
Access user profile from cron

I am building an app that imports friends data into a local database and it's working fine.

I am trying to create a script that is run by a daily cron that will iterate through the user profiles in the local database and updates the friend data.

I am using the PHP SDK.

I have enabled the deprecate_offline_access flag.

Does this mean the access token will automatically expire in 60 days or do I need to do anything else?

If a user signs out of the app or Facebook in the same browser, can I still retrieve the profile data from the cron script?

Am I correct in thinking that all I need to do is retrieve the access token with:

$access_token = $facebook->getAccessToken();

then store it in a database and then set the access token with:

$facebook->setAccessToken($new_access_token);

and then retrieve the profile with

$facebook->getUser('/me');

?

Also how can I view the expiration date of the access token?

Below is a script to iterate through and retrieve profiles, but if I run it in the browser it only works for the currently signed-in user, or I get the exception "OAuthException: Error validating access token: The session is invalid because the user logged out."

<?php
require_once(THEME_INCLUDES_PATH . 'facebook.php');

$config = array();
$config['appId'] = APP_ID;
$config['secret'] = APP_SECRET;
$config['fileUpload'] = false; // optional

$facebook = new Facebook($config);

$sql = "SELECT `access_token` FROM `fb_user`";
$result = $db1->db_query($sql);

while($details = $db1->db_fetch_array($result)){

    if($details['access_token']){

        $facebook->setAccessToken($details['access_token']);
        $fb_user = $facebook->getUser('/me');

        if($fb_user){

            try {
                $fb_profile = $facebook->api('/me');        
                print_r( $fb_profile);
            }

            catch (FacebookApiException $e){
                echo $e;
                $fb_user = false;
            }
        }
    }
}
?>

You have no way of doing what you want now that the offline_access got deprecated.

The idea is that your app only has access to the user data when the user actually interacts with your application. The access token is valid for about 60 days (depending on how you get it), but it can get invalidated due to all kinds of reasons (such as user removes your app, changes password, and many more).

When that happens, or the expiration date arrives, there's nothing that you can do in order to get a new token, unless of course the user reengages your app and then you can get a new token or extend the one you have.

You'll have to make all of the data updating when the user actually interacts with your app and not later on.

In the official post about the deprecation of the offline_access it says:

The user must access your application before you're able to get a valid "authorization code" to be able to make the server-side OAuth call again. Apps will not be able to setup a background/cron job that tries to automatically extend the expiration time, because the "authorization code" is short-lived and will have expired.


Edit

The official post: Removal of offline_access Permission describes a new endpoint to extend valid access tokens, in one of two cases: If the app got the token from a client-side flow or with a signed request:

Using the new endpoint below, you will be able to extend the expiration time of an existing, valid access_token. If the access_token was originally generated from a client-side OAuth call or through a signed_request, the endpoint will actually return a new access_token.

It also states that:

If the access_token is generated from a server-side OAuth call, the resulting access_token will have the longer expiration time.

So my advice is simply to use the server-side flow to generate the access token.

As for a list of token invalidating events, they don't have a complete list, but you can find info about it in the same page:

Handling expired tokens, user password changes, uninstalled apps, and user logout

Regardless if your app requested the offline_access permission, apps should gracefully handle expired access tokens in situations where a user changes their password, deauthorizes an app, or logs out. More information on these cases including a simple code solution that leads to a uniform user experience can be found in this blog post.

And you can check this doc: Handling Invalid and Expired Access Tokens.
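
As an added example (not code from the question, the answer, or Facebook), here is one way a cron pass can handle expired or invalidated tokens gracefully: skip tokens whose stored expiry has passed, and on an OAuthException with code 190 stop using the token and flag the user for re-authentication on their next visit. The `cronPass` function, the `$fetchMe` callable, the `expires_at` column and all sample data are assumptions for illustration; the subcode meanings come from Facebook's Graph API error documentation, not from this page.

```php
<?php
// Added example. All rows, tokens and responses below are constructed sample data.

// error_subcode values for OAuthException code 190, per Facebook's
// documentation on invalid and expired access tokens.
const REAUTH_REASONS = [
    458 => 'user removed the app',
    460 => 'user changed password',
    463 => 'token expired',
    467 => 'token invalid',
];

/**
 * One cron pass. $fetchMe is a hypothetical callable that takes a token and
 * returns the decoded Graph API response for /me as an array.
 * Returns [user_id => action]; tokens never appear in the result or in logs.
 */
function cronPass(array $rows, callable $fetchMe, int $now): array
{
    $actions = [];
    foreach ($rows as $row) {
        $id = $row['user_id'];
        if ($row['expires_at'] <= $now) {           // known-expired: skip the call
            $actions[$id] = 'reauth: token expired (stored expiry)';
            continue;
        }
        $resp = $fetchMe($row['access_token']);
        $err  = $resp['error'] ?? null;
        if ($err === null) {
            $actions[$id] = 'updated';
        } elseif (($err['code'] ?? null) === 190) { // token is dead: stop using it
            $sub = $err['error_subcode'] ?? 0;
            $actions[$id] = 'reauth: ' . (REAUTH_REASONS[$sub] ?? 'token rejected');
        } else {
            $actions[$id] = 'retry later';          // not a token problem
        }
    }
    return $actions;
}

// Constructed data: stored rows and canned Graph responses keyed by token.
$now  = 1700000000;
$rows = [
    ['user_id' => 1, 'access_token' => 'TOKEN_A', 'expires_at' => $now + 86400],
    ['user_id' => 2, 'access_token' => 'TOKEN_B', 'expires_at' => $now + 86400],
    ['user_id' => 3, 'access_token' => 'TOKEN_C', 'expires_at' => $now - 60],
];
$canned = [
    'TOKEN_A' => ['id' => '1', 'name' => 'Sample User'],
    'TOKEN_B' => ['error' => ['type' => 'OAuthException', 'code' => 190, 'error_subcode' => 467]],
];
print_r(cronPass($rows, function ($t) use ($canned) { return $canned[$t]; }, $now));
```

Rows marked "reauth" should have their stored token deleted rather than retried, since only the user returning to the app can produce a new one.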
