Titanium JIRA Archive
Titanium SDK/CLI (TIMOB)

[TIMOB-8339] Android: Facebook offline_access deprecation

GitHub Issuen/a
TypeNew Feature
PriorityHigh
StatusClosed
ResolutionHold
Resolution Date2012-07-19T14:41:42.000+0000
Affected Version/sRelease 2.0.0, Release 1.8.2, Release 1.8.3
Fix Version/sSprint 2012-15 API
ComponentsAndroid
Labelsapi
ReporterMauro Parra-Miranda
AssigneePing Wang
Created2012-03-27T15:48:23.000+0000
Updated2017-03-21T21:13:13.000+0000

Description

Problem Description

Mail from FB with updates on the Android SDK, deprecating offline mode: "We recently made some important updates to the Facebook SDK for Android, and strongly encourage you to update to version 1.2.1 of the SDK in your app (VIN Viper). Specifically, this update includes: A bugfix for a null pointer exception when using the SDK with older versions of the Facebook for Android App Full support for the offline_access deprecation Reduced debug logging by the SDK to make apps more secure by default for users who may have malware installed on their devices You can download the latest SDK here: https://github.com/facebook/facebook-android-sdk/. Offline access will no longer be available as of May 1, 2012, and you can make sure your Android app is prepared by following our guide here: https://developers.facebook.com/roadmap/offline-access-removal/"

HD Discussion

http://support-admin.appcelerator.com/display/15810

Comments

  1. Ping Wang 2012-07-06

    PR https://github.com/appcelerator/titanium_mobile/pull/2517
  2. Blain Hamon 2012-07-19

    The story so far: Facebook changed its API and we updated to the new API. This is already in master and 2.1.1. Facebook does have a beta of their next API, but since this is a beta, it's not for consideration yet. Ping and I have looked over the SDK exposed by Facebook that isn't beta 3, and we found the following new APIs that are not yet exposed: {quote} Two new events: Titanium.Facebook.addEventListener('tokenextended', updateLoginStatus); Titanium.Facebook.addEventListener('tokenexpired', updateLoginStatus); Tokenextended fires when the session has been extended. Tokenexpired fires when the session has been expired either by the token being too old, the user changing their password, or the user removing the app from their Facebook. One new property: Titanium.Facebook.shouldExtendAccessToken This is a boolean, mapping directly to Facebook's API, which will return true if the access token has not been extended in the last 24 hours. One new function: Titanium.Facebook.extendAccessToken(force) Force is an optional boolean, default false. If force is false, extendAccessToken will only act if shouldExtendAccessToken is true. If force is true, it will try to extend the access token anyways. There was one feature for Facebook's iOS API that is missing in Facebook's Android API (known as frictionless requests) and as such, that was not exposed for reason of there being no way of offering parity. {quote} This was the intended spec. However, in testing this out (Yes, both Ping and I have implemented these already, but wanted to polish it up and test it out) with FB's servers, we've discovered a few things: Facebook's API, by default on native apps, sets the session duration to 90 days. We can try to spoof this to be a shorter time for testing purposes, but given the data on FB's own server, this would not be a fully accurate test. Furthermore, the Facebook API automatically calls extendAccessToken internally whenever it logs in or makes a data request. In rereviewing the documentation at https://developers.facebook.com/roadmap/offline-access-removal/, this behavior is documented as expected behavior for legacy and new iOS and Android apps. I do not have the data on customer demand for extending access tokens above and beyond what we're given already. As such, this new API may prove to offer very little actual utility and may prove difficult to conclusively test. I'd like some guidance on this, or rather, what is required of us for the Facebook API beyond what is currently implemented and various bug fixes. Given that Facebook has not updated the API code for several months, it is likely that there will be nothing new on the native API until Facebook's 3.0 API leaves beta.
  3. Blain Hamon 2012-07-19

    Shak, could you contact the customer about if they need this functionality above and beyond what we already provide?
  4. Blain Hamon 2012-07-19

    Waiting for customer feedback
  5. Sergej Kotliar 2012-08-01

    I am one of the customers that has been asking for this. (Strange that neither helpdesk nor email convo notified me in any way that this was being put on hold) What we need and that hasn't been working until now is some way to do the following: Check if the user's facebook token stopped being valid for some reason. If yes - obtain a new access token and store it. That's it. It seems Titanium.Facebook.extendAccessToken would do just that?
  6. Sergej Kotliar 2012-08-01

    If you want a way to test if your fix works you can simply change the password of the Facebook user, which invalidates all access tokens.
  7. Sergej Kotliar 2012-08-01

    By the way, the PR by Ping Wang seems to be Android-specific, can you confirm that you have also implemented this for iOS? And preferably provide some sort of documentation or example code of how to use it.
  8. Ping Wang 2012-08-01

    Hi Sergej Kotliar, the Facebook update for iOS has also been implemented. The PR is https://github.com/appcelerator/titanium_mobile/pull/2530/
  9. Blain Hamon 2012-08-06

    It turns out that the Facebook API for extending an access token works ONLY when a token is still valid. That is, once the token's invalid, the ONLY way to renew it is to have the user log back in and restore permissions. This is by design, as the Facebook user may remove an application's permissions, and allowing the application to reestablish connections without the user's consent would be a violation of security and privacy. The reason we don't automatically try to log in on failure is because it is possible that the end developer intends to fail silently on failure, and interrupting their code flow with unexpected UI would be bad design.
  10. Sergej Kotliar 2012-08-07

    Alright, but that being so, there must be a way of checking from within an app something along the following: if(user was ever logged in){ if(access_token_is_valid && access_token_needs_extending){ extend_access_token(); } else { show_login_screen(); } } Currently AFAIK there is no way to perform this operation from within the app.
  11. Blain Hamon 2012-08-09

        var fb=require('facebook')
        if(!fb.loggedIn){
          fb.dialog(...);
        }
        
    In the updated Facebook SDK that we're using, logging in or accessing anything from FB automatically tries to extend the token up to 90 days, making any API for it moot.
  12. Sergej Kotliar 2012-08-13

    Alright, but what if I don't want to access anything on FB but only extend the access token, which is then used in other places? And what is the story with these functions that you mentioned earlier? Titanium.Facebook.shouldExtendAccessToken Titanium.Facebook.extendAccessToken(force) Are they available? They seem to be using the old, non CommonJS approach, unlike the one you seem to be using above (that I haven't really seen anywhere). Can we get some documentation?
  13. Blain Hamon 2012-09-04

    [Require](http://docs.appcelerator.com/titanium/2.1/index.html#!/api/Global-method-require) can be used to get Titanium modules. Titanium.Facebook.loggedIn is the same as require('facebook').loggedIn. In an effort to make things more modular and align closer with commonJS modules, the latter is suggested. The story of shouldExtendAccessToken and extendAccessToken was that it actually was implemented internally, and when it came to test, Ping and I realized that it was actually quite impossible to verify. Expiring by revoking privileges is simple enough, but would not test extensions (as they were already expired, and thus, could not be extended). The only way to test shouldExtendAccessToken and extendAccessToken would be to not use the phone for 2-3 months, per test. We don't have any ties to Facebook, so we couldn't just have them tweak the token expiration time for us to test. It wasn't an easy decision to make, especially since it meant throwing away my own work, but I couldn't in clear conscience introduce untested and untestable API that at best does nothing 99% of the time.
  14. Sergej Kotliar 2012-09-19

  15. Lee Morris 2017-03-21

    Closing ticket due to the time that has passed since this was filed.

JSON Source