i am using js sdk of kuzzle,
sometimes (after few days of running) all request fails and i get:
"Insufficient permissions to execute this action"
what's the best method to avoid it ?
Should i check the jwt token is still valid before request ?
or how to get notified of token expiration (i set it to 1 year) ?
This error message indicate that your current user does not have the permissions to execute this API action.
The error message is different when the anonymous user (default user when you are not authenticated) try to execute an API action that's need to be authenticated.
See the differences between error 401 and 403 here
About your authentication token, it's considered as a bad practice to have an authentication token that last a long period of time. (Even if Kuzzle authentication token can be revoked).
You should rather use the auth:refreshToken method to regularly refresh your authentication token)
Actually Kuzzle send a notification indicating that the current token is expired only when a subscription has been made to the realtime engine.
This will certainly be extended to any persistent connection made to Kuzzle in a next release.
Concerning your usecase, you may want to use an API key to authenticate your SDK instance. There are revocable and can have infinite duration.
Related
Please I would like to know how do I keep a user logged in using JWT through a REST API.
Because the token given by JWT expires within a particular time frame and within this time frame it could be possible that the user is still on the app.
I am thinking of allowing the client side application to make asynchronous requests when the token expires.
But the one would also make the client side stall a bit because the token is invalid.
If you have this kind of expiration time, you must renew the token before it expires. You need to add this feature to the client side code. It will be hard with a sync client. Another way is renewing it when the sync client runs on the error message about the expiration and resend the last request, so it can be added to the error handling. If so, then it can be generalized in the error handling code.
We have created a app that uses Azure AD authentication and now facing issue with acquiring refresh token using MSAL library.
The issue that when ever authentication token expires(I believe expiry time is 1hr), I get HTTP status code 200 with HTML response which is Microsoft's login page.
I believe we should be getting 400 or 401 when token expires but somehow we are getting 200 with HTML response.
We have also used AcquireTokenSilent() method suggested in following guide but nothing changes.
https://learn.microsoft.com/ja-jp/azure/active-directory/develop/scenario-desktop-acquire-token?tabs=macOS
Microsoft authenticator allowing user to login.
Does anyone have any idea on how to troubleshoot this issue?
Thanks in advance
400 code means bad request and 401 means Unauthorized. In case of token expire you should get 401 ( Unauthorized ). MSAL doesn't actually issue tokens or decide a token expiration, but rather ingests an acquires token from the Azure AD STS. MSAL will automatically refresh your access token after expiration when calling AcquireTokenSilentAsync. You're likely not getting automatic silent refreshes due to some kind of token cache miss. It's hard to say the specific issue without seeing your code
In your backend you can first check if the user is authenticated if it is then return the response. If not, then instead of executing the method you should return 401 (Unauthorized).
I'm trying a simple request to sandbox:
https://sandbox-api.uber.com/v1.2/requests/current
with token generated with my account: tristan.tran89#gmail.com and get a 403: forbidden error.
Same request with a different account does not return a forbidden. Can someone please verify why it's being blocked on my account?
That is typically what the 403 error indicates. Strictly it is saying that the token you sent does not have access to the resource. This could mean it's been corrupted, it expired, or the user revoked access.
If the current application is the one that booked the trip then requests/current should be able to be accessed.
In your case, you are calling GET v1.2/requests/current with an access token that has the request scope but not the all_trips scope. That means that the endpoint will respond with the current trip only if it was booked by your application. In the case that the user is on a current trip but it was booked by another application or the Uber app, you will get a 403. In the more common case that the user is not on a trip at all, you will get a 404.
If you wanted to be able to give status updates for any trip that a user takes, you would want to get the all_trips scope during OAuth.
I am trying to connect with microsoft live account with my website. I got offline refershtoken and accesstoken with expiration time by using documentation of microsoft.
Now the Question is how to check the token is valid(Expired) or not? Which url is giving the answer?
The response that returns the access_token and refresh_token should also contain an expires_in value that you can use to calculate how long the access_token should be cached. Once the cached token gets close to expiration you can trigger a preemptive refresh.
However, even with a preemptive refresh your application should be on the lookout for 401 responses from the OneDrive API, and use those as a trigger for a refresh. If you want to make a request solely to validate the current token is still good you could hit something like the following - but it won't tell you how long it has left, only whether it's ok at this instant:
HEAD https://api.onedrive.com/v1.0/drive
I have application that continuously running in background. The app uses UCWA REST api. After authentication I get OAuth token and some expiration time. Authentication docs say "The lifetime of a token is eight (8) hours for authenticated users. The client application should monitor the expiration time and refresh the token as required".
So, when is it required to refresh token? What expiration time should I have in reserve when starting refreshing token? 1, 10 or 60 minutes? What are OAuth best practices?
The response from ticket service will provide the user with the OAuth token, type of token, and an expiration value. This value is measured in seconds which means you can divide out minutes (60) or hours (3600) to get a value that you can expect requests to start failing with 401 Unauthorized. Monitoring is most useful when the application is using anonymous meeting join because the token expiration is much shorter, ~1 hour, and it is the only authentication mechanism to directly offer renewing a token.
This leads to two potential approaches:
If using anonymous meeting join
Check expiration value found in authentication response and start a timer less than the expected value (maybe 1-3 min less)
When timer expires refresh the OAuth token
If not using anonymous meeting join
Send requests until a 401 occurs
Check response headers for WWW-Authenticate and send another authentication request to get new token
Re-issue request with new token
It is better to wait for the 401 to come before taking action to refresh the token in a non-anonymous meeting join scenario.