I’ve been searching a lot but didnt find a concrete solution for this. My FB app’s user gets FB access token, then manually logs out of FB and the token is still valid. Why? Is this a bug? How do i determine if user has logged off FB?
No matter what back-end i use, i can manually log out from FB and put url like https://graph.facebook.com/me?access_token=OLd_ACCESS_TOKEN and I’ll get all info about the user.
Look here: scenario #4. The token must be invalid!
What i need is to determine which FB user is currently performing an operation on my FB canvas site. The FB api offers a single entry point for custom canvas application where user’s data can be obtained: the app’s canvas url (you parse signed_request string). Looks like from that point i should create cookie or whatever to remember user’s credentials (id, token) and use it for future operations. This is not so good as user can re-logon with another FB account in a different browser tab and continue working with my app under old account.
Well, if i want to know the current user then i need to check its access token for validity beforer every back-end operation. I redirect user to auth page (if not yet) and store his data in the cookie. Every next operation i extract user info from that cookie and use stored access token. But now, when token is valid even user has logged out from FB i can’t see ways to maintenance it all 🙁
Please help!
Thanks.
UPDATE!
Just found out that i can get different access tokens for the same user:
1) token extracted from signed_request parameter of my canvas Url is working well and becomes invalid once user logs off
2) token the CODE was exchanged to while server-side auth flow (redirect to https://www.facebook.com/dialog/oauth?…, catch CODE at specified redirect_uri, exchange CODE on token using https://graph.facebook.com/oauth/access_token?…) – well, this token remains alive for long.
Looks i need to work with the first case. Anyway, it all is not clear enough for me.
UPDATE2
Well, yes. The documentation says to use signed_request token otherwise, if it’s set not authenticated, run auth flow and get token by other way. The last way produces tokens which stayu alive if user logs off the application.