i want to use MS graph api, i have CODE, and i need to exchange code for access token, when i post request, like in docs i get this answer
{
"token_type": "Bearer",
"scope": "mail.read mail.send user.read user.read.all",
"expires_in": 3599,
"ext_expires_in": 0,
"access_token": "blah blah blah ..... §§&&##"
}
and this token will expire in 1 hour, i found, that i need refresh_token to extend token next time, but i havent got any in response with access_token
any solution?
Thanks
Looking at the documentation for Active Directory Tokens, you need to request the offline_access scope in your authorization code request and your token request.
Related
I'm trying to use instagram api to show #'s on my webpage but i need to generate user token for instagram tester. I followed the documentatio (created an application, use my page url, sent invitation for instagram tester and accepted it) but when i click on generate token for instagram tester it displays a pop-up window to allow permissions, then it shows nothing. I tried with another account, creating a different application but the result is the same.
Facebook token generator seems to be broken, but you can generate your own long-lived access token following OAuth2 workflow (replace {} placeholders with your own values):
In your browser, go to:
https://api.instagram.com/oauth/authorize?client_id={your-client-id}&client_secret={your-client-secret}&redirect_uri={a-valid-redirect-url}&scope=user_profile,user_media&response_type=code
Login to your Instagram account and accept your application to access your data
You should be redirected to {a-valid-redirect-url}?code=xxxxx#_ then copy to {code} query string value without the #_ at the end
Use Postman to execute a POST request to https://api.instagram.com/oauth/access_token with x-www-form-urlencoded params
client_id: {your-client-id}
client_secret: {your-client-secret}
grant_type: authorization_code
redirect_uri: {a-valid-redirect-url}
code: {the code you extracted from query string}
You should get a short-lived access-token response such as:
{
"access_token": "IGQVxxxxxxxxxx…",
"user_id": xxxxxxxxxx
}
Exchange your short-lived access-token with a long-lived one: use Postman to execute a GET request to https://graph.instagram.com/access_token with query params:
client_id: {your-client-id}
client_secret: {your-client-secret}
grant_type: ig_exchange_token
access_token: {the short-lived access_token}
You should get a long-lived access-token response such as:
{
"access_token": "IGQxxxxx…",
"token_type": "bearer",
"expires_in": 5169852
}
I'm using Keycloak with Google as identity provider. I need a refresh token from Google in order to manage the calendar of users. Here are my Keycloak Google IDP settings:
After login I fetch the refresh token according to https://www.keycloak.org/docs/latest/server_development/index.html#retrieving-external-idp-tokens. Which looks like this:
{
"access_token": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"expires_in": 3599,
"refresh_expires_in": 0,
"refresh_token": "YYYYYYYYYYYYYYYYYYYYYYYYYYYY",
"token_type": "Bearer",
"id_token": "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ",
"not-before-policy": 0,
"scope": "openid https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile",
"accessTokenExpiration": 1593706596
}
Now the problem is when I login a second time and then try to fetch the refresh token again it's gone:
{
"access_token": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"expires_in": 3599,
"refresh_expires_in": 0,
"token_type": "Bearer",
"id_token": "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ",
"not-before-policy": 0,
"scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid",
"accessTokenExpiration": 1593706782
}
I'm really not sure how this is possible. One thing that came to my mind is that Keycloak is not respecting the "Request refresh token" setting on subsequest logins, but I don't know how to verify this.
It's not a Keycloak bug, it's a Google specification. The refresh_token is only provided on the first authorization from the user. Here the documentation of this behavior:
refresh_token: A token that you can use to obtain a new access token. Refresh tokens are valid until the user revokes access. Again, this field is only present in this response if you set the access_type parameter to offline in the initial request to Google's authorization server. - source
If you want to get the refresh token again you must:
Go to the page showing Apps with access to your account: https://myaccount.google.com/u/0/permissions.
Under the Third-party apps menu, choose your app.
Click Remove access and then click Ok to confirm
The next OAuth2 request you make will return a refresh_token (providing that it also includes the 'access_type=offline' query parameter.
related to this answer
I'm trying to perform a request in Microsoft Graph like this one with Postman
https://graph.windows.net/<Tenant>/users?api-version=1.6
For the Authorization, I'm using Bearer. I'm retrieving the token manually and decoding it here https://jwt.io/ That way I know that it's well formed and that it's not expired yet.
However, I'm getting the following error on the response:
{
"odata.error": {
"code": "Authentication_ExpiredToken",
"message": {
"lang": "en",
"value": "Your access token has expired. Please renew it before submitting the request."
