Using the App Console, I am generating an Access Token for use by my java application.
Why is my access token expiring? It worked yesterday but today I get the below error.
How do I get a permanent token for my application to use? (Usage is similar to a "Google Service Account" that generates a permanent token.)
Exception:
InvalidAccessTokenException
{
"error_summary": "expired_access_token/...",
"error": {
".tag": "expired_access_token"
}
}
UPDATE 2022 12 02:
Thanks for the below information and links. After about 5 hours of working on wrapping my brain around the concepts and the example code, I finally got something working by doing the following:
(1) Using the example code and manual process at https://github.com/dropbox/dropbox-sdk-java/blob/main/examples/examples/src/main/java/com/dropbox/core/examples/authorize/ShortLiveTokenAuthorize.java I obtained an auth code.
(2) I then wrote java code to post the auth code to the https://api.dropbox.com/oauth2/token end point and receive tokens including the refresh token.
(3) I then wrote code to post the refresh token to the same end point to receive an access token.
It appears I can hold on to the refresh token and repeat step 3 to get access tokens each time.
HOWEVER, I must be missing something here.
This is WAY too much extra work that should be done either by the App Console and/or the SDK.
Also, it seems to me that a “Client Credentials Flow” should be available in the API and SDK.
Your thoughts?
Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.
Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation.
The official Dropbox Java SDK can actually handle the process for you automatically, as long as you supply the necessary credentials, e.g., as shown retrieved in the examples here.
Related
I am playing around with IBM Cloud Functions (OpenWhisk) and trying to setup authentication through OAuth with Facebook as the provider. I have setup an app with Facebook, I am able to successfully connect with this and fetch my token and I am able to verify this by fetching basic profile information (name and userID).
My problems starts when I enable OAuth in the IBM Cloud Functions API. I get a HTTP code 500 back from the call with very little information about what actually went wrong.
{"code":500, "message":"Oops. Something went wrong. Check your URI and try again."}
The only thing that is stated in the dashboard is:
You can control access to your API through the OAuth 2.0 standard. First require an end user to log in via IBM Cloud App ID, Facebook, GitHub, or Google. Then include the corresponding OAuth token in the Authorization header of each API request. The authenticity of the token will be validated with the specified token provider. If the token is invalid, the request will be rejected and response code 401 will be returned.
With this information I got that I need pass the token with the Authorization header. My best guess is that the call fails somewhere when the token is being validated.
I am using Vue and Vue-axios to perform the API call. My current call looks like this:
this.$http.get(API_URL+"?user_id="+localStorage.user_id,{headers :{'authorization':localStorage.token}}).then((response) => {
console.log(response);
});
I have tried adding bearer/Bearer or token/Token in front of the token (some posts I read indicated that you should do this), but this had no impact on the response.
If I disable the OAuth authentication from the Cloud Functions side, the code above works and correctly retrieves the data (with or without the header option).
From the Chrome Dev tools it looks to me like the token is added correctly to the request, since the request headers have the Authorization header with the token.
I am not that familiar with OAuth or IBM Cloud Functions, so the problem might have a very easy fix. However, I am unable to find documentation which clearly shows me how I am supposed set this up. I am also unable to find any logs or more information about what actually fails here. Am I missing something obvious here?
Kjetil
I'm making an application that among it's task will use the REST API in KeyVault. I already have functions written that will query the KeyVault for the secret without an issue.
I also have functions written to request an OAuth token from AAD, following the documentation on this link:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code
What I'm not sure about is; Since the application is going to be installed on hundreds of computers when a token expires and the function to refresh the token is called chances are that more than one PC is going to make the POST. What is the best practice for a scenario like this? Should i just configure an exponential back off after a refresh token function is called?
The app installed on the machines will not have the ability to talk to each other.
The only way I can think to do this is to use a logic app as the broker but that would defeat the purpose of the KeyVault.
The document you provided is using the code grant flow to acquire the access token. This flow requires users to login to acquire the token. And did you mean all the PC you installed will use the same account to acquire the token?
If yes, you can design you own token cache. For example, you can using an SQL server to store the cache. Then the app will search the token/refresh token in the token cache before it sends the token request. And if the token is expired, you can refresh it. In this scenario, all PC will share the same access token since they are sign-in with same account.
If not, you need to refresh for the every PC when the access token is expired. Because the access token is different from each user.
