Should a user authorize each time I need an access token?
In the Facebook authentication guide, I am supposed to:
- Get the user to authorize my application, by redirecting them to the authorize URI.
- Get my access token from Facebook by hitting the /outh/accesstoken URI.
Let's just say that, for whatever reason, this token is no longer valid. Do I need to perform step #1, or can I hit the /outh/accesstoken URI again?
OAuth 2.0 allows for "refresh tokens" which will do exactly what you want (hit the access token endpoint for a new token). However, Facebook does not support them.
If you want access after the user initially signed in, then you have three choices:
1/ Use the FB JavaScript library to request access in an iframe. It's not using OAuth (yet) but it will do it with minimal user disruption.
2/ Redirect the user to the OAuth endpoint again. If they have already authorized the requested scopes, then it will direct back immediately.
3/ Ask for the "offline_access" extended permission. This should only be used rarely.
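Option 2 above (send the user through the authorize step again once the token is rejected), as an added example that is not part of the original answers. The endpoint, client id, redirect URI and the RFC 6750 `invalid_token` check are assumptions for a generic OAuth 2.0 provider, not Facebook's documented values; the `state` value ties the callback to the session that started it.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (assumptions for illustration, not taken from the page).
AUTHORIZE_URI = "https://provider.example/oauth/authorize"
CLIENT_ID = "YOUR_APP_ID"
REDIRECT_URI = "https://app.example/oauth/callback"


def token_rejected(status, www_authenticate):
    """True when the API reports the bearer token as invalid or expired (RFC 6750)."""
    return status == 401 and 'error="invalid_token"' in (www_authenticate or "")


def begin_reauthorization(session, scopes):
    """Drop the dead token and return the URL to redirect the user to."""
    session.pop("access_token", None)
    state = secrets.token_urlsafe(32)  # unguessable, bound to this session
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{AUTHORIZE_URI}?{query}"


def finish_reauthorization(session, callback_url):
    """Validate the callback and return the code to exchange for a new token."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay fails
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in params:  # for example, the user declined this time
        raise PermissionError(params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code
```
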
If the token is no longer valid, you have to get a new one.