Error validating access token when it's unnecessary #387

Open
Rubyist007 opened this issue Apr 14, 2024 · 1 comment

@Rubyist007

Hi,
I ran into a problem related to how the gem gets a profile picture.
In version 8.0, changes were added that add the access_token parameter to the avatar URL.
Related issue
Related PR

We stored in our DB links to Facebook avatar URLs as provided by the gem with an access token, for example:

Facebook avatar URL with access token:

```
https://graph.facebook.com/v5.0/{user id}/picture?access_token={access token}&type=large
```

But that token has an expiration date, and when an access token is expired Facebook returns the following error:

```
{
  "error": {
    "message": "Error validating access token: Session has expired on Sunday, 03-Sep-23 07:41:10 PDT. The current time is Tuesday, 09-Apr-24 06:49:45 PDT.",
    "type": "OAuthException",
    "code": 190,
    "error_subcode": 463,
    "fbtrace_id": {fbtrace_id}
  }
}
```

The main issue here is that we actually don't need an access token to get a profile avatar.

The Facebook API uses different types of user IDs: App-Scoped User ID, User ID, and Page-Scoped User ID.

From the Facebook documentation about PSID/ASID Matching, we know that we use the App-Scoped User ID to get the Facebook user avatar:

> When a person uses Facebook Login on a website or a mobile app, an ID is created for the specific Facebook app, which is called app-scoped ID.

Based on the Facebook documentation about the user picture, we don't need an access token when we query an App-Scoped User ID.
We could confirm that by just removing the access token from the avatar URL.
Example:

Facebook avatar URL with access token:

```
https://graph.facebook.com/v5.0/{user id}/picture?access_token={access_token}&type=large
```

⬆️ The URL with the access token returns an error, as the access token is expired.

Same Facebook avatar URL without access token:

```
https://graph.facebook.com/v5.0/{user id}/picture?type=large
```

⬆️ The URL without the access token allows us to download the user avatar.

It seems that the alterations implemented in the gem version 8.0 might not have been entirely accurate.
I believe that the root cause of the problem described in the changes for version 8.0 was the http URL, so the issue with fetching the image might not be related to the access token, but to the fact that Facebook has rejected non-SSL connections to the image endpoint for a while, as discussed here: #345 and fixed here: #346.
The same conclusion was mentioned here: #360

@Rubyist007
Author

Here is the PR I created to fix this error: #388
I will be happy to hear your thoughts about the issue and PR.

Thanks!
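
An added example (not code from the gem, the PR, or the issue author): one way to clean avatar URLs that were already stored with `access_token`, as the issue describes, so they keep working after the token expires and no bearer token remains in the database. The row shape, helper names, user ids and token value are assumptions constructed for illustration.

```ruby
require "uri"

GRAPH_HOST    = "graph.facebook.com"     # host used by the URLs quoted in the issue
SECRET_PARAMS = %w[access_token].freeze  # query keys that should not be persisted

# Returns the URL without credential-bearing query parameters.
# URLs on other hosts, URLs without a token, and unparsable strings come back unchanged.
def strip_access_token(url)
  uri = URI.parse(url)
  return url unless uri.is_a?(URI::HTTP) && uri.host&.downcase == GRAPH_HOST && uri.query

  pairs = URI.decode_www_form(uri.query)
  kept  = pairs.reject { |key, _| SECRET_PARAMS.include?(key) }
  return url if kept.length == pairs.length  # nothing to strip, avoid re-encoding

  uri.query = kept.empty? ? nil : URI.encode_www_form(kept)
  uri.to_s
rescue URI::InvalidURIError, ArgumentError
  url
end

# Rewrites a list of { id:, avatar_url: } hashes (a stand-in for DB rows) in place
# and returns the ids of the rows that had a token removed, e.g. for an audit log.
def scrub_avatar_urls!(rows)
  rows.each_with_object([]) do |row, changed|
    clean = strip_access_token(row[:avatar_url])
    next if clean == row[:avatar_url]

    row[:avatar_url] = clean
    changed << row[:id]
  end
end

# Constructed sample rows: the user ids and the token are made up.
SAMPLE_ROWS = [
  { id: 1, avatar_url: "https://graph.facebook.com/v5.0/1000001/picture?access_token=EAAB-constructed&type=large" },
  { id: 2, avatar_url: "https://graph.facebook.com/v5.0/1000002/picture?type=large" },
  { id: 3, avatar_url: "https://example.com/a.png?access_token=not-facebook" }
].freeze

if __FILE__ == $PROGRAM_NAME
  rows = SAMPLE_ROWS.map(&:dup)
  puts "scrubbed row ids: #{scrub_avatar_urls!(rows).inspect}"
  rows.each { |row| puts row[:avatar_url] }
end
```

Tokens that were stored this way have also been exposed wherever those URLs were logged or rendered, so scrubbing the column does not replace revoking or letting those tokens expire.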
