Announcement Announcement Module
No announcement yet.
Keeping Up With Facebook API Changes Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Keeping Up With Facebook API Changes

    I looked through the documentation, but didn't see any information on how Spring Social will keep up with changing APIs. How quickly will Spring respond to changes, i.e. new spring-social release? How will changes in spring-social APIs be communicated? What about backwards-compatibility?

    I really like spring-social so far and want to use it. My team does 3-4 releases per year. Inevitably, Facebook and Spring will change and an inopportune time. My goal is minimize impact to product and customers. It might be easier to integrate with Facebook directly but why duplicate what's in spring-social?

    Thanks in advance for any info.


  • #2
    It's my intent to keep up with those changes and implement them in Spring Social Facebook as quickly as I can. Of course, I have other priorities as well, so I can't promise a next-day turnaround on Facebook API changes.

    Fortunately, with the exception of some big-ticket items, Facebook is really good about notifying their developer community in advance of any changes that they know are coming up. They have a 90-day advance notice policy on any breaking changes, so that gives me plenty of time to react...I just have to keep up with their announcements (which I try to do weekly).

    In general, if there is a breaking change to the Facebook API, I try to react to that as quickly as is reasonable...within a day or two of learning about it. If there's some new feature in the Facbeook API, I make sure to slate it for the next release. And, as always, if there's something new that's of super-importance to you, you're always welcome to open an issue in Jira to ask for it to be done sooner...I can't promise that I'll be able to do it, but if you ask I'll certainly consider it.


    • #3
      facebook offline access removal api change

      Hi, is the facebook offline access removal change going to be tackled in springsocial? Is it already?



      • #4
        hi iam kusuma .i am new to this forum
        here is so usefull information .


        • #5
          Sorry for the late reply...I somehow missed your question regarding offline access removal. Here's what I have in mind for that...

          Facebook's removal of offline access is in many ways a good thing and in many others an unfortunate thing. In the past, offline access was a workaround for the short 2-hour expiration imposed on Facebook access tokens (although that's not what it was really intended for). Unfortunately, Facebook doesn't implement refresh tokens per the OAuth 2 specification and therefore, with offline access going away, we are now faced with the problem of how to keep a token alive for long-term use.

          Facebook addressed this (partially) by offering a new long-term 60-day token instead of a 2-hour token. That helps a about 1,438 hours. But when that 60-day token expires you'll still need to get a new token. Facebook's documentation on the subject is a bit confusing, but I believe I've sorted it out to say the following:

          - If you obtain a client-side token, it's good for only a few hours, but can then be exchanged for a 60-day token.
          - If you obtain a token via the server-side API (which is what Spring Social does), then that token is good for 60 days without needed to exchange a short-term token first.
          - Only short-term tokens can be exchanged for long-term 60-day tokens.
          - Therefore, server-side tokens are good for 60 days and the only way to get a fresh token after the 60 days is to go through the authorization process again (which is also how you'd get a fresh token before if you didn't ask for offline access).

          My own testing seems to confirm this understanding.

          So, although Spring Social does have support for refreshing tokens per the OAuth 2 specification, it does not have anything in place to deal with Facebook's non-spec approach to refreshing expired tokens--aside from supporting the authorization flow which would give you a new token. However, I do have some work in progress that will automate that to some degree. Essentially, I'm working on some stuff right now that will detect an invalid token (expired or otherwise) and automatically take the user back through the authorization flow for Facebook to get a fresh token. It's just a prototype right now, but it looks very promising. I'm working to get it out of prototype mode and into Spring Social for v1.1.0.


          • #6

            Thanks for all the knowledge, it really is priceless!

            My question is have you made any updates on this issue?

            I have a 60 day token in use for my customers website, but I know it will expire soon (breaking their feed).
            Can I automate a "refresh" without going through Facebook's OAuth2 Dance?

            Also, there a way to get a user's public Facebook page's (not profile) timeline WITHOUT the OAuth2 Dance?

            As I understand it , you MUST get a token first. Is that correct?

            Thanks in advance.


            • #7
              There's some work in the latest snapshot builds with regard to ReconnectFilter that takes care of expired tokens. I'm hoping to release it in a 1.1.0.M3 release soon, but I'm still tidying it up. You're certainly welcome to look at what's there and try it out (in fact, that'd be awesome if you could try it and give me feedback).

              There's no way to refresh a Facebook token without going through the OAuth dance. If Facebook were to implement refresh tokens per the OAuth 2 spec, then you could exchange a refresh token for a new access token. But Facebook doesn't work that way, so you must go through the dance.

              And no...there's no way to get a page's timeline without a token. For example, if you request, then you'll get back an HTTP 400 response with the following error in the body:

                 "error": {
                    "message": "An access token is required to request this resource.",
                    "type": "OAuthException",
                    "code": 104
              I'm not sure why that is, though. A page's feed is essentially public through the website, so why isn't it public through the API? I don't know.