}
}
}
What am I doing wrong?
You an try Get App-Only Access Token with the Microsoft Graph POST API:
https://login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/token
https://developers.facebook.com/docs/facebook-login/using-login-with-games/
they claim the json object is
{
"oauth_token": "{user-access-token}",
"algorithm": "HMAC-SHA256",
"expires": 1291840400,
"issued_at": 1291836800,
"user_id": "218471"
}
but i got this
{
"algorithm": "HMAC-SHA256",
"code": "xxxxxx",
"issued_at": 1291836800,
"user_id": "218471"
}
Remark:
my app is in sand box mode
Permission: email; user_about_me; user_birthday; user_interests; user_location; user_games_activity
Does anybody know how to fix it?
Whenever someone has already logged into your game with Facebook
Login, the signed request will contain an oauth_token property that
gives you a token to use to make API calls.
you should be handling the login using JavaScript SDK not by the POST date that is sent on launching the canvas app.
IF you are disparate to get some info before he logs in you should exchanging code for an access token
To get an access token, make an HTTP GET request to the following OAuth endpoint:
GET https://graph.facebook.com/oauth/access_token?
client_id={app-id}
&redirect_uri={redirect-uri}
&client_secret={app-secret}
&code={code-parameter}
you use ajax with that to prevent page from refreshing .
There's only thing that server has to do; just check any access token's validity.
Clients send to the server user id and access token obtained by FB.getLoginStatus. As I expected, there would be any URL that checks access token's validity, like http://xxx.facebook.com/access_token?=xxxxxxxxxxxxxxxxxxxxxxxxxxxx.
That returns whether it's available one or not or is there any API (server side) for that?
The officially supported method for this is:
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
See the check token docs for more information.
An example response is:
{
"data": {
"app_id": 138483919580948,
"application": "Social Cafe",
"expires_at": 1352419328,
"is_valid": true,
"issued_at": 1347235328,
"metadata": {
"sso": "iphone-safari"
},
"scopes": [
"email",
"publish_actions"
],
"user_id": 1207059
}
}
You can simply request https://graph.facebook.com/me?access_token=xxxxxxxxxxxxxxxxx if you get an error, the token is invalid. If you get a JSON object with an id property then it is valid.
Unfortunately this will only tell you if your token is valid, not if it came from your app.
Just wanted to let you know that up until today I was first obtaining an app access token (via GET request to Facebook), and then using the received token as the app-token-or-admin-token in:
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
However, I just realized a better way of doing this (with the added benefit of requiring one less GET request):
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app_id}|{app_secret}
As described in Facebook's documentation for Access Tokens here.
Simply request (HTTP GET):
https://graph.facebook.com/USER_ID/access_token=xxxxxxxxxxxxxxxxx
That's it.
The app token can be found from this url.
https://developers.facebook.com/tools/accesstoken
I found this official tool from facebook developer page, this page will you following information related to access token - App ID, Type, App-Scoped,User last installed this app via, Issued, Expires, Data Access Expires, Valid, Origin, Scopes.
Just need access token.
https://developers.facebook.com/tools/debug/accesstoken/
Exchange Access Token for Mobile Number and Country Code (Server Side OR Client Side)
You can get the mobile number with your access_token with this API https://graph.accountkit.com/v1.1/me/?access_token=xxxxxxxxxxxx. Maybe, once you have the mobile number and the id, you can work with it to verify the user with your server & database.
xxxxxxxxxx above is the Access Token
Example Response :
{
"id": "61940819992708",
"phone": {
"number": "+91XX82923912",
"country_prefix": "91",
"national_number": "XX82923912"
}
}
Exchange Auth Code for Access Token (Server Side)
If you have an Auth Code instead, you can first get the Access Token with this API - https://graph.accountkit.com/v1.1/access_token?grant_type=authorization_code&code=xxxxxxxxxx&access_token=AA|yyyyyyyyyy|zzzzzzzzzz
xxxxxxxxxx, yyyyyyyyyy and zzzzzzzzzz above are the Auth Code, App ID and App Secret respectively.
Example Response
{
"id": "619XX819992708",
"access_token": "EMAWdcsi711meGS2qQpNk4XBTwUBIDtqYAKoZBbBZAEZCZAXyWVbqvKUyKgDZBniZBFwKVyoVGHXnquCcikBqc9ROF2qAxLRrqBYAvXknwND3dhHU0iLZCRwBNHNlyQZD",
"token_refresh_interval_sec": XX92000
}
Note - This is preferred on the server-side since the API requires the APP Secret which is not meant to be shared for security reasons.
Good Luck.