SSO token expiration vs App token expiration - single-sign-on

Let's say there is an application which uses SSO authentication.
There is a login in the application which says that the user should be logged out in 1 hour.
On the other hand, the SSO provider expiration is 90 days.
What is the common best practice? Should the expiration be given by the SSO provider setting or by the app setting?

Related

How can I have two separate SAML applications login to an IdP without logging in twice?

I have four custom apps (that are SPs), using Auth0 or OneLogin as my IdP. In Auth0 I create a connector for each application. When I login to one application and then open the other application, I get redirected to Auth0 to login again.
Is it possible to log the user into my IdP (or Auth0/OneLogin) automatically on that second app without having to click the login button on Auth0, since they've already authenticated with Auth0?
There is an unfortunate need to embed the second app into the first app and it's a poor UX to have the user login to the first app and then login again in the iFrame.
Auth0 dev here. Yes, this is supported out of the box in Auth0. For this to work you'd have to turn Use Auth0 as IdP "ON" in your Client. When doing this, Auth0 will then remember the client for 10 hours, up to 3 days if the client is active.
The flow in your scenario will be
User logs in to any of the applications.
User visits the other application.
The other application sees no session.
The other application redirects to /authorize endpoint.
Auth0 notices the session and redirects it back to your application immediately.
This is further detailed and explained at https://auth0.com/docs/sso
SSO is not having to re-enter credentials, but you only get SSO once you redirect to the IdP and authenticate under the hood, i.e. seamlessly.
So you still have to do something to trigger the redirect.
You could programmatically redirect to a dummy page that requires authentication that then redirects via your client stack e.g. OWIN OIDC.
Also, there is no standard for the cookies, so you don't get SSO across multiple IdPs unless they are federated together.
So if there is no federation and you log in to Auth0, you will still have to log in to OneLogin.
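The flow in the Auth0 answer above, as an added example that is not Auth0's or the poster's code: a toy model of an IdP holding a long-lived SSO session and two relying-party apps with their own, shorter sessions. It also shows the distinction behind the first question on this page: the app's session lifetime and the IdP's are independent, and a lapsed app session only costs a redirect to /authorize while the IdP session is alive. The class names, the 1-hour and 90-day lifetimes (taken from the first question), and the bare username standing in for an ID token or SAML assertion are assumptions; there is no real cryptography or HTTP here.

```python
"""Toy model of IdP-session SSO for two relying-party apps (added example).
Not Auth0's code: the classes, lifetimes and the bare username returned in
place of an ID token / SAML assertion are stand-ins. No real crypto or HTTP."""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class IdP:
    """Identity provider. Owns the SSO session cookie (set on the IdP's own domain)."""
    session_ttl: int
    _sessions: dict[str, tuple[str, int]] = field(default_factory=dict)  # cookie -> (user, exp)

    def login(self, user: str, now: int) -> str:
        """Interactive login: credentials were entered. Returns the SSO cookie."""
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = (user, now + self.session_ttl)
        return cookie

    def authorize(self, sso_cookie: str | None, now: int) -> str | None:
        """The /authorize endpoint. With a live IdP session, answer immediately with
        an assertion for the app (no prompt); otherwise None, i.e. show the login page."""
        entry = self._sessions.get(sso_cookie) if sso_cookie else None
        if entry is None or entry[1] <= now:
            self._sessions.pop(sso_cookie, None)
            return None
        return entry[0]


@dataclass
class App:
    """A relying party with its own session lifetime, independent of the IdP's."""
    name: str
    session_ttl: int
    _sessions: dict[str, tuple[str, int]] = field(default_factory=dict)

    def request(self, app_cookie: str | None, sso_cookie: str | None,
                idp: IdP, now: int) -> tuple[str, str | None]:
        """Handle a page request. Outcome is 'ok' (local session valid), 'sso'
        (re-established via the IdP without a prompt) or 'login' (credentials needed)."""
        entry = self._sessions.get(app_cookie) if app_cookie else None
        if entry and entry[1] > now:
            return "ok", app_cookie
        self._sessions.pop(app_cookie, None)
        user = idp.authorize(sso_cookie, now)          # the redirect to /authorize
        if user is None:
            return "login", None
        cookie = secrets.token_urlsafe(16)             # new app session from the assertion
        self._sessions[cookie] = (user, now + self.session_ttl)
        return "sso", cookie


def scenario() -> list[str]:
    """The thread's numbers: IdP session 90 days, each app's own session 1 hour."""
    idp = IdP(session_ttl=90 * DAY)
    app1, app2 = App("app1", HOUR), App("app2", HOUR)
    out = []
    o, c1 = app1.request(None, None, idp, now=0)      # nothing anywhere: IdP shows login page
    out.append(o)
    sso = idp.login("alice", now=0)                   # user types credentials once
    o, c1 = app1.request(None, sso, idp, now=1)       # assertion issued, app1 session created
    out.append(o)
    o, _ = app2.request(None, sso, idp, now=60)       # app2: no session -> /authorize -> silent
    out.append(o)
    o, c1 = app1.request(c1, sso, idp, now=2 * HOUR)  # app1 session lapsed, IdP's has not
    out.append(o)
    o, _ = app1.request(c1, sso, idp, now=91 * DAY)   # both gone: credentials again
    out.append(o)
    return out
```

Run `scenario()` to see the five outcomes in order: the first visit and the visit after day 90 end at the login page, every other visit is satisfied silently by the IdP session, including app1's visit after its own 1-hour session has lapsed.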

Spring Cloud OAuth2 SSO and refresh token

Here is the scenario:
Web App (webapp) authentication uses OAuth Authorization Server SSO
by setting spring.oauth2.sso.* properties.
The user authenticates and the webapp now has the user credentials and the access_token. The application then uses this token to call certain microservices on the backend.
When the token expires it will eventually get 403 Unauthorized.
Since we don't have a refresh token, should we just force the user to log in again?
What if we want the user to stay logged in longer than the token's TTL?
Any thoughts?
If I understand your question correctly, absent a refresh token, the user will need to log in again, as this is the only way to get a new access token without one.
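As an added example (not Spring Cloud or Spring Security OAuth code) of the point in the answer above: a toy OAuth2 authorization server, backend and web app where the only difference between the two runs is whether the token response carries a refresh token. Without one, the web app can only send the user back through login once the access token's TTL passes; with one it refreshes in the background. The class names, the 600-second TTL, the 401 the backend returns for an expired token, and refresh-token rotation are my choices for the model, not something the thread states.

```python
"""Added example: what a refresh token changes for a web app calling a backend.
Not Spring code. TTLs, status codes and rotation behaviour are modelling choices."""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    access_ttl: int
    issue_refresh: bool
    _access: dict[str, tuple[str, int]] = field(default_factory=dict)  # token -> (user, exp)
    _refresh: dict[str, str] = field(default_factory=dict)             # token -> user

    def _grant(self, user: str, now: int) -> dict:
        tok = secrets.token_urlsafe(16)
        self._access[tok] = (user, now + self.access_ttl)
        resp = {"access_token": tok, "expires_in": self.access_ttl}
        if self.issue_refresh:
            resp["refresh_token"] = secrets.token_urlsafe(16)
            self._refresh[resp["refresh_token"]] = user
        return resp

    def interactive_login(self, user: str, now: int) -> dict:
        """The SSO login the user goes through in the browser (credentials entered)."""
        return self._grant(user, now)

    def refresh(self, refresh_token: str, now: int) -> dict | None:
        """grant_type=refresh_token. Rotates: the presented refresh token is consumed."""
        user = self._refresh.pop(refresh_token, None)
        return None if user is None else self._grant(user, now)

    def introspect(self, access_token: str, now: int) -> str | None:
        entry = self._access.get(access_token)
        return entry[0] if entry and entry[1] > now else None


@dataclass
class Backend:
    """Resource server: accepts the access token only while it is unexpired."""
    auth: AuthServer

    def call(self, access_token: str, now: int) -> int:
        return 200 if self.auth.introspect(access_token, now) else 401


@dataclass
class WebApp:
    auth: AuthServer
    backend: Backend
    tokens: dict = field(default_factory=dict)  # the token response kept in the user's session

    def login(self, user: str, now: int) -> None:
        self.tokens = self.auth.interactive_login(user, now)

    def fetch(self, now: int) -> str:
        """Call the backend. On 401, try the refresh token; failing that, the user
        has to log in again because nothing else can mint a new access token."""
        if self.backend.call(self.tokens.get("access_token", ""), now) == 200:
            return "ok"
        rt = self.tokens.get("refresh_token")
        fresh = self.auth.refresh(rt, now) if rt else None
        if fresh is None:
            self.tokens = {}
            return "login_required"
        self.tokens = fresh
        return "refreshed" if self.backend.call(fresh["access_token"], now) == 200 else "login_required"


def scenario(issue_refresh: bool) -> list[str]:
    """Access TTL 600 s; calls at t=10, t=900 (token expired) and t=910."""
    auth = AuthServer(access_ttl=600, issue_refresh=issue_refresh)
    app = WebApp(auth, Backend(auth))
    app.login("alice", now=0)
    return [app.fetch(now=10), app.fetch(now=900), app.fetch(now=910)]
```

`scenario(False)` stops at `login_required` from the second call onwards; `scenario(True)` shows the refresh at t=900 and a normal call afterwards. The rotation in `refresh` means a leaked, already-used refresh token is worthless, which is why the test also checks that presenting the same refresh token twice fails.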

Can I renew facebook token automatically?

I am working on a collaborative web platform in Ruby on Rails, and it's connected with a Facebook app (v2) via the Koala gem.
When a user registers with a Facebook account, there is a Facebook token (expires after 60 days).
The questions:
1- When and how do I renew the token in normal cases?
2- Can I renew the token for 60 days again before the end of the token's validity?
3- Can I renew the token automatically when the user uses his account in the app with an old session (without a new sign-in), or must the user sign out and sign in again to renew the token?
I saw this answer, but users' tokens don't renew automatically when they visit the site with old sessions (without signing in). Do I have to end their sessions automatically to force them to sign in again?
1 - When the user visits your App again
2 - Afaik you can only refresh them after the old one is not valid anymore. Not entirely sure about that though, as I have never tried.
3 - You can only renew the token with user interaction. If it were possible to auto-renew, there would be no need for short- and long-lived tokens at all.
Btw, renewal is very easy with the JavaScript SDK, by just calling FB.getLoginStatus on page load. In general, try to avoid using Tokens while the user is offline.

How to create never expires Acess Token for Facebook app

I created a Facebook app; now the access token is for 60 days, but I want to extend it to a never-expiring access token. If you have any information, please let me know.
There is no such thing as an access token that 'never expires'. Please read the Access Token Documentation. The best you can do is to get a token which is valid for 60 days and extend it after it has expired.
Native mobile applications using Facebook's SDKs will get long-lived access tokens, good for about 60 days. These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
Access tokens on the web often have a lifetime of about two hours, but will automatically be refreshed when required. If you want to use access tokens for longer-lived web apps, especially server side, you need to generate a long-lived token. A long-lived token generally lasts about 60 days.

Please verify my understanding of extending Facebook Access Tokens

I have an application which will make posts on multiple user profile pages and Fan Pages.
To obtain permission to do this, the app will process a client side auth and obtain the short-lived access token for each user who uses the app.
My app will then immediately exchange that for a 60 day long-lived access token, and store this for future use in a local DB. The app will then be able to update that users profile and pages for up to 60 days, whether the user is logged into FB or not.
The next bit is the important bit:
Each time the user uses my app, my app will test the validity of the current access token, in case the user has changed their password etc, or the 60 days have elapsed.
If the access token is no longer valid, my app will seek to obtain a new one.
If the user is not logged into Facebook at this point, it is my understanding that I will have to prompt a login and force a client side auth, to obtain a new short-lived access token which I will have to exchange for a new 60 day long-lived token.
Is this correct? I.e. that the user has to log in again? I.e. there is no way to process the access_token update on the server side?
Also, is it the case that the 60-day expiry only applies in respect of user access tokens, and does not apply in respect of page access tokens?
thx
Is this correct? I.e. that the user has to log in again? I.e. there is no way to process the access_token update on the server side?
No. You need a valid short-lived user access token first, and that you get through the process of client-side login.
Also, is it the case that the 60-day expiry only applies in respect of user access tokens, and does not apply in respect of page access tokens?
Correct, page tokens do not expire by default, if they were obtained using a long-lived user access token.
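The server-side token handling discussed in the last three threads, written out as an added example that is not the posters' code and does not use the Koala gem. It stores the long-lived token with its expiry, exchanges a fresh short-lived token through /oauth/access_token with grant_type=fb_exchange_token, checks a stored token with /debug_token before use (which also catches a password change or revoked permission), and returns None when the user has to go through the client-side login again, since there is no server-side path without a fresh short-lived token. HTTP goes through an injected callable so the block runs offline against the constructed FakeGraph below; the JSON response shapes in the fake (access_token/expires_in, data.is_valid/expires_at) are my assumption about the Graph API and should be checked against the current documentation.

```python
"""Added example: storing, checking and re-obtaining long-lived Facebook user tokens
on the server. Not the Koala gem, not from the thread. FakeGraph is a constructed
offline stand-in for graph.facebook.com; its response shapes are assumed."""
from __future__ import annotations
from urllib.parse import urlsplit, parse_qs, urlencode

GRAPH = "https://graph.facebook.com"
DAY = 86400


class FacebookTokens:
    """Server-side store of long-lived user tokens for one Facebook app."""

    def __init__(self, app_id: str, app_secret: str, http_get, now_fn):
        self.app_id, self.app_secret = app_id, app_secret
        self.http_get = http_get          # callable(url) -> parsed JSON dict
        self.now = now_fn
        self.db: dict[str, dict] = {}     # user_id -> {"token": str, "expires_at": int}

    def exchange(self, user_id: str, short_lived: str) -> None:
        """Swap a fresh short-lived token (from the client-side login) for a long-lived
        one (~60 days) and store it. Needs a fresh short-lived token every time."""
        q = urlencode({"grant_type": "fb_exchange_token", "client_id": self.app_id,
                       "client_secret": self.app_secret, "fb_exchange_token": short_lived})
        resp = self.http_get(f"{GRAPH}/oauth/access_token?{q}")
        if "error" in resp:
            raise RuntimeError(resp["error"]["message"])
        self.db[user_id] = {"token": resp["access_token"],
                            "expires_at": self.now() + int(resp["expires_in"])}

    def is_valid(self, token: str) -> bool:
        """Ask Facebook whether the token is still good, authenticating with the
        app token (APP_ID|APP_SECRET). Catches revocation as well as expiry."""
        q = urlencode({"input_token": token,
                       "access_token": f"{self.app_id}|{self.app_secret}"})
        data = self.http_get(f"{GRAPH}/debug_token?{q}")["data"]
        return bool(data.get("is_valid")) and int(data.get("expires_at", 0)) > self.now()

    def token_for(self, user_id: str) -> str | None:
        """Token to use for this user, or None: the stored token is unusable and the
        user has to go through the client-side login again (no server-side renewal)."""
        rec = self.db.get(user_id)
        if rec is None or rec["expires_at"] <= self.now():
            return None
        if not self.is_valid(rec["token"]):
            del self.db[user_id]
            return None
        return rec["token"]


class FakeGraph:
    """Constructed offline stand-in for the Graph API (response shapes assumed)."""

    def __init__(self, now_fn):
        self.now = now_fn
        self.short: dict[str, tuple[str, int]] = {}   # short token -> (user, expires_at)
        self.long: dict[str, int] = {}                # long token -> expires_at
        self.revoked: set[str] = set()

    def client_login(self, user: str) -> str:
        """What the browser-side login hands back: a ~2 hour short-lived token."""
        tok = f"short-{user}-{self.now()}"
        self.short[tok] = (user, self.now() + 2 * 3600)
        return tok

    def __call__(self, url: str) -> dict:
        u = urlsplit(url)
        q = {k: v[0] for k, v in parse_qs(u.query).items()}
        if u.path == "/oauth/access_token" and q.get("grant_type") == "fb_exchange_token":
            user, exp = self.short.get(q["fb_exchange_token"], ("", 0))
            if exp <= self.now():
                return {"error": {"message": "short-lived token invalid or expired"}}
            tok = f"long-{user}-{self.now()}"
            self.long[tok] = self.now() + 60 * DAY
            return {"access_token": tok, "token_type": "bearer", "expires_in": 60 * DAY}
        if u.path == "/debug_token":
            exp = self.long.get(q["input_token"], 0)
            valid = q["input_token"] not in self.revoked and exp > self.now()
            return {"data": {"is_valid": valid, "expires_at": exp}}
        raise ValueError(url)


def scenario() -> list[str]:
    clock = {"t": 1_000_000}
    now = lambda: clock["t"]
    fb = FakeGraph(now)
    store = FacebookTokens("APP_ID", "APP_SECRET", fb, now)
    state = lambda: "usable" if store.token_for("u1") else "login_required"
    out = [state()]                                  # never logged in
    store.exchange("u1", fb.client_login("u1"))      # client-side login, then exchange
    out.append(state())                              # long-lived token stored
    clock["t"] += 30 * DAY
    out.append(state())                              # still inside the 60 days
    fb.revoked.add(store.db["u1"]["token"])          # e.g. the user changed their password
    out.append(state())                              # debug_token says invalid -> re-login
    store.exchange("u1", fb.client_login("u1"))      # user logged in again client-side
    clock["t"] += 61 * DAY
    out.append(state())                              # expired; nothing the server can do alone
    return out
```

`scenario()` walks the lifecycle the last poster describes: nothing usable before the first client-side login, a usable token for the next 60 days, an invalidated token (password change) detected by /debug_token and purged, and an expired token after day 60, both of which send the user back through the client-side login. Page tokens are not modelled here; per the answer above they follow from the long-lived user token rather than from this exchange.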