WPBook & WPBook Lite Updates for Deprecated Offline Access
Facebook’s developer roadmap is always changing. The latest change that impacts WPBook and WPBook Lite is the removal of the “offline_access” permission, coming in July:
The offline_access permission is deprecated and will be removed July 5, 2012. Until then, you can turn this change on or off using the “Remove offline_access permission” migration. On May 2, 2012, we will automatically turn the migration to “enabled” for all apps. If this breaks your app, you can turn the migration back to “disabled” until July 5, 2012 when it will be permanently “enabled” for all apps.
If that wasn’t confusing enough, check out the “Removal of offline access permission” page, which explains that:
While we are removing the use of the offline_access permission, through a migration setting in the Developer App, we are now allowing the option to use access_tokens with a long-lived expiration time that can be renewed each time the user revists your app (see exceptions below). For existing apps that are not using the offline_access permission, there are no changes required for your app, but you should consider using the new endpoint that allows the longer expiration time.
To translate a bit and summarize:
- On May 2nd, 2012, Facebook changed the setting for all existing apps so that the “remove offline_access” permission was enabled – but allowed users to change it back to disabled if this broke their applications
- As of July 5th 2012, the offline_access permission will disappear forever for everyone
- At some other point (I don’t know when) Facebook changed the migration’s name from “remove offline_access” to “deprecate offline_access” and linked the setting to these “long-lived” tokens
Ultimately, as I read the docs, this means you have to make a choice: you can either keep “deprecate offline_access” disabled, and use offline_access tokens, OR you can set “deprecate offline_access” enabled, and use “long-lived” tokens.
Long Lived tokens live for two months (60 days) and then the user has to re-authorize the application to get a new long-lived token.
I’ve updated WPBook (2.5.2) and WPBook Lite (1.4) to work with long-lived tokens. The apps will no longer ask for offline_access, and will check for token validity, flagging in the admin when a token is invalid.
If you already have a Facebook application set up and working with either WPBook or WPBook lite, you don’t need to do anything. Your tokens, which were granted under the old “offline access” regime, will keep working, for now. Per Facebook:
After the offline_access removal date, currently set for 7/5/2012 (see roadmap for exact date), all existing offline_access access_tokens will have their expiration time truncated to 60 days. This truncation will be transparent to the user and your app will continue functioning normally; Facebook will send an updated message through the weekly developer round-up when this truncation will occur.
If you don’t yet have a Facebook application, and are setting up a new one, you should start with “deprecate offline_access” enabled, and WPBook / WPBook Lite will be fine, but you will need to re-authenticate every 60 days.
Ultimately everyone will end up having to re-authenticate every 60 days.
These implementations are just the first pass to ensure that WPBook and WPBook Lite keep working. Next step will be to actually store the expiration returned with the token and be able to inform the user before the token becomes invalid, not just let them know after the fact.