How to build a permanent and public Facebook profile photo URL for non-App-Scoped User IDs?

Question

On October 24th 2020 Facebook will start blocking profile photos URLs if the user id is not an App-Scoped User ID (ASID).

We implemented Facebook login on our website before Facebook switched to ASID so we have many registered users before it. And the problem is that, for these old users, Facebook reports to us their global User Id (UID) instead of an ASID. "The ID will not change for people who already logged into your app. It will remain locked as the user's original Facebook ID." (source). And we have found no way to get an ASID for them (these answers do not work anymore: 1 and 2)

In these cases the classical Facebook profile URL will stop working:

Current situation:

https://graph.facebook.com/4/picture

From October 24th it won't work:

https://graph.facebook.com/4/picture?breaking_change=profile_picture

In the "picture" parameter in the JSON authentication token we get a photo URL but it is from Facebook CDN and it will probably expire (it changes every time a users logs in, even if almost no time has passed).

So the question is: how can we generate a public stable, permanent, picture URL for a user registered in our website before ASID was implemented?

We cannot add the access token to the URL because it will be used publicly in the website (we are not downloading the images, just inlining them).

Answer 1

Facebook API PM here. The best thing to do here is to use a client token on your request to fetch the image. This is normally not allowed on most Graph APIs, but is here in order to make it easier to migrate cases like this.

Unlike app tokens, a client token is safe to expose to users and is used for cases like this.