How to extend access token validity since offline_access deprecation

Since the offline_access Permission is deprecated in Facebook's Authentication flow, we have problem getting the so called long lived access tokens without that permission.

In Facebook's document about the deprecation it says, that server side OAuth generated access tokens will be long lived, but they are not.

Am I missing something? Some setting in app settings? Some special code I need to use to extend expiration time of access tokens? As I understand the documentation, for server side authentication, the access token which can be accessed by getAccessToken() method of PHP SDK when the user is logged in is long lived.

Edit (August 14th 2012):
A week ago the official Facebook PHP SDK was updated. The function name was changed to setExtendedAccessToken, and it was decided we actually needed to destroy the session afterwards, to remove the risk of having two active sessions.
Also, the function no longer actually returns the token, but instead stores it within the persistant data. You can therefore get the new access token with the public function getAccessToken afterwards. Grab the new SDK from official Facebook PHP SDK github page to make sure you're up to date.

Original Answer:

I have added a new public function to the base_facebook.php file, which returns an new access token which expires in 60 days. You can make a request to this function after you've received the normal access token. I've not tested, but I assume you also need to enable 'deprecate offline_access" in your Advanced settings of the Developer App.

Just add this to your base_facebook.php inside the facebook class and make a call to it. It works for me.

 public function getExtendedAccessToken(){
	
	try {
      	// need to circumvent json_decode by calling _oauthRequest
	      // directly, since response isn't JSON format.
		$access_token_response =
			$this->_oauthRequest(
				$this->getUrl('graph', '/oauth/access_token'), array(
					'client_id' => $this->getAppId(),
					'client_secret' => $this->getAppSecret(),
					'grant_type'=>'fb_exchange_token',
					'fb_exchange_token'=>$this->getAccessToken()
				)
			);
    } catch (FacebookApiException $e) {
      // most likely that user very recently revoked authorization.
      // In any event, we don't have an access token, so say so.
      return false;
    }

    if (empty($access_token_response)) {
      return false;
    }

    $response_params = array();
    parse_str($access_token_response, $response_params);
    if (!isset($response_params['access_token'])) {
      return false;
    }

    return $response_params['access_token'];
}

Actually what was said:

>If the access_token is generated from a server-side OAuth call, the resulting access_token will have the longer expiration time. If the call is made while there is still a valid access_token for that user, the returned access_token from this second call will remain the same and only the expiration time will be extended. Again, calling this multiple times during the same day will result only in the first call extending the expiration time.

Which means that it will be just longer than client-side generated token, and to receive extended token (60 days) you need do it manually by issuing request to:

https://graph.facebook.com/oauth/access_token?             
    client_id=APP_ID&
    client_secret=APP_SECRET&
    grant_type=fb_exchange_token&
    fb_exchange_token=EXISTING_ACCESS_TOKEN

This token can still became invalid for several reasons, and how to handle this described in How-To: Handle expired access tokens blog post.

Update:
As of Aug 07, 2012 you can use setExtendedAccessToken method to extend access_token instead of manually constructing URL and retrieving details.

//using a javascript for popup for facebook login

FB.login(function(response) {

            if (response.authResponse) {

	               var accessToken = response.authResponse.accessToken;

//got the accesstoken with 1-2 hours expire time

//got the accesstoken into a controller called facebook controller

        $request = $this->getRequest();
        $params = $request->getParams();
        $token=$params['accessToken'];

//taking the access token to extend to 60days

        $conf = $this->getConfigs();
        $appid = $conf['fbdetails']['appid'];
        $secret = $conf['fbdetails']['secret'];
        $baseurl = $conf['app']['baseurl'];

//After the execution of below code , we will have a response with acess token expire time to 60days.

        $token_url = "https://graph.facebook.com/oauth/access_token?client_id=".$appid."&client_secret=".$secret."&grant_type=fb_exchange_token&fb_exchange_token=".$token;

// Above response is given for parsing.

        $c = curl_init();
        curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($c, CURLOPT_URL, $token_url);
        $contents = curl_exec($c);
        $err  = curl_getinfo($c,CURLINFO_HTTP_CODE);
        curl_close($c);

        $paramsfb = null;
        parse_str($contents, $paramsfb);

//after the parsing the contents in the above execution code the new extended accesstoken is stored.

