I understand that i can fetch web services client token through the url
https://www.yourmoodle.com/login/token.php?username=USERNAME&password=PASSWORD&service=SERVICESHORTNAME
and it works. I am getting a token and private token.
but i do not see a refreshtoken url. I can see the expiry date through moodle admin account.
Does anyone how to refresh moodle token?
what is the use of private token?
Thanks
It looks like there's no inbuilt functionality to refresh a token like the OAuth 2 spec. You would need to call the login/token.php again if your API call fails.
Unfortunately the login/token.php file only returns the token and may return the private token (Private token, only transmitted to https sites and non-admin users.). From the client's perspective there's no way to know when the token will expire.
References:
https://github.com/moodle/moodle/blob/master/login/token.php
https://github.com/moodle/moodle/blob/master/lib/externallib.php#L1034
Related
In my Java/Ionic2 application, I request, through REST services, authentication to Google Drive with the refresh token, and then with access_type=offline, as described here: https://developers.google.com/identity/protocols/OAuth2WebServer#refresh.
The server responds 200 OK, so it gives me a refresh and an access token, only the first time I request access. If I try to redo all the authentication process with an already authorized account, from the same browser, even after logging out, the server response does not give me the refresh token, but only the access token. why? Did anyone have such a problem? Thanks
AFAIK, refresh tokens are only provided on the first authorization from the user. You should only obtain a refresh token if your access token have expired and you need new access tokens. As discussed in token expiration, you must write your code to anticipate the possibility that a granted token might no longer work. That's were you will need a refresh token.
See this SO post for additional insights.
Here is the scenario:
Web App (webapp) authentication uses OAuth Authorization Server SSO
by setting spring.oauth2.sso.* properties.
User authenticates and webapp now have user credentials and access_token. Application then uses this token to call certain microservices on the backend.
When token expires it will eventually get 403 Unathorized.
Since we dont have refresh token should we just force user to login again?
What if we want user to stay logged in longer then token's TTL?
Any thoughts?
If I understand your question correctly, absent having a refresh token, the user will need to login again as this is the only way to get a new access token without it.
I have a mobile application talking to a backend. I am providing login to the app through LinkedIn. I checked the linkedIn api for oauth authentication and have followed the steps as given in this link
Oauth LinkedIn.
I am able to obtain the request token as per step 3. Now i am sending this request to my backend. In the backend i want to make sure that this request token is valid and has not expired.
How do i achieve this ? In FB authentication, they have provided an end point to which i post the access token (https://graph.facebook.com/app?access_token=)and it gives the expiry time, validity of token etc.
How do we do this with LinkedIn api, i searched their documentation, but no luck. Any help will be appreciated.
Thanks
There's no separate API that LinkedIn provides to inspect the token. However you do get a hint about the token expiry back in the response from the token endpoint when exchanging the code for an access_token in the expires_in parameter, e.g.:
{"access_token":"<>","expires_in":5183999}
which tells you that it is valid for 60 days. You could store that information together with the access token.
You can use "Token Introspection" endpoint to check the validity of your access token at any time.
https://learn.microsoft.com/en-us/linkedin/shared/authentication/token-introspection. Use Refresh token to refresh it before it expires.
Is it possible to renew the long-term oauth token for facebook before it expires, and if so, how is that accomplished? So far it seems facebook will only give back the old token with the same expiration date.
Edit: using server-side authentication, and not finding in the docs specific info on how to request a new short lived token and exchange it for a long-term token using server-side workflow.
https://developers.facebook.com/docs/authentication/server-side/
how is that accomplished?
By getting a new short-lived user access token first, and then sending it to the endpoint for extension.
So I have an app that needs to access public info, but needs an auth token. Specifically, I want to get the comments from public pages, and that requires an access token. Ideally, I'd like some sort of "global" auth token, since I'm not trying to access anything that isn't public anyway. Is there any way to have an app-level auth token?
Yes, you can authenticate as an application instead of using the user.
http://developers.facebook.com/docs/authentication/applications/