Somehow I managed to reduce default access token lifetime to 30 minutes. This made tokens to expire or invalid after 30 minutes. Now the problem is few users already got refresh tokens along with access token before and using those to get access token again after token expiration like
POST https://login.microsoft.com/tenantid/oauth2/v2.0/token?&client_id:appid&grant_type:refresh_token&refresh_token: refresh token&client_secret: client secret
I don't want this to happen. Removing offline_access scope won't give refresh token anymore. But what about the refresh tokens that users already got. How to make those refresh tokens invalid so that users cannot use them to get access tokens that makes more secure. Even if they use, it should throw some error instead of giving access tokens.
How to make this happen? Anyone tried this before?
To invalidate all refresh tokens, you can make use of below query:
POST https://graph.microsoft.com/beta/users/<user_id>/invalidateAllRefreshTokens
I tried to reproduce the same in my environment and got below results:
I registered one Azure AD application and added API permissions by granting consent like below:
I got refresh token along with access token via Postman with below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:authorization_code
scope: offline_access user.read.all
code:code
redirect_uri: https://jwt.ms
client_secret: secret
Response:
Using this refresh token, I'm able to get access token like below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:refresh_token
refresh_token: 0.AVYA_in0zaI3eUqOQHrbrD-FUv //paste the refresh token that I got above
client_secret:client_secret //Mandatory if client is web app
Response:
To revoke these refresh tokens, I ran below query in Graph Explorer by granting consent to required permissions:
POST https://graph.microsoft.com/beta/users/<user_id>/invalidateAllRefreshTokens
Response:
Now when I tried to get the access token again with existing refresh token, I got error like below as refresh token is revoked:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:refresh_token
refresh_token: 0.AVYA_in0zaI3eUqOQHrbrD-FUv //paste the refresh token that I got above
client_secret:client_secret //Mandatory if client is web app
Response:
To do the same from PowerShell, you can make use of below command:
Revoke-AzureADUserAllRefreshToken -ObjectId <userID>
Reference:
Revoke-AzureADUserAllRefreshToken (AzureAD)
Related
https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension#extendingpagetokens
After reading through this documentation I was under the impression that I could get a token that never expired if I requested a short lived access token with the scope manage_pages however when I follow the documentation and use the following to get an extended token:
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
Then I place the token inside of the debugger: https://developers.facebook.com/tools/debug/accesstoken/
I get the following response:
The closest I've found to what I'm doing is this: How do you get long-lived access tokens from the Facebook Graph API (server-side auth)?
Perhapse is it another scope they requested that I didn't?
Also another thing I noticed is that due to not being a live app these are the "permissions" I have, of which manage_pages isn't one. However how could any new product work if the app needs to exist before it can function????
any and all help appreciated
Go to Facebook Graph API Explorer get your short-lived access token.
Go to Access Token Debugger, debug your short-lived access token from Step1, click the extend button at the bottom, you will get a long-lived token
Go to Facebook Graph API Explorer again, now use your long-lived token from Step2, request path /me/accounts, find the corresponding token for your target page in response data
to make sure it is the never expire token you need, debug it by Access Token Debugger
Ref: https://sujipthapa.co/blog/generating-never-expiring-facebook-page-access-token
In my Java/Ionic2 application, I request, through REST services, authentication to Google Drive with the refresh token, and then with access_type=offline, as described here: https://developers.google.com/identity/protocols/OAuth2WebServer#refresh.
The server responds 200 OK, so it gives me a refresh and an access token, only the first time I request access. If I try to redo all the authentication process with an already authorized account, from the same browser, even after logging out, the server response does not give me the refresh token, but only the access token. why? Did anyone have such a problem? Thanks
AFAIK, refresh tokens are only provided on the first authorization from the user. You should only obtain a refresh token if your access token have expired and you need new access tokens. As discussed in token expiration, you must write your code to anticipate the possibility that a granted token might no longer work. That's were you will need a refresh token.
See this SO post for additional insights.
All I can get is a Anonymous user token through the dev test users area on Facebook. So when I fire a POST to auth with my web application using the said token I get:
"error parsing": "Facebook.FacebookOAuthException: (OAuthException - #100) (#100) Tried accessing unexisting field (friends) on node type (AnonymousUser
Do I have to generate the token in code with the permissions request set, or is there a quicker way?
