Access tokens only last a few hours and must be "refreshed" on a regular basis. According to the developer documentation a "refresh_token" is user to do this, however I am unable find where one obtains a refresh_token. Can anyone help?
Related
Is it possible to create a public OAuth Client id that never expires in Smartsheet using their simple developer account they provide?
They provide trial accounts, but my concern is what happens with the OAuth client when the account expires? Will the client expire to?
Developer accounts are fully featured and can participate in the OAuth flow.
The account would need to remain active for the client id to continue working. Trial accounts are just that - trials, so naturally you wouldn't want to setup anything permanent with an account you don't intend to keep.
You might be confusing client ids (essentially an identifier for your app) with access tokens? The client id would remain the same for the life of your app. Access tokens would need to be refreshed periodically. See the documentation for details.
As far as I thought, Instagram does not invalidate access tokens based on their documents. But for a few users of the thousands using one of my applications built on their API, that does not seem to be the case.
I originally referred to the following SO question when initially building the application, and a few others - but I came to the conclusion (or so I thought) that Instagram does not invalidate tokens, which does not seem to be true: Instagram access token expire
Our application makes requests on behalf of a user at specific times of the day. It is an application that users may only need to ever log into once to utilize the service.
Here, for example is a user who signed up 4 days ago - his service was working great until this morning, when testing his access token we were receiving this response:
{"meta": {
"error_type": "OAuthAccessTokenException",
"code": 400,
"error_message": "The access_token provided is invalid."
}}
Why would this be happening on an access token that was valid 4 days ago? We asked the specific user this error is being returned for if he revoked access to our application or anything along those lines, and he did not.
I'm curious if perhaps he changed his IG password which invalidated his access tokens for applications (Although that doesn't seem likely as to what would cause this?)
Does anyone else have experience with Instagram applications randomly invalidating access tokens?
Also, note that 99% of users who have been using our application for a month or more have never had this issue. We've only encountered 3 to 5 other accounts this has happened with.
It's not really random. In fact an access token can be invalided in this 2 cases:
the user changed his password or where forced to do so (when IG thinks your account has been compromised).
they deleted the app the access token is linked to. (Or IG forces the app to be deleted if they suspect spam behavior)
But they do not expire from time.
From own experience the token can expire if:
the user removes the app
the Instagram account gets temporary locked which can happen if the Instagram user logs in from an unknown device/location (e.g. another country). The user is being asked to confirm identity by inserting an SMS code.
The second scenario is probably an Instagram bug. Why would the app token expire each time the account gets temporary locked? Would like to get an answer from Instagram as well.
NOTE: The token does not expire if user changes password.
Primary question:
Is there any (supported/non-hacky) way to use Quickbooks Online and Customer Account Data APIs without involving a browser at all, i.e. making an API request from a server?
Commentary:
The IPP docs only mention saml and 3-legged oauth, which seems to imply that any authentication and subsequent api calls must come from a browser.
Note that this is not satisfactorily answered by this:
How can I use API to get quickbooks data without browser based OAUTH?
, as that answer:
is not by Intuit and does not point to an Intuit source
suggests a hacky solution: a user/browser authenticates, after which the oauth/etc. credentials are stored and reused. This seems like a particularly bad idea for long-term use unless explicitly approved by Intuit, due to the fact that the apis may (and probably will) expire any oauth/saml tokens at some point.
No, to get accessToken and accessSecret you need to use a browser.
As you have mentioned, your 2nd option is the only way to achieve this. i.e reusing stored tokens.
PN - OAuth tokens are valid for 180 days. Before the token expires, your app can obtain a new token to provide uninterrupted service by calling the Reconnect API. You can automate this part by writing a small program which will call ReconnectAPI when tokens are older than 150 days.
Ref - Manage OAuth Tokens
You can generate OAuth tokens(for the very first time) from here - IPP OAuth Playground
CAD
Here, OAuth tokens are valid for 1 hour. After an hour, your application will have to issue another SAML assertion again to request a new OAuth token to use. The token should only be persisted during your user's session, and then destroyed.
Ref - CAD SAML
Thanks
is there a possibility to check when a fb-token will expire?
I've read Authenticating as an app and Handling invalid and expired access tokens and searched the interwebs for an answer but I couldn't find any.
Regards, Senad
The good news is, there's an endpoint for it now.
You can retrieve the information related to a particular Access Token by issuing a GET request to the debug_token connection. Something like:
GET /debug_token?
input_token={input-token}&
access_token={access-token}
You can get more information about it in the Getting Info about Tokens and Debugging reference.
Unfortunately there's no specific endpoint that will tell you if an access_token is still valid or not, but you can use the token to fetch anything and see if it return an error or not.
However if you are using the server side flow for authentication, they will send you an expire parameters that will hold the time in seconds that the token will remain valid (the sdk may hide this fact from you).
But as the Handling invalid access tokens page explains, there's a number of reasons why an access_token can go invalid so the expire field alone won't be able to tell you if the token is valid at the moment or not, so the only way to find out is to try using it and see if its returns an error, as the Handling expired... page states, you will have to be prepared for any graph request return errors.
You can manually check it here for a given access token:
https://developers.facebook.com/tools/debug
I am working with Oauth2.0. In that i could able get the access_token and instance_url. Is there any expiry time for these two.
Can I store them and use it for all my REST calls without getting the new access_token and the instance_url. Is it possible for me to use it for long hours or even days.
The access token is only valid for the length of a session (as defined in the Salesforce Org's settings — I believe the longest this can be is 8 hours without activity), as it's actually a session ID, that said, you should also be given a refresh token. The refresh token has a much longer lifetime and can be used to authenticate the user once the session has expired, without them having to enter any credentials — this allows you to do it in the background without them even having to concern themselves with the login process.
model metrics do a good job of explaining the token flow here.