Authentication using Facebook with Passportjs: what is accessToken for, what should I store after registration?

Problem

I am using Passport to register/authenticate using Facebook. When OAuth is successful, I am returned:

  • accessToken
  • refreshToken
  • profile

Now... when a user successfully registers using Facebook, I store accessToken and the profile info. When somebody wants to log in and goes through the OAuth motions again, my app once more gets accessToken and profile. Trouble is, accessToken is different. I actually expected the accessToken to be the same after the first authentication...

At this point, I am connecting my own local user with Facebook's id field from the profile. But... how would I actually use accessToken? Does it even make sense to keep it? If so, why would I actually keep it?

I actually expect accessToken to be the same, and use that to match a successful login. I obviously can't do that... so I am confused!

Problem courtesy of: Merc

Solution

You should store the Facebook ID. It should be in the profile object. The access token will change according to Facebook's authorization policy. What you should be doing is:

  1. Get the user to log in through Facebook.
  2. Check his Facebook ID against the Facebook ID in your database.

Access tokens expire frequently, as described here.

Solution courtesy of: Akshat Jiwan Sharma

Discussion

You need to keep accessToken if you want to query Facebook's API on behalf of your logged-in-via-Facebook user. If you want to use Facebook for login only, you can discard it. If you want to ask Facebook for the user's most recent status update, for example, you need to include that accessToken as a parameter when making that API call. The point of the accessToken is that it allows a set of operations on behalf of a user, but it expires, so if it falls into the wrong hands it cannot be used to cause as much damage as a permanent token or the user's actual password. It will be different every time by design.

Discussion courtesy of: Peter Lyons
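The following is an added example (not code from the question or either answer) of a passport-facebook verify callback that does what the Solution and Discussion describe: it matches the local user on the stable Facebook profile id, never on the changing accessToken, and stores the newest token only so the app can call the Graph API later. The in-memory Map stands in for the app's user database, and the profile values are constructed; the Passport wiring is shown in comments because passport and passport-facebook are not loaded here.

```javascript
// In-memory stand-in for the user table (assumption: a real app uses its DB).
const usersByFacebookId = new Map();
let nextLocalId = 1;

// Find or create the local user keyed on profile.id. The token is a fresh,
// short-lived credential on every login, so it is overwritten, not compared.
function findOrCreateUser(profile, accessToken, keepToken) {
  let user = usersByFacebookId.get(profile.id);
  if (!user) {
    // First login through Facebook: register a local user for this profile id.
    user = { localId: nextLocalId++, facebookId: profile.id, displayName: profile.displayName };
    usersByFacebookId.set(profile.id, user);
  }
  if (keepToken) {
    // Only needed if the app will call Facebook's API on the user's behalf;
    // a login-only app passes keepToken=false and never stores it.
    user.facebookAccessToken = accessToken;
    user.tokenReceivedAt = new Date().toISOString();
  }
  return user;
}

// Signature passport-facebook expects: (accessToken, refreshToken, profile, done).
function verify(accessToken, refreshToken, profile, done) {
  try {
    done(null, findOrCreateUser(profile, accessToken, /* keepToken */ true));
  } catch (err) {
    done(err);
  }
}

// The session carries only the local id; the record is resolved on each request.
function serializeUser(user, done) { done(null, user.localId); }
function deserializeUser(localId, done) {
  const user = [...usersByFacebookId.values()].find((u) => u.localId === localId);
  done(null, user || false);
}

// Wiring in a real app (hypothetical clientID/clientSecret/callbackURL values):
// passport.use(new FacebookStrategy({ clientID, clientSecret, callbackURL }, verify));
// passport.serializeUser(serializeUser);
// passport.deserializeUser(deserializeUser);

// Constructed walk-through: registration, then a later login with a new token.
const sampleProfile = { id: '10001', displayName: 'Sample User' }; // constructed
verify('token-from-first-login', undefined, sampleProfile, (err, u) => console.log('registered as', u.localId));
verify('token-from-second-login', undefined, sampleProfile, (err, u) => console.log('same user', u.localId, u.facebookAccessToken));
```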

This recipe can be found in its original form on Stack Overflow.