Spring Social Facebook
  1. Spring Social Facebook
  2. SOCIALFB-66

Research the implications of offline_access deprecation

    Details

    • Type: Task Task
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.M1
    • Component/s: None
    • Labels:
      None

      Description

      See https://developers.facebook.com/docs/offline-access-deprecation/.

      Facebook is deprecating offline_access and is now offering a new way to renew expired access tokens. This new approach is not the same as using a refresh token per the OAuth 2 specification, but is similar. This task is a reminder task to look into what implications this deprecation have on Spring Social. At very least, this will have impact on the showcase example which asks for offline_access. It will very likely play into the solution for SOCIAL-263.

        Activity

        Hide
        Gerrit Hübbers added a comment -

        Removal of the offline_access permission is now scheduled for October 3rd, 2012. See https://developers.facebook.com/roadmap/

        Show
        Gerrit Hübbers added a comment - Removal of the offline_access permission is now scheduled for October 3rd, 2012. See https://developers.facebook.com/roadmap/
        Hide
        syed abudhaheer added a comment -

        How to handle refresh token automatically without repeat user authorization flow? you said that you have some prototypical work done for such a solution already. Can you please share that asap as facebook gonna remove offline access by Dec 5th 2012?

        Show
        syed abudhaheer added a comment - How to handle refresh token automatically without repeat user authorization flow? you said that you have some prototypical work done for such a solution already. Can you please share that asap as facebook gonna remove offline access by Dec 5th 2012?
        Hide
        Craig Walls added a comment -

        Yes, I have begun some work on this and it's looking promising, but that work was set aside for some other stuff. I recently have picked it back up and am hoping to have it in a snapshot build and then in a milestone release within the next couple of weeks. That said, I also am focused on some other work regarding tighter integration with Spring Security and that work has a slightly higher priority. Again, I'm shooting to have both of these ready in the next couple of works, but they're both non-trivial bits of work, so I may only get one of them done in time for a M1 release.

        With that said, handling of an expired Facebook token is not a new problem starting on December 5th. It's just a new twist on an existing problem: How do I renew a token (from any provider) when that token is no longer valid (for any reason, including expiration or revocation)? For example, today, prior to December 5th, how would you handle the case where the user revoked your token from Twitter? The general answer is that you must go through the authorization flow again. Facebook doesn't offer refresh tokens and the ONLY way to renew an expired token is to go through the authorization flow again-and that's the same solution to dealing with a revoked token. I'm not working on a refresh token solution for Facebook, because no such solution is possible-I am working on automatic handling of invalid tokens, regardless of the provider or reason that they're invalid.

        So, back to your question: Yes, I am shooting to get something out prior to December 5th, but I am not making any promises.

        Show
        Craig Walls added a comment - Yes, I have begun some work on this and it's looking promising, but that work was set aside for some other stuff. I recently have picked it back up and am hoping to have it in a snapshot build and then in a milestone release within the next couple of weeks. That said, I also am focused on some other work regarding tighter integration with Spring Security and that work has a slightly higher priority. Again, I'm shooting to have both of these ready in the next couple of works, but they're both non-trivial bits of work, so I may only get one of them done in time for a M1 release. With that said, handling of an expired Facebook token is not a new problem starting on December 5th. It's just a new twist on an existing problem: How do I renew a token (from any provider) when that token is no longer valid (for any reason, including expiration or revocation)? For example, today, prior to December 5th, how would you handle the case where the user revoked your token from Twitter? The general answer is that you must go through the authorization flow again. Facebook doesn't offer refresh tokens and the ONLY way to renew an expired token is to go through the authorization flow again- and that's the same solution to dealing with a revoked token. I'm not working on a refresh token solution for Facebook, because no such solution is possible -I am working on automatic handling of invalid tokens, regardless of the provider or reason that they're invalid. So, back to your question: Yes, I am shooting to get something out prior to December 5th, but I am not making any promises.
        Hide
        Craig Walls added a comment -

        Given that this task is one to research the implications of offline_access deprecation and that I believe that has been explored, I'm closing this task. SOCIAL-328 was created to address the issue directly.

        Show
        Craig Walls added a comment - Given that this task is one to research the implications of offline_access deprecation and that I believe that has been explored, I'm closing this task. SOCIAL-328 was created to address the issue directly.
        Hide
        Marcel Pater added a comment -

        i'm not sure if this is the right place but there is another issue with the accesstokens on facebook. I recently had the problem that I got an ExpiredAuthentication exception, but as i checked the accesstoken it stated valid. It seems that the expiry date is only set initially. Is there a solution for this issue?

        Show
        Marcel Pater added a comment - i'm not sure if this is the right place but there is another issue with the accesstokens on facebook. I recently had the problem that I got an ExpiredAuthentication exception, but as i checked the accesstoken it stated valid. It seems that the expiry date is only set initially. Is there a solution for this issue?

          People

          • Assignee:
            Craig Walls
            Reporter:
            Craig Walls
          • Votes:
            7 Vote for this issue
            Watchers:
            11 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: