I’m tweaking a site that has been using FB authentication and access tokens for awhile to deal with the deprecation of offline_access, and, in particular, doing the fb_exchange_token thing to get extended-duration tokens for the site’s users. It seems to be working, but I’ve got some questions. My basic approach is:

• I get the user logged in through the usual server-side back-and-forth procedure, finally giving me a valid access token for the user. This works fine, and appears to be valid for 5300 seconds or so, like the standard/original tokens.

• I then immediately do the fb_exchange_token call; this succeeds and gives me a new access_token that’s good for a couple of months. This is the token that my site saves away for future use when it does things on behalf of the user.

This makes sense, right? It seems a little redundant to make one call right after another, but it’s getting me the extended-lifespan token, which is what I want. I suppose I could use the original token for as long as it lasts and not bother with the exchange until the original token expires, but (a) it seems like I might as well get and use the extended one from the start and (b) it’s not clear to me that an expired token can be exchanged for a extended-duration token.

So: Does anyone see any problems with this approach? Thanks!