Issue with AzureAD Authentication in iOS app - swift

We have created an app that uses Azure AD authentication and are now facing an issue with acquiring a refresh token using the MSAL library.
The issue is that whenever the authentication token expires (I believe the expiry time is 1 hr), I get HTTP status code 200 with an HTML response, which is Microsoft's login page.
I believe we should be getting 400 or 401 when the token expires, but somehow we are getting 200 with an HTML response.
We have also used the AcquireTokenSilent() method suggested in the following guide, but nothing changes.
https://learn.microsoft.com/ja-jp/azure/active-directory/develop/scenario-desktop-acquire-token?tabs=macOS
Microsoft Authenticator is allowing the user to log in.
Does anyone have any idea on how to troubleshoot this issue?
Thanks in advance

400 means Bad Request and 401 means Unauthorized. In case of token expiry you should get 401 (Unauthorized). MSAL doesn't actually issue tokens or decide a token's expiration, but rather ingests an acquired token from the Azure AD STS. MSAL will automatically refresh your access token after expiration when calling AcquireTokenSilentAsync. You're likely not getting automatic silent refreshes due to some kind of token cache miss. It's hard to say what the specific issue is without seeing your code.
In your backend you can first check whether the user is authenticated; if they are, then return the response. If not, then instead of executing the method you should return 401 (Unauthorized).

Related

Kuzzle : Insufficient permissions to execute this action

I am using the JS SDK of Kuzzle.
Sometimes (after a few days of running) all requests fail and I get:
"Insufficient permissions to execute this action"
What's the best method to avoid it?
Should I check that the JWT token is still valid before each request?
Or how can I get notified of token expiration (I set it to 1 year)?
This error message indicates that your current user does not have the permissions to execute this API action.
The error message is different when the anonymous user (the default user when you are not authenticated) tries to execute an API action that needs authentication.
See the differences between error 401 and 403 here.
About your authentication token, it's considered bad practice to have an authentication token that lasts a long period of time (even if a Kuzzle authentication token can be revoked).
You should rather use the auth:refreshToken method to regularly refresh your authentication token.
Actually, Kuzzle sends a notification indicating that the current token is expired only when a subscription has been made to the realtime engine.
This will certainly be extended to any persistent connection made to Kuzzle in a next release.
Concerning your use case, you may want to use an API key to authenticate your SDK instance. They are revocable and can have an infinite duration.

REST unauthorized error meaning

I am asking maybe an open question about REST authentication practice. We use OpenID to authenticate with REST API. However there are some API where we do POST with body that also contain a secret (to support certain business rules). Now, if that secret is wrong am I still fine to return a 401 error? Does REST prescribe (like HTTP does) where token, password, secret should go in a REST call (e.g. always in HTTP Authorization header...)?
Thanks
The 401 Unauthorized error is an HTTP status code that means the page you were trying to access cannot be loaded until you first log in with a valid user ID and password. If you have just logged in and received the 401 Unauthorized error, it means that the credentials you entered were invalid for some reason.

Clarification on PayPal OAuth 2.0 Regarding Access/Refresh Tokens

I am working on putting an application together that uses PayPal's REST APIs, starting with the invoicing API.
I am used to getting an Access Token and a Refresh Token with other implementations of OAuth 2.0 (ie, Google, MS, etc), but it seems PayPal has done away with Refresh Tokens in this instance.
Could I get some clarification? When the original access token expires, should I just request a new one? Or should I be receiving a refresh token as well and refreshing the Access Token using that?
Thanks!
Reference: Access token validity and expiration
As the document mentions, you should request a token and reuse it until it expires. Don't request a new token per session (and actually you will still get the same one before it expires). It means that you should only request a new token when you get an HTTP 401 response, and replace the old token with the new one.

How to check microsoft live account REST API Token is valid(Expired) or not by using Access Token?

I am trying to connect a Microsoft Live account with my website. I got an offline refresh token and an access token with expiration time by using Microsoft's documentation.
Now the question is how to check whether the token is valid (expired) or not. Which URL gives the answer?
The response that returns the access_token and refresh_token should also contain an expires_in value that you can use to calculate how long the access_token should be cached. Once the cached token gets close to expiration you can trigger a preemptive refresh.
However, even with a preemptive refresh your application should be on the lookout for 401 responses from the OneDrive API, and use those as a trigger for a refresh. If you want to make a request solely to validate the current token is still good you could hit something like the following - but it won't tell you how long it has left, only whether it's ok at this instant:
HEAD https://api.onedrive.com/v1.0/drive
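The PayPal answer above (reuse the token until a 401, then replace it), the Kuzzle answer (refresh regularly rather than issuing long-lived tokens) and this OneDrive answer (cache by `expires_in`, refresh preemptively, and still treat a 401 as a refresh trigger) all describe the same client-side token lifecycle. The following is an added example of that lifecycle; it is not code from any of the answers or from the PayPal, Kuzzle or OneDrive SDKs. The token endpoint and the API are constructed stand-ins injected by the caller, and the transport functions are synchronous so the logic can be exercised without an event loop (with a real `fetch` you would `await` the same calls).

```javascript
// Added example: cached access token with expiry skew, preemptive refresh,
// and a single 401-triggered refresh-and-retry (no refresh loops).
class TokenClient {
  // fetchToken: () => ({ access_token, expires_in })   token endpoint (assumed response shape)
  // send:       (url, init) => ({ status, ... })        resource API transport
  // skewSeconds: refresh this long before the recorded expiry, to absorb clock drift
  constructor({ fetchToken, send, skewSeconds = 60, now = () => Date.now() / 1000 }) {
    this.fetchToken = fetchToken;
    this.send = send;
    this.skewSeconds = skewSeconds;
    this.now = now;
    this.token = null;    // cached access_token
    this.expiresAt = 0;   // epoch seconds, computed from expires_in
    this.refreshes = 0;   // token requests made, for inspection in the demo
  }

  // Reuse the cached token until it is within skewSeconds of expiry, then
  // request a new one before the API ever has to answer 401.
  getToken(force = false) {
    if (!force && this.token && this.now() + this.skewSeconds < this.expiresAt) return this.token;
    const { access_token, expires_in } = this.fetchToken();
    this.token = access_token;
    this.expiresAt = this.now() + Number(expires_in);
    this.refreshes += 1;
    return this.token;
  }

  // On 401 refresh once and retry once; a second 401 goes back to the caller
  // so a revoked credential surfaces as an error instead of a refresh storm.
  request(url, init = {}) {
    let res = this._authed(url, init, this.getToken());
    if (res.status === 401) res = this._authed(url, init, this.getToken(true));
    return res;
  }

  _authed(url, init, token) {
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
    return this.send(url, { ...init, headers });
  }
}

// Constructed stand-in for a token endpoint plus a resource API: issues
// sequential tokens and answers 401 for any token it no longer accepts.
function makeFakeBackend() {
  let issued = 0;
  const valid = new Set();
  return {
    fetchToken: () => {
      issued += 1;
      const t = `tok${issued}`;
      valid.add(t);
      return { access_token: t, expires_in: 3600 };
    },
    revokeAll: () => valid.clear(),
    send: (url, init) => {
      const m = /^Bearer (\S+)$/.exec(init.headers.Authorization || '');
      return m && valid.has(m[1]) ? { status: 200, url } : { status: 401, url };
    },
  };
}

// Walk through the three situations the answers describe and report what the
// client did at each step.
function runDemo() {
  const backend = makeFakeBackend();
  let clock = 1700000000;                       // constructed epoch clock
  const client = new TokenClient({ fetchToken: backend.fetchToken, send: backend.send, now: () => clock });
  const steps = [];
  steps.push({ step: 'first call', status: client.request('/v1.0/drive').status, refreshes: client.refreshes });
  steps.push({ step: 'cached reuse', status: client.request('/v1.0/drive').status, refreshes: client.refreshes });
  clock += 3600 - 30;                           // inside the skew window, token still accepted
  steps.push({ step: 'preemptive refresh', status: client.request('/v1.0/drive').status, refreshes: client.refreshes });
  backend.revokeAll();                          // server-side revocation, client unaware
  steps.push({ step: '401 then retry', status: client.request('/v1.0/drive').status, refreshes: client.refreshes });
  return steps;
}

module.exports = { TokenClient, makeFakeBackend, runDemo };
```

Two details are worth keeping when adapting this: the skew means the client almost never sends a token it knows is about to expire, and the retry is bounded to one attempt so that a revoked or rejected credential cannot turn into an unbounded loop against the token endpoint.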

Getting OAuth token rejected when trying use the v2 API Explorer for Intuit IPP for QBD

I logged into the API explorer and authorized my dummy company file here: http://idsapiexplorer.cloudapp.net/V2QBD#api
It is indicating everything is ok:
When I try to make a request, I keep getting the following response:
Here is the ErrorDesc:
<ErrorDesc>message=Exception authenticating OAuth; errorCode=003200; statusCode=401; source=OAuthStrategy; oauth_problem=token_rejected; cause=net.oauth.OAuthProblemException: token_rejected</ErrorDesc>
I'm guessing I'm probably not using this correctly. Is there any more documentation I can read to learn? Or is there an actual problem happening that is causing this error? Any help is appreciated.
The error means the token was not found, has expired, or is invalid.
I would try refreshing your access token, and you should be all set.
thanks
Jarred