I want to implement a background job that will run in the background for the access token and refresh token. If the application is closed or not used, it will still count the time of the access token, and if the user opens the application again, they will have access if the token has not expired. My access token has a 1-hour timer. I hope I explained it well. Thanks in advance, any help will be appreciated.
I use flutter_secure_storage to store my access token and refresh token values.
I am developing a Flutter application and I am using OAuth2 for authentication. The application can't be used if you are not logged in, it just shows a login screen and forces you to log in.
When I log in, I receive the following information from the authentication server:
access token
access token lifetime
refresh token
refresh token lifetime
When the access token is about to expire, I want to get a new one by sending the refresh token to the authentication server.
How would I implement the refresh token mechanism? I want to update the access token every time before it expires, even if the user is not using the application (it is closed). If the user needed to log in every time he opens the application, it would be a very bad user experience. To avoid this, I want to refresh the token in the background.
How can I achieve this to work on Android and iOS? Preferably without writing any native code for each of the platforms.
You can use Future.delayed to refresh the token before the expiration.
You can also run this part of the code in the background with background processes, but your application must be in the background.
Could anyone tell me what is default expiration time of refresh token and access token provided by Bing API?
The official docs state the following:
Refresh tokens are, and always will be, completely opaque to your application. They are long-lived e.g., 90 days for public clients, but the app should not be written to expect that a refresh token will last for any period of time. Refresh tokens can be invalidated at any moment, and the only way for an app to know if a refresh token is valid is to attempt to redeem it by making a token request.
So basically, they recommend you as a developer not to rely on this time span.
I've read a lot and this is the only solution I get to:
The first time the user logs in the app (with publish-actions) you get the token
Convert the token to Long-Lived Token
You can use it to publish for the next 2 months
If the user clicks on a post you send, the token is reset to another 2 months
Am I right? Is that the best solution?
All correct. I am not sure about the user click (didn't find that in the documentation https://developers.facebook.com/docs/facebook-login/access-tokens). You should be ready to handle errors in case the token expires earlier or in case of app uninstalls. I check if the token is still valid by getting the user basic info with the access token I have. If the call is successful, I use the token. If not, I redirect the user to app authorization again, get another token, exchange it for another long-lived token, and use that one.
Since Facebook canceled the offline_access scope, the access token I get is only available for 2 days. I read their blog and tried to refresh the token every hour. But every time, the token I get is just the same as the one I sent, and it expires.
It is strange that IM Plus (http://plus.im/) never needs to refresh the token (for as long as I have been registered and had Facebook connect added to it, about one month). I wonder how they did that. I discovered they are still using the 'offline_access' scope. Here is their URL to get an access token:
https://www.facebook.com/dialog/oauth?api_key=119600778096160&app_id=119600778096160&client_id=119600778096160&display=touch&domain=plus.im&locale=en_US&origin=2&redirect_uri=https%3A%2F%2Fs-static.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D6%23cb%3Df3d1b1d90c%26origin%3Dhttps%253A%252F%252Fplus.im%252Ff232f2ca44%26domain%3Dplus.im%26relation%3Dopener%26frame%3Df336857b2c&response_type=token%2Csigned_request&scope=read_stream%2C%20publish_stream%2C%20xmpp_login%2C%20read_mailbox%2C%20offline_access&sdk=joey
So, how do I get a long-term access token just like they do?
Thanks.
This is the access token associated with my Facebook application -- the thing that comes back from https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id=APP_ID&client_secret=APP_SECRET. Can I get this once from FB and save it away somewhere for future use, or do I need to refresh it on a regular basis?
Access Token Tool - Facebook Developers
App tokens do not expire and should be kept secret as they are related to your app secret.
I don't know for sure, but since the documentation does not state that you get back an expiration time for the access token, I guess that it's an educated guess that it does not expire.
But why does it matter? The application authentication process is much simpler than the one with users, so just save the token somewhere (db, memory) and then try an API call; if it fails, just issue one call to obtain a new token, save that, and continue as usual.
If you want a token to manage a page, a never-expiring token can be obtained by:
Get user token
Exchange user token to long-living token (valid for 30 days)
Obtain a page token with this user token (this page token is not going to expire)
When you check the token you've got, check it on Debugger. You will now see 'Expires Never'.
Documentation is on Facebook Developers, Scenario 5: Page Access Tokens
My app access token does not seem to have changed for just under a month. I do not know if it changes. For fun I just changed my app secret...
My app access token then immediately changed, and when I try to use the old one I get an HTTP 400 error with a message body...
{"error":{"message":"Invalid OAuth access token signature.","type":"OAuthException","code":190}}
My advice is to save the access token and use it, unless you get the message above, in which case obtain a new one and use that. One thing that I have not checked yet is if you get the same result if the user access token (that you may be querying) has expired instead.
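The "save the token, use it, and obtain a new one only when the call fails" pattern from the answers above, as an added example that is not part of any of the original posts. `TokenCache`, `obtain_token`, `api_request` and `make_fake_api` are hypothetical names, and the fake API with its responses is constructed so the block runs offline; only the error body shape is taken from the page.

```python
import json

OAUTH_EXCEPTION_CODE = 190  # code from the error body quoted above


def is_invalid_token_response(status, body):
    """True when the response has the HTTP 400 / OAuthException / 190 shape."""
    if status != 400:
        return False
    try:
        err = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        return False  # not JSON, or not a JSON object
    return (isinstance(err, dict)
            and err.get("type") == "OAuthException"
            and err.get("code") == OAUTH_EXCEPTION_CODE)


class TokenCache:
    """Reuse a saved token; renew it once when the API rejects it."""

    def __init__(self, obtain_token, saved=None):
        self._obtain = obtain_token  # hypothetical callable: () -> str
        self.token = saved           # keep this value secret at rest
        self.obtained = 0            # how many times a new token was fetched

    def _renew(self):
        self.token = self._obtain()
        self.obtained += 1

    def call(self, api_request):
        """api_request(token) -> (status, body). Retries at most once."""
        if self.token is None:
            self._renew()
        status, body = api_request(self.token)
        if is_invalid_token_response(status, body):
            self._renew()  # single renewal, so a persistent failure cannot loop
            status, body = api_request(self.token)
        return status, body


def make_fake_api(valid_token):
    """Constructed stand-in for the remote API, for offline runs only."""
    rejected = ('{"error":{"message":"Invalid OAuth access token signature.",'
                '"type":"OAuthException","code":190}}')

    def api(token):
        return (200, '{"id":"123"}') if token == valid_token else (400, rejected)
    return api
```

Other failures (network errors, other status codes) pass through unchanged, so the caller can tell a rejected token from an unrelated outage.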
For each and every user token (which is what you're getting from your link), there is an expiration date. Take one of those tokens to https://developers.facebook.com/tools/debug and debug it. You will see that generally they expire within 60 minutes or so.
To extend that user token, call the exchange command (https://developers.facebook.com/docs/offline-access-deprecation/) to get it to become a 60 day token. That user token has to be still valid (not expired) to do this.