Facebook feed: permanent user authentication token for an age-restricted page

This used to be a relatively simple thing to do (not as simple as it was a year ago, and now even less simple). Caveat: I am not well-versed in the Facebook API — I don't build apps; I just build web sites, and every once in a while need to display a simple (but far too custom for a Facebook widget) display of a Facebook page's feed. No problem, usually, but…

I usually just used a client token — just generated it once and stored it permanently as a variable. But for this site, accessing the feed requires a user access token because it's age-restricted (alcohol site). The way this would have been done earlier is to just generate a token with "offline_access", and I could store that permanently as a variable. But offline_access has been deprecated.

From what I understand, now my only option is a long-term access token. But these must be extended every sixty days.

All I want to do is display a feed — I don't want the user to have to do anything but see the feed — never be prompted to log in, etc. And I certainly don't want myself or my client to have to generate a new token every two months.

Is there some simple, permanent (I mean, until Facebook changes the rules again) way to do this?

The offline access feature is still enabled but is deprecated and will (very soon) be removed.

Facebook does not provide an exact replacement for this feature. The only thing to do is to generate a long term token and regenerate it when it's about to expire.

In other words (as Facebook conceives it, I guess): if the user does not visit your site for more than 60 days, then they're not interested anymore and you can no longer access their data.

If it's not the case, you could simply renew the token from time to time. As you know the token's expiration date (the API returns it along with the token), you can store it and check the best opportunity to display the connection dialog. Even if the 60-day delay has expired, you could fetch a new token when they are back without asking for permissions again.

You can think of it exactly as the "remember me" cookie. It's meant to provide comfort, not to circumvent security policies: its irrevocability (by simple means) causes privacy and security issues.
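
An added example (not part of the original answer and not Facebook's code) of the bookkeeping the answer describes: store the absolute expiry with the token, renew while the old token still works, and treat an expired token as needing a fresh login. The 7-day renewal window, the `StoredToken` record and the `exchange` callable are assumptions made for illustration, and the sample tokens and timestamp are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

RENEW_WINDOW = 7 * 24 * 3600  # assumption: renew during the last week of validity


@dataclass
class StoredToken:
    access_token: str
    expires_at: float  # absolute epoch seconds, fixed when the token was issued


def store_response(resp: dict, now: float) -> StoredToken:
    # The response carries a relative lifetime; persist an absolute expiry instead.
    return StoredToken(resp["access_token"], now + int(resp["expires_in"]))


def token_state(tok: Optional[StoredToken], now: float) -> str:
    if tok is None or now >= tok.expires_at:
        return "expired"  # only a new login by the token owner can fix this
    if tok.expires_at - now <= RENEW_WINDOW:
        return "renew"    # still usable, renew at the next opportunity
    return "valid"


def refresh_if_due(tok: Optional[StoredToken], now: float,
                   exchange: Callable[[str], dict]) -> Tuple[Optional[StoredToken], str]:
    """Return (token, state). `exchange` is a hypothetical server-side callable
    that trades the current token for a new response dict and may raise."""
    state = token_state(tok, now)
    if state != "renew":
        return tok, state
    try:
        return store_response(exchange(tok.access_token), now), "renewed"
    except Exception:
        return tok, "renew"  # keep the working token and retry on a later request


if __name__ == "__main__":
    DAY = 24 * 3600
    t0 = 1_700_000_000.0  # constructed issue time
    tok = store_response({"access_token": "SAMPLE-TOKEN-1", "expires_in": 60 * DAY}, t0)
    fake_exchange = lambda old: {"access_token": "SAMPLE-TOKEN-2", "expires_in": 60 * DAY}
    for day in (10, 55, 61):
        print(day, refresh_if_due(tok, t0 + day * DAY, fake_exchange)[1])
```

Keep the stored token and any app secret on the server only; the page that renders the feed should never receive them.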