        $user_session = new Zend_Session_Namespace('fbuser');
        $user_session->access_token = $paramsfb['access_token'];

//stored to session.

        $this->_redirect('/home');

//Have a nice coding

An access token generated through a server-side OAuth call will be of the extended (longer) kind and you don't need to exchange it. It is already an extended token. The only thing you must do is enable "Deprecate offline access" in your app settings. This is of course only necessary if "Deprecate offline access" was previously disabled.

Then, when you authenticate users through Facebook you will receive an access token that lives for 60 days. Authenticating multiple times during the same day will result only in the first authentication extending the expiration time.

Should you need an access token that NEVER expires for a PAGE, see my answer to a similar question here

From the developers page:

> By using a long-lived user access token, querying the [User > ID]/accounts endpoint will now provide page access tokens that do not > expire for pages that a user manages.

this is for extending pages access token to expiring never, and extending the life of user access tokens expiring after 2 months(the 'new access token').

Ok so it took about a week of research but here is my solution. in the https://developers.facebook.com/tools/explorer/ make sure that you have manage_page as part of your access_token. after that use this code with your app id, secret, and redirect:

<?php
   app_id = "APP_ID";
   $app_secret = "APP_SECERET";
   $post_login_url = "REDIRECT_URL";
	
	
   $code = $_REQUEST['code'];

   //Obtain the access_token with publish_stream permission 
   if(empty($code)){ 
      $dialog_url= "http://www.facebook.com/dialog/oauth?"
       . "client_id=" .  $app_id 
       . "&redirect_uri=" . urlencode( $post_login_url)
       .  "&COMMA_SEPARATED_LIST_OF_PERMISSION_NAMES";
      echo("<script>top.location.href='" . $dialog_url 
      . "'</script>");
     }
    else {
		
			
      $token_url="https://graph.facebook.com/oauth/access_token?"
       . "client_id=" . $app_id 
	   . "&redirect_uri=". urlencode($post_login_url)
       . "&client_secret=" . $app_secret
       . "&code=" . $code;
      $response = file_get_contents($token_url);
      $params = null;
      parse_str($response, $params);
      $access_token = $params['access_token'];
	  echo 'access token: ' . $access_token.'<br>';
	  
		if($access_token){
		  
		  
		  $token_url="https://graph.facebook.com/oauth/access_token?"
       . "client_id=" . $app_id 
	   . "&redirect_uri=". urlencode($post_login_url)
       . "&client_secret=" . $app_secret
	   .'&grant_type=fb_exchange_token'
	   . "&fb_exchange_token=" . $access_token;
	   $response = file_get_contents($token_url);
	   $access_token = $params['access_token'];
	   echo 'new access token: '.$access_token;
	   
		}
	}*/

?>

After that copy the 'new access token' and go back to https://developers.facebook.com/tools/explorer/ When you get there past in your new access token into the the access token field. Then click submit. After that in the node you will see a +__________ click on this and scroll down to the accounts and click that. find the page that you need the access token for and copy and paste it into the access key field. click debug and you will see that it will never expire. save that token it will stay valid as long as you do not reset your apps secret.

Inspired by previous answers, I wrote a simple token self-renewal program. First, just put your current token in the 'token.sec' file.

This program will read a token from the file, and update with a new token if everything is OK. In other programs, you just need to use the token:

$access_token = file_get_contents("token.sec");

Here we are:

<?php
$app_id = "<your app id>";
$app_secret = "<your app secret>";
$access_token = file_get_contents("token.sec");

$token_url="https://graph.facebook.com/oauth/access_token?"
   . "grant_type=fb_exchange_token"
   . "&client_id=" . $app_id 
   . "&client_secret=" . $app_secret
   . "&fb_exchange_token=" . $access_token;

$ch = curl_init($token_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch); 
if($response === false) {
    die ('Curl error: ' . curl_error($ch));
}

// Close handle
curl_close($ch);

// parse the output
parse_str($response, $params);
if(!isset($params['access_token'])) {
    die("No access token");
}

echo ("New token: $access_token\n");

// eveything looks OK
rename("token.sec", "token.sec.back"); // just in case
$myfile = fopen("token.sec", "w") or die("Unable to open file!");
fwrite($myfile, $access_token);
fclose($myfile);
?>

Finally, we can add this in our crontab to renew the token once per momth:

0 0 1 * * cd /home/<path>; php exchangeToken.php