Thread: Expired authorization

  1. #1

    Expired authorization

    I am using the social example with mysql but after a few weeks (a month?) I found this exception when checking the Facebook profile on the example

    org.springframework.social.ExpiredAuthorizationException

    When I disconnected and reconnected it was fine.

    Is there a way to request access that doesn't expire?
    Otherwise the user has to disconnect and reconnect. Seems cumbersome.

    I only checked this on Facebook. Is Twitter the same? Do they have a default expiration
    by default?

  2. #2

    That's the nature of OAuth 2 providers; the OAuth 2 specification allows for tokens to expire and most providers (including Facebook) implement that part of the specification. (Twitter is an OAuth 1.0a provider, so it doesn't expire tokens.)

    Per the specification, clients can renew expired tokens by issuing a refresh token in exchange for a new access token. And *most* providers implement that part of the specification, too. Facebook, however, does not. It's an incredibly long and frustrating story, but to sum it up Facebook tokens expire after about 60 days after which the only way to get a new token is to walk the user through the authorization flow again. (There's also a way to exchange a short-lived token for a long-lived token, but that only applies to client-side code, not server-side code. There also used to be a way to ask for non-expiring tokens from Facebook, but that has since been deprecated.)

    Currently Spring Social doesn't deal with expired tokens in a Facebook-specific way. The best thing you can do is catch that exception, clear out the connection, then send the user back through ConnectController to get a new connection. But I'm currently working on a solution to this to automate the handling of expired FB tokens (as well as a few other problems); see https://jira.springsource.org/browse/SOCIALFB-87. I've got a rough prototype written already and it's showing some real promise, but I'm not finished yet. Watch that issue to know when it is complete.
    Craig Walls
    Spring Social Project Lead
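
The workaround described in reply #2 (catch the exception, clear the connection, send the user back through ConnectController), as an added example that is not part of the original thread and not Spring Social's own code. The controller name, the `/facebook` path, the view name, and ConnectController being mapped at its default `/connect` are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.social.ExpiredAuthorizationException;
import org.springframework.social.connect.Connection;
import org.springframework.social.connect.ConnectionRepository;
import org.springframework.social.facebook.api.Facebook;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class FacebookProfileController { // hypothetical controller name

    private static final String PROVIDER_ID = "facebook";

    private final ConnectionRepository connectionRepository;

    @Autowired
    public FacebookProfileController(ConnectionRepository connectionRepository) {
        this.connectionRepository = connectionRepository;
    }

    @RequestMapping(value = "/facebook", method = RequestMethod.GET) // assumed path
    public String profile(Model model) {
        Connection<Facebook> connection =
                connectionRepository.findPrimaryConnection(Facebook.class);
        if (connection == null) {
            // No stored connection yet: send the user to ConnectController.
            return "redirect:/connect/" + PROVIDER_ID;
        }
        // Profile lookup: the kind of call that fails with
        // ExpiredAuthorizationException once the stored token has expired.
        model.addAttribute("profile",
                connection.getApi().userOperations().getUserProfile());
        return "facebook/profile"; // assumed view name
    }

    @ExceptionHandler(ExpiredAuthorizationException.class)
    public String handleExpiredAuthorization() {
        // Delete the stale connection so the dead token is neither kept
        // in the connection store nor retried on the next request.
        connectionRepository.removeConnections(PROVIDER_ID);
        // ConnectController's page for this provider, where the user
        // starts the authorization flow again.
        return "redirect:/connect/" + PROVIDER_ID;
    }
}
```

An `@ExceptionHandler` declared inside a controller only covers that controller's own request methods, so other controllers that call the Facebook API need the same handling.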