So after some testing and verifying with MS it looks like the documentation on the link is outdated. When a token is generated it has a lifetime of 8 hours (this is configurable) so every time I make a request to /token a new token is handed out, since the time window is small I don't need to worry about token refreshes since PCs won't be on for over 8 hours.
The other part of this is that i built a function to test the validity of the existing token, before i query any azure service i test the token validity, if it fails a new token is requested. Since the token lifetime windows are short and each machine gets it's own token (i thought all machines were getting the same token, code error on my part) this is a non-issue anymore
I have a web app built on oAuth2 that has been in production for 5+ years. Users Authenticate and Authorize with Google and grant my application access to the Google Analytics data.
All of a sudden I am seeing a surge in failures when refreshing my users oAuth2 tokens. This is the call:
https://accounts.google.com/o/oauth2/token
Passing these parameters:
client_id=xxyyzz
client_secret=xxyyzz
grant_type=refresh_token
refresh_token=xxyyzz
This seems to be be on accounts that are less active (i.e. it could be 15+ days between instances where we make calls on their behalf). I have to reach out to them and have them "ReAuthorize" against Google to get things working.
1) Did something recently change with Google oAuth2 or the GA Core Reporting API?
2) If access tokens are not refreshed after some time period will my refresh token become invalid? i.e. should I make calls against all accounts even thought I don't need the data; just to keep the refresh token from going stale?
Thanks,
Mark.
Update on Scope
It was requested to provide the scopes in play here:
https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/analytics.readonly
11/17/2016 Update:
We did find an issue that resulted in some tokens being purged. We are working on to make sure it doesn't happen again. Unfortunately there is no way to restore the tokens that were deleted and your users will have to reauthorize again.
11/11/2016 update:
We are actively investigating the issue. You should ask your users to re-authorize the application.
(from Google Identity/Auth team) We would like to investigate this a bit more to make sure our system is working as intended. Other than the token revocation (with certain scopes) on password change, we haven't changed the token revocation policy.
Would you please ping me via my G+ profile?
We are having troubles with getting the access token from fiware since 4th August.
We are using this URL to ask for the token: https://orion.lab.fiware.org/token but it seems like it does not work.
Before using that URL we used to ask for this one:
http://cloud.lab.fi-ware.org:4730/v2.0/tokens
Could anyone, please, help us?
Thank you in advance.
It depends on how you want to get the token. The current OAuth2 URL to get the tokens is https://account.lab.fiware.org/oauth2/token. This is the central authority for authentication, if you are accessing any common GE, but you will need to register your application in FIWARE Account and use your application credentials and some OAuth2 grant to get it.
If you want to get the token for the global instance without using a registered application, the URL you have mentioned contains a token service that can give you a valid token for your user and that purpose. You can test it (and see an example) with the following script:
https://raw.githubusercontent.com/fgalan/oauth2-example-orion-client/master/token_script.sh
I'm working on a project and a new Beats Music API library for Clojure, but in my testing I'm finding it difficult to get write access authentication, but read-only user authentication works fine.
In testing my library I set up a HTML page to do the OAuth and get the OAuth code and then feed that code in to my library to fetch the actual authentication token. The first part works flawlessly, the second part has the dreaded "Developer Inactive" error:
URL: /oauth/token
PARAMS: client_secret, client_id, redirect_uri, code, grant_type=authorization_code
METHOD: post (application/x-www-form-urlencoded)
I've double checked my redirect_uri is the same as defined in my app settings and is the url of the HTML page I generated the code with. I even checked with the support folks to double check that my application wasn't throttled or something, but that took too long and I made a second application and had the exact same results. I've looked at other support questions like this and nothing has helped, so unless I'm missing something in my auth request, my only other thought was that my user account is still on it's 14-day trail and maybe that is affecting my auth token in some way?
Any ideas or suggestions would be greatly appreciated.
From https://developer.beatsmusic.com/docs/read/getting_started/Client_Side_Applications
"The scope of an access token using the implicit flow is limited to read only since client side applications cannot keep a secret. You'll need to request the authorization grant flow via the Web Server Authentication for write permissions, such as updating a playlist."
I hope this helps.
As #jsd pointed out in a comment on my question, there was a typo in the url endpoint. The correct endpoint is (which I had in the other function and that's why it was working correctly):
/oauth2/token