force re-authorization
  2. Catch the error and re-authorize the user manually via auth_type=reauthorize
  3. Switch to JS SDK and use client-side login

I'm going for solution #2 as it seems to be the most straightforward way.

Juliusjullundur answered 3/5, 2018 at 8:20 Comment(3)
I have rolled out solution #2 to our production system and it works in our case. – Juliusjullundur
We've changed the URL for the login to https://www.facebook.com/v2.10/dialog/oauth?auth_type=reauthorize&client_id=xxx&state=yyy&response_type=code&sdk=php-sdk-5.6.2&redirect_uri=xxx&scope=email%2Cuser_gender, but that didn't change anything. Do you think we have to catch the error and then redirect the user again to this URL? – Clad
@MikeReiche luckily you don't have to do anything anymore. – Anodic
I ran into this issue when our integration tests logged in with a test user - the following JSON came back from the Graph API:

{
    "error": {
        "message": "The access token is invalid since the user hasn't engaged the app in longer than 90 days.",
        "type": "OAuthException",
        "code": 190,
        "error_subcode": 493,
        "fbtrace_id": "F/1z2AsTRx8"
    },
    "timestamp_microsecond": "2018-05-30 11:22:01.353949"
}

That was a bigger problem as our test users don't "engage" with the app as such. To fix this I had to:

  • Log into the FB developer site
  • Find the app in question
  • Look under Roles -> Test Users to find the right user
  • Click on the Edit button for the user and then click "Login as this test user"
  • Once I'd logged in, go to Settings -> Apps & Websites
  • Find the App in the "Expired" tab for apps the user had not interacted with for longer than 90 days
  • Click the "View & Edit" button on the expired app
  • Click "Renew Access" in the popup

Once I'd done all those steps my test user (and integration tests) worked again.

Railroader answered 30/5, 2018 at 11:38 Comment(1)
Thank you! Same situation, different fix. I just deleted the test user and recreated it, since the specific user didn't matter to me. Why this will actually generate the access token but immediately fail is strange! – Defrock
Facebook's response:

Thanks for getting in touch. This is actually a known issue that we are already tracking in another bug report.

I'm going to merge your report with the existing one, so we can deal with the issue in one place. Please refer to this thread for updates: http://developers.facebook.com/bugs/194772814474841/

My temporary solution was to use the JS SDK; it is working correctly in my case...

Checkered answered 2/5, 2018 at 21:53 Comment(1)
This is the bug report I filed, as noted in a comment to my question. There are a couple of workarounds suggested in the bug comments but none of them works for me. Switching to the JS SDK is not an option for me. Hopefully we'll get an update from FB today. – Juliusjullundur
I have found this link in the FB docs: Refreshing User Access Tokens

It mentions that after 90 days users must re-establish their token, so in case of such an error we should just redirect the user to register again.

They even mention at the top of this doc that they remove tokens of non-active users. Maybe they made a mistake and removed all users' tokens (FB Announcement). Anyhow, the solution is to redirect users to resubscribe.

Fulcrum answered 2/5, 2018 at 7:41 Comment(4)
I found that too. The problem is that the user just went through the login flow in my case. We are always refreshing the user token and not storing it anywhere, as I wrote in the question. – Juliusjullundur
It's not YOUR token, it's the USER token. They are expiring their tokens every 90 days, so in such a case they are forcing us to redirect users to resubscribe to our app. – Fulcrum
I'm with @Thomas: I do not store anything in relation to the login process, then initiate the login process. So anything that could be expired was just presented to me by Facebook when trying to log in using Facebook. – Intumescence
I am using Laravel Socialite and running into the same problem. I do not store tokens anywhere and frankly I do not know how to make the code send the user back to "resubscribe". My understanding is that Facebook does this, and it seems Facebook themselves should be prompting my users to re-approve the app if they see that the token is invalid for this reason. – Ayres
The bug persists according to the discussion.

According to a user's comment in the mentioned discussion, we revoked the permissions of every user of our app and it worked. For this we used the following Graph API endpoint. We had to persist the users' Facebook IDs.

Regards

Moquette answered 3/5, 2018 at 14:41 Comment(1)
In my case, I also needed to revoke every user's permissions, even though I didn't store any access tokens! Any attempt to re-request the permission also failed. I don't understand why FB can't handle re-asking the user automatically and gracefully! I notice it may be related to the use of the "user_friends" permission, which now requires additional App Review. – Heredity
TEMPORARY SOLUTION: For iOS you need to change the SDK's code to support "reauthorize". In order to change the source code you will need to download it using CocoaPods. Then copy the following functions over the pods: https://github.com/mavris/FacebookFix

Bibber answered 15/5, 2018 at 12:37 Comment(0)
Add permission code in your app, like:

Android: fbLoginButton.setReadPermissions(Arrays.asList(EMAIL));

iOS: loginButton.readPermissions = @[@"public_profile", @"email"];

Intersex answered 2/5, 2018 at 7:18 Comment(6)
My app is a web application and not a mobile application, and I'm requesting the email and user_birthday permissions. – Juliusjullundur
Do you already have the problem when requesting permissions? In my case I solved the problem after adding the permission. – Intersex
I'm also using a web app. And I'm also already explicitly asking for particular permissions. – Intumescence
As far as I know, the Facebook SDK default permissions are public_profile and email. If you are not requesting the default permissions, I recommend that you include them. – Intersex
Before I solved the problem in my app, I didn't request any explicit permission. But this morning this problem suddenly occurred. So I found the Facebook login GitHub sample code. I found the part that differed between my code and the sample code, which is requesting permissions. Finally I solved the problem in my app. So I think the Facebook SDK supported default permissions before, but today it changed. – Intersex
@KiyoungLee I just gave this a try and added the default public_profile permission just to make sure, but it did not have any effect. – Juliusjullundur