Have you creeated your test users via the endpoint
POST /{app-id}/accounts/test-users
as described in https://developers.facebook.com/docs/graph-api/reference/app/accounts/test-users#publish
I guess you have to manually "friend" two test users first, as describes here: https://developers.facebook.com/docs/graph-api/reference/test-user/friends I don't think that if you create a new test user, he'll automatically have some friends.
I assume you have registered an app at Facebook and you have your application client_id and client_secret.
Here are the steps to obtain an access token # Facebook and how you can use it:
https://graph.facebook.com/oauth/authorize?redirect_uri={your_redirect_uri}&client_id={your_client_id}
If you are not logged in Facebook, you will be redirected to Login page at FB. Upon successful login, you will be redirected to your redirect_uri(in the first request) and a query param code in the URI
Copy that code(auth_code) - it will be used to obtain an access token.
https://graph.facebook.com/oauth/access_token?redirect_uri={your_redirect_uri}&client_id={your_client_id}&client_secret={your_client_secret}&code={auth_code}
as a response you will receive an access token
Then you can use that access token to obtain your FB profile, for instance:
GET https://graph.facebook.com/me
plus Authorization: Bearer {access_token}
When an event is created on our system I want to create the event on Facebook via our page. This is an entirely server-side process with no user interaction.
I've linked my page to my app, grabbed the "app token" for my application from https://developers.facebook.com/tools/access_token and tried to create an event by POSTing to /mypage/events but I just get (OAuthException - #1) An unknown error has occurred.. I'm assuming app tokens don't have access to create events for my page.
I can use a page token but this expires after 60 days and I'll have to keep updating the token. Is there a way to have this token last forever? I can renew it in code but it requires a user access token.
What's the best way to go about this?
You cannot use an app token to create an event on behalf of a page. You must use a page token and if you follow scenario 5 listed at https://developers.facebook.com/roadmap/offline-access-removal/, the page token will have no expiry.
Exchange the short-lived user access token for a long-lived access token using the endpoint and steps explained earlier. By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages. This will also apply when querying with a non-expiring user access token obtained through the deprecated offline_access permission.
i need to extend my facebook access token, I'm calling this:
https://graph.facebook.com/oauth/access_token?
client_id={MY PAGE ID}&
client_secret={THE SECRET KEY OF MY APP}&
grant_type=fb_exchange_token&
fb_exchange_token={AN ACCESS TOKEN FOR MY PAGE}
and I'm getting this error:
"error": {
"message": "Error validating application. Cannot get application info due to a system error.",
"type": "OAuthException",
"code": 101
}
I've seen a lot of problem with that access_token, but none answer relative to pages, idk why facebook use api that why... but is the way...
Thank you,
To get a long-lived access token you need to follow those steps:
Create an Application
Create a Page (your account need to be "administrator" of the page)
Associate the application to the Page (the same way you do it when you want to add a Page Tab to a Page)
http://facebook.com/add.php?api_key=*YOUR_APP_ID*&pages=1&page=*YOUR_PAGE_ID*
Get a short-lived access token with the permission "manage_pages" associated to your Application.
https://graph.facebook.com/oauth/authorize?client_id=__APP_ID__&scope=manage_pages&redirect_uri=http://www.facebook.com/connect/login_success.html
then
https://graph.facebook.com/oauth/access_token?client_id=__APP_ID__&redirect_uri=http://www.facebook.com/connect/login_success.html&client_secret=__APP_SECRET__&code=__CODE_FROM_PREVIOUS_REQUEST__
Using the Graph API Explorer with the request /me/accounts you can see the access tokens for each Pages that you are administrator. The problem is that those access token are short-lived.
Convert your short-lived access token to a long-lived (extending access token):
https://graph.facebook.com/oauth/access_token?client_id=_APP_ID_&client_secret=_APP_SECRET_&grant_type=fb_exchange_token&fb_exchange_token=_ACCESS_TOKEN_ON_STEP_4_
You can now test your new access token with the Access Token Debugger.
Scenario 5: Page Access Tokens
When a user grants an app the manage_pages permission, the app is able
to obtain page access tokens for pages that the user administers by
querying the [User ID]/accounts Graph API endpoint. With the migration
enabled, when using a short-lived user access token to query this
endpoint, the page access tokens obtained are short-lived as well.
Exchange the short-lived user access token for a long-lived access
token using the endpoint and steps explained earlier. By using a
long-lived user access token, querying the [User ID]/accounts endpoint
will now provide page access tokens that do not expire for pages that
a user manages. This will also apply when querying with a non-expiring
user access token obtained through the deprecated offline_access
permission.
https://developers.facebook.com/roadmap/offline-access-removal/