How to handle Facebook connection expired

[kiteflo]

Hi guys,

we're facing the issue of having an expired Facebook token for a user in our DB, so we thought about doing sth. like this:

// refresh FB connection in case of expired access token...
if (facebookConnection.hasExpired())
{
facebookConnection.refresh();
}

But this results in the exception attached below, so our simple question: how can we somehow extend the token???

Cheers, FLorian;

SCHWERWIEGEND: Servlet.service() for servlet [dispatcher] in context with path [/helios] threw exception [Request processing failed; nested exception is org.springframework.web.client.HttpClientErrorExce ption: 400 Bad Request] with root cause
org.springframework.web.client.HttpClientErrorExce ption: 400 Bad Request
at org.springframework.web.client.DefaultResponseErro rHandler.handleError(DefaultResponseErrorHandler.j ava:76)
at org.springframework.web.client.RestTemplate.handle ResponseError(RestTemplate.java:486)
at org.springframework.web.client.RestTemplate.doExec ute(RestTemplate.java:443)
at org.springframework.web.client.RestTemplate.execut e(RestTemplate.java:401)
at org.springframework.web.client.RestTemplate.postFo rObject(RestTemplate.java:279)
at org.springframework.social.facebook.connect.Facebo okOAuth2Template.postForAccessGrant(FacebookOAuth2 Template.java:57)
at org.springframework.social.oauth2.OAuth2Template.r efreshAccess(OAuth2Template.java:119)
at org.springframework.social.connect.support.OAuth2C onnection.refresh(OAuth2Connection.java:101)
at com.helios.web.controller.CommonController.profile (CommonController.java:176)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Native MethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.web.method.support.InvocableHa ndlerMethod.invoke(InvocableHandlerMethod.java:212 )
at org.springframework.web.method.support.InvocableHa ndlerMethod.invokeForRequest(InvocableHandlerMetho d.java:126)
at org.springframework.web.method.annotation.ModelFac tory.invokeModelAttributeMethods(ModelFactory.java :123)
at org.springframework.web.method.annotation.ModelFac tory.initModel(ModelFactory.java:97)
at org.springframework.web.servlet.mvc.method.annotat ion.RequestMappingHandlerAdapter.invokeHandlerMeth od(RequestMappingHandlerAdapter.java:614)
at org.springframework.web.servlet.mvc.method.annotat ion.RequestMappingHandlerAdapter.handleInternal(Re questMappingHandlerAdapter.java:578)
at org.springframework.web.servlet.mvc.method.Abstrac tHandlerMethodAdapter.handle(AbstractHandlerMethod Adapter.java:80)
at org.springframework.web.servlet.DispatcherServlet. doDispatch(DispatcherServlet.java:900)
at org.springframework.web.servlet.DispatcherServlet. doService(DispatcherServlet.java:827)
at org.springframework.web.servlet.FrameworkServlet.p rocessRequest(FrameworkServlet.java:882)
at org.springframework.web.servlet.FrameworkServlet.d oGet(FrameworkServlet.java:778)
at javax.servlet.http.HttpServlet.service(HttpServlet .java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet .java:722)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationFilterChain.java:210)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 311)
at org.springframework.security.web.access.intercept. FilterSecurityInterceptor.invoke(FilterSecurityInt erceptor.java:116)
at org.springframework.security.web.access.intercept. FilterSecurityInterceptor.doFilter(FilterSecurityI nterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 323)
at org.springframework.security.web.access.ExceptionT ranslationFilter.doFilter(ExceptionTranslationFilt er.java:113)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 323)
at org.springframework.security.web.session.SessionMa nagementFilter.doFilter(SessionManagementFilter.ja va:101)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 323)
at org.springframework.security.web.authentication.An onymousAuthenticationFilter.doFilter(AnonymousAuth enticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 323)
at org.springframework.security.web.authentication.re memberme.RememberMeAuthenticationFilter.doFilter(R ememberMeAuthenticationFilter.java:146)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 323)
at org.springframework.security.web.servletapi.Securi tyContextHolderAwareRequestFilter.doFilter(Securit yContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 323)
at org.springframework.security.web.savedrequest.Requ estCacheAwareFilter.doFilter(RequestCacheAwareFilt er.java:45)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 323)
at org.springframework.security.web.authentication.Ab stractAuthenticationProcessingFilter.doFilter(Abst ractAuthenticationProcessingFilter.java:182)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 323)
at org.springframework.security.web.authentication.lo gout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 323)
at org.springframework.security.web.context.SecurityC ontextPersistenceFilter.doFilter(SecurityContextPe rsistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 323)
at org.springframework.security.web.FilterChainProxy. doFilter(FilterChainProxy.java:173)
at org.springframework.web.filter.DelegatingFilterPro xy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterPro xy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationFilterChain.java:210)
at org.springframework.web.filter.CharacterEncodingFi lter.doFilterInternal(CharacterEncodingFilter.java :88)
at org.springframework.web.filter.OncePerRequestFilte r.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invo ke(StandardWrapperValve.java:225)
at org.apache.catalina.core.StandardContextValve.invo ke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBas e.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke( StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke (ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(A ccessLogValve.java:927)
at org.apache.catalina.core.StandardEngineValve.invok e(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.servic e(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.p rocess(AbstractHttp11Processor.java:1001)
at org.apache.coyote.AbstractProtocol$AbstractConnect ionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProce ssor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor$Worker.run Task(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:680)

[michaellavelle]

Hi

I don't believe the refresh() call is supported by the current Facebook spring social implementation due to a limitation with the way Facebook issues tokens.

I thought I'd reply with details of a thread on the forum which address the issue you raise:

http://forum.springsource.org/showth...-authorization

From this thread:

"Per the specification, clients can renew expired tokens by issuing a refresh token in exchange for a new access token. And *most* providers implement that part of the specification, too. Facebook, however, does not. "

This thread discusses possible solutions to this, and I believe there is a JIRA for a potential solution targeted for a 1.1 version of Spring Social:

https://jira.springsource.org/browse/SOCIAL-328

Hope this helps,

Michael

[habuma]

As Michael said, Facebook's a different animal and doesn't support refresh tokens (even though they do expire their tokens). The *only* way to get a new access token with Facebook is to go through the authorization flow again. Doing so won't bother the user with an authorization page, though, as long as the authorization is still valid (tokens expire, but authorization are long-lived). If the authorization is still good and as long as you don't ask for any additional scope, Facebook will immediately redirect back without prompting the user with an authorization page.

SOCIAL-328 is still a work in progress, but it's coming along very nicely. It'll likely be in an upcoming milestone release of Spring Social 1.1.0 (either milestone 2 or milestone 3). It works by handling bad token exceptions of *any* reason (expired, revoked, etc) at the servlet level and redirecting the user through the authorization flow again. This means that it works for not only Facebook's oddball way of token renewal, but for any other provider where the token has gone bad.