I am developing a Flutter application and I am using OAuth2 for authentication. The application can't be used if you are not logged in, it just shows a login screen and forces you to log in.
When I log in, I receive the following information from the authentication server:
access token
access token lifetime
refresh token
refresh token lifetime
When the access token is about to expire, I want to get a new one by sending refresh token to authentication server.
How would I implement the refresh token mechanism? I want to update the access token every time before it expires, even if user is not using the application (it is closed). If user needed to log in every time he opens the application, it would be very bad user experience. To avoid this, I want to refresh the token in background.
How can I achieve this to work on Android and iOS? Preferably without writing any native code for each of the platforms.
You can use Future.delayed to refresh the token before the expiration.
You can also run this part of code in background with background processes but your application must be in background.
Related
Facebook documentation states that
. At any point, you can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token - how this appears to the person will vary based on the type of login flow that you are using, for example if you are using the JavaScript SDK, this will take place in the background, if you are using a server-side flow, the browser will quickly redirect to the Login Dialog and then automatically and immediately back to your app again.
What does it mean that the person does not actually need to login? Does not he have to pass his credentials again? If not how does FB is authenticating the user and getting the refreshed access token?
Yes but you need that the user visits your web app. Then you check for login status, if it is "connected" you will get a new short-lived token without even making the user login again. That's because the token has information about apps already authorized by user. If not the case or the user hasn't login in FB then you need to call the login function.
Once you have the token you can create a new long-lived token again.
My extension needs to periodically send some data (in the background) to the the server with auth information about the user from FB. So I obvisouly need to send FB token with the data.
Right now I am opening https://www.facebook.com/dialog/oauth?client_id=<APP_ID>&response_type=token&redirect_uri=http://www.facebook.com/connect/login_success.html in a new tab, then retrivieng a token from a hash (using background page), then storing it in localStorage.
But lets say user closes his browser and opens it after the token expires. How should I retrieve a new one without user doing lots of additional clicks?
I'd suggest you should request long-lived token via your server and store that along with the calculated time of expiration that you can get from token debug API in the local storage. Then you refresh the token before it expires to avoid re-authentication.
I'm trying to create a server side access to a user's Facebook resources (photos/albums/etc).
I want that the user will authenticate once using its native mobile application, and that the server will be able to access user's data without the user interaction.
I'm trying to understand the steps I need to take in order to make it work.
I've read Facebook's: Login for Server-side Apps but I can't understand how to use the scenario proposed in there - because my server has nothing to do with user interaction (I cannot redirect the user to some login dialog) - the server is performing its own operation in the background whether the user is using its mobile application or not. What should I do upon token expiration for example?
More then that, I want that the user will be able to perform direct Facebook operation on the mobile itself, without the server intervention.
As I see it, this is the flow I would expect:
User's launches a native mobile application.
The user authenticates using Facebook's SDK on the native mobile app.
The user received a special token, that can be converted at server side to an access-token.
The token will be sent to the server and stored there.
If the server needs to access user's Facebook data, it uses this special token and converts it to an access token.
When the token expires - the server can extend it, using the special token, without any user interaction.
What data should be sent to the server from the mobile application after authentication. And how should the server use this data to access user's Facebook resources anytime?
I'm using the C# Facebook SDK for the server. But I think it is not that important, I need to understand the mechanics.
Tokens expire if the user does not continue to use the application. This is by design--an application should not continue to access the user's account if the user stops using the application.
When a user logs into your application, a token is given to your application, along with an expiration date for that token. You can use that token from your client or your server until it expires. However, there is nothing your server can do to extend the token if the user does not continue to use your application.
If the user continues to use your application, you will have an opportunity to update your server token. For example, in the Android and iOS SDKs, tokens are automatically refreshed if the user uses your application to make a facebook request. At that time, you can transmit the refreshed token to your server.
A lot of apps keep user logged in until user manually logs out like facebook, dropbox, etc.
I am wondering how they achieve it? There might be several approaches:
1)Do they store the username and password in a local storage, and automatically log the user in when they open the app again after a long time?
2)Or do they get a long-lived token from the server, and once the user login at very first time, the app gets a token from the server, later on they just use the token? The token will be valid until user manually logout from the app.
For #1, it will only work for native login, if an app supports "log in with facebook or twitter" it won't work.
So I just want to get an idea about how people achieve this feature? Is there any articles talk about it?
Most services like Facebook and Twitter use OAuth to manage the user session.
I use this external framework... https://github.com/nxtbgthng/OAuth2Client
It took me a while of reading and setting up to get right but it works now.
When the user logs in they get an auth token that contains an expiry date. When the expiry date comes the system automatically refreshes the token.
When I send a request to the server I send it via the OAuth framework and it adds the authorisation automatically.
I am trying to get a long-lived Facebook Access Token so my java servlet app can monitor and retrieve messages and such for my users without reauthorizing every hour or two.
I am using the server side oauth flow and have everything working perfectly but am not able to get tokens that are good for more than a day.
The first user authorization call is:
https://www.facebook.com/dialog/oauth?client_id=-----&client_secret=-----&scope=read_mailbox,manage_pages&force=true&state=-----&redirect_uri=http%3A%2F%2F127.0.0.1%3A7101%2FeStarGlobal-eStarGlobal-context-root%2FOAuthCallback%3BJSESSIONID%3DvS9lP9JcF3B86zD99KVNGXzn2snKRl4V48lkJQD51cvXhpnLsT06%21-281618363%211342018780176%3FAuthSource%3D1%26AuthType%3D1%26EmployeeId%3D97
The user authorizes my app and I receive the code on my callback URL and call for my access token:
https://graph.facebook.com/oauth/access_token?client_id=-----&client_secret=-----&code=---code from above---&redirect_uri=http%3A%2F%2F127.0.0.1%3A7101%2FeStarGlobal-eStarGlobal-context-root%2FOAuthCallback%3BJSESSIONID%3DvS9lP9JcF3B86zD99KVNGXzn2snKRl4V48lkJQD51cvXhpnLsT06%21-281618363%211342018780176%3FAuthSource%3D1%26AuthType%3D1%26EmployeeId%3D97
I receive a valid token that is good for about 6800 seconds and try to exchange it for a longer lived token:
https://graph.facebook.com/oauth/access_token?client_id=-----&client_secret=-----&grant_type=fb_exchange_token&fb_exchange_token=---token from above---
I get the same token with a slightly shorter expiration seconds.
I have enabled: Remove offline_access permission on my Facebook App page. I do not have an Enhanced Security Dialogs setting.
I changed the App Type from Web to Native/Desktop and that extends the expiration to about 89000 seconds or a day.
Any ideas would be greatly appreciated!
You say ' I do not have an Enhanced Security Dialogs setting.'
If that means you're not using the enhanced dialog - you need to to get the long-lived tokens.
If that means you don't have the option there to switch between enhanced and the old version, then it's probably not relevant - you should have the new one then