I'm using 'dio' interceptor, and when I pass expired access token & refresh token it returns 400 error
Is there any way to handle this not to direct login page and make stay connected and also not to
save credentials in local storage
Related
I have a website in node js and react js. Whenever a user signIn on my website, they recieve a refresh token which is stored in an httpOnly cookie and an access token which is stored in the memory. When the access token expires I sent the refresh token in the request to get a new access token but I cannot understand where to store the refresh token. Should store it in my database because once the httpOnly cookie expires, there will be no way to get that back. So should I store it in the user object or in an array where all the referesh tokens are saved and whenever a request for new access token comes, I find the refresh token in that array and if it exists, I give them new access token.
Please suggest a safe way
It's better to store a refresh token locally. If the database would get hacked, the hacker would have unlimited access to the accounts using the refresh tokens. For more information, check out this post on Stack Overflow
Both access_token and refresh_token is stored on client end. This client end either could be browser or system (invoking the apis). For browser, you can store the refresh token in local storage or in other available options. For external systems, it could be secure storage which can be a database.
I am using JWT for authenticating users. I can see two types of tokens (access token to make requests to the back-end and refresh token) generated by JWT. So, my question is when the right is time to logout the user? The time when the access token expires or the time when the refresh token expires?
What is the better way to get the new access token using the refresh token endpoint according to the user's active or inactive state?
the refresh token exists so that your service can keep using the credentials of the user on their behalf even after the access token expires. so if you have a refresh token, there is no need to "logout the user" when their access token expires
A Refresh Token contains the information required to obtain a new Access Token or ID Token.
Typically, a user needs a new Access Token when gaining access to a resource for the first time, or after the previous Access Token granted to them expires.
https://auth0.com/docs/tokens/refresh-token/current
If you let the access token expire and do not use the refresh token to generate a new access token, the user will have to log in again if you would like to perform some action on their behalf (access a resources using their access token). The user is "logged out" when their refresh token expires. The user does not need to be active for you to use their refresh token
I'm using the .net api for v2 using the code flow scenario. I was under the impression that this is what you use to get a refresh token you can save and re-use to get new access tokens after the user authorizes your app once.
after a doing a call like below, I navigate the uri the call provides.
var redirect = DropboxOAuth2Helper.GetAuthorizeUri(OauthResponseType.Code, AppKey, RedirectUri, user.ConnectState);
I parse the result for the code parameter which I then feed to ProcessCodeFlowAsync(). That only works to get the access token once. If I save and try to use it again, I get "code has already been used : invalid grant" errors.
I thought what I was getting was a refresh token but repeatedly feeding it ProcessCodeFlowAsync is not working. How do I get a refresh token that I can use repeatedly to get access tokens without having to have the user authorize every time. I am cacheing and re-using the auth token not the access token by the way.
The Dropbox API doesn't use refresh tokens. Instead, you should just store and re-use the access token you get at the end of the app authorization flow.
The user or app can revoke an access token at any time though, so if/when API calls start failing due to a revoked access token, you can prompt the user to re-link the app if they want to continue using the integration, so the app can get a new token.
(The "code" you pass to ProcessCodeFlowAsync is an "authorization code", which is not re-usable.)
The accepted answer was probably correct at the time but Dropbox API now does support refresh tokens.
Check the Refresh token section here:
https://www.dropbox.com/lp/developers/reference/oauth-guide
My extension needs to periodically send some data (in the background) to the the server with auth information about the user from FB. So I obvisouly need to send FB token with the data.
Right now I am opening https://www.facebook.com/dialog/oauth?client_id=<APP_ID>&response_type=token&redirect_uri=http://www.facebook.com/connect/login_success.html in a new tab, then retrivieng a token from a hash (using background page), then storing it in localStorage.
But lets say user closes his browser and opens it after the token expires. How should I retrieve a new one without user doing lots of additional clicks?
I'd suggest you should request long-lived token via your server and store that along with the calculated time of expiration that you can get from token debug API in the local storage. Then you refresh the token before it expires to avoid re-authentication.
I am trying to provide authentication facility through third party single sign on provider like rpxnow. After login on every refresh of page I am not able to retrieve the cookies set by the provider so that I can delete them when user desires to log out?
Is there any other way to gracefully logout the user without trying to search for cookies etc., or releasing the token provided by them after authentication?
I had a workaround. I stored the token retrieved from single sign on site and onclick of logout deleted the token. Every call handler for each page was initiated by checking for validating for token variable in session.