4

I've been developing an app for the past few weeks and up until now there have been no issues. Just a couple days ago a strange bug has started occurring:

My application uses the PHP SDK and implements the Javascript SDK for user authorization. The user is allowed to roam the application freely, but when they click on a video, FB.login is called to request permissions from the user and get an access token.

jQuery Code

FB.login(function(response) {

    if (response.authResponse) {

        //Set global vars
        fb_uid = response.authResponse.userID;
        fb_token = response.authResponse.accessToken;

        //If user has already authorized the app
        if (response.status === 'connected') {

            //Create the user record
            $.ajax(site_url + '/facebook/create_fb_user', {
                type: 'POST',
                dataType: 'json',
                data: {fb_uid: fb_uid, token: fb_token},
                success: function (data) {
                    user = data.resp.fb_user;
                    viewVideo(item);
                }
            });
        };
    };
}, {scope: "publish_stream"});

PHP Code

try {

    $this->_fb->setAccessToken($this->request->post('token'));

    $data = $this->_fb->api("/me");

    $model = new Model_Fbuser;
    $model->data = array(
        'fb_uid' => $data['id'],
        'fb_token' => $extended_token
    );
    $resp = $model->update();

    return $this->render_json(array(
        'success' => TRUE,
        'resp' => $resp
    ));

} catch (Exception $e) {

    return $this->render_json(array(
        'success' => FALSE,
        'error' => $e->getMessage(),
        'token' => $this->request->post('token')
    ));

}

The first time the user does this, the FB.login call returns a valid access token, the PHP SDK is able to set the token, and everything works as expected.

However, should the user revoke the application's access in their App Settings, and then return to the application, they are presented with the FB.login once more, but this time, the call returns the same access token they were previously given, which has already had its access revoked. Trying to set the access token with the PHP SDK throws the exception: "Invalid OAuth access token."

Yet if I then check the token in the Facebook debugger, is says it is valid.

Edit: Further investigation reveals that the user is issues the same access token every time in the same session. If the user logs out, then logs back in, then they will receive a new valid token. But if they try to get a new token without logging out first, Facebook reissues them the same invalid one. When trying to use this access token to query information about the user, this is the response:

{"error":{"type":"OAuthException","message":"Error validating access token: The session was invalidated explicitly using an API call."}}
4

1 回答 1

1

如果你以这种方式得到“无效的 OAuth 访问令牌”错误,我通常会调用 FB.logout(),然后在回调中立即调用 FB.login()。

FB.logout(function(response) {
  // user is now logged out
  FB.login(...)
});

不理想,但解决此类用例的最佳方法。

于 2014-01-14T13:07:26.167 回答