In my Java/Ionic2 application, I request, through REST services, authentication to Google Drive with the refresh token, and then with access_type=offline, as described here: https://developers.google.com/identity/protocols/OAuth2WebServer#refresh.
The server responds 200 OK, so it gives me a refresh and an access token, only the first time I request access. If I try to redo all the authentication process with an already authorized account, from the same browser, even after logging out, the server response does not give me the refresh token, but only the access token. why? Did anyone have such a problem? Thanks
AFAIK, refresh tokens are only provided on the first authorization from the user. You should only obtain a refresh token if your access token have expired and you need new access tokens. As discussed in token expiration, you must write your code to anticipate the possibility that a granted token might no longer work. That's were you will need a refresh token.
See this SO post for additional insights.
Related
Here is the scenario:
Web App (webapp) authentication uses OAuth Authorization Server SSO
by setting spring.oauth2.sso.* properties.
User authenticates and webapp now have user credentials and access_token. Application then uses this token to call certain microservices on the backend.
When token expires it will eventually get 403 Unathorized.
Since we dont have refresh token should we just force user to login again?
What if we want user to stay logged in longer then token's TTL?
Any thoughts?
If I understand your question correctly, absent having a refresh token, the user will need to login again as this is the only way to get a new access token without it.
I have a mobile application talking to a backend. I am providing login to the app through LinkedIn. I checked the linkedIn api for oauth authentication and have followed the steps as given in this link
Oauth LinkedIn.
I am able to obtain the request token as per step 3. Now i am sending this request to my backend. In the backend i want to make sure that this request token is valid and has not expired.
How do i achieve this ? In FB authentication, they have provided an end point to which i post the access token (https://graph.facebook.com/app?access_token=)and it gives the expiry time, validity of token etc.
How do we do this with LinkedIn api, i searched their documentation, but no luck. Any help will be appreciated.
Thanks
There's no separate API that LinkedIn provides to inspect the token. However you do get a hint about the token expiry back in the response from the token endpoint when exchanging the code for an access_token in the expires_in parameter, e.g.:
{"access_token":"<>","expires_in":5183999}
which tells you that it is valid for 60 days. You could store that information together with the access token.
You can use "Token Introspection" endpoint to check the validity of your access token at any time.
https://learn.microsoft.com/en-us/linkedin/shared/authentication/token-introspection. Use Refresh token to refresh it before it expires.
How to extend life time of google account access token i used gwt-oauth2-0.2 to obtain an access token but problem is that it expires very soon .i want to get a token with extended life time preferably that does not expires.
Since this is GWT code, it's executed in the client using client-side JavaScript. It is not possible to get a long-lived access token from within client-side JavaScript. The issued tokens last 60 minutes currently-- and you can always get another token later without any user interaction (as the user has already approved the OAuth grant request). This should be sufficient for all client-side access to a user's data.
If you're comfortable using server-side code instead, you could use the OAuth 2.0 flow for server-side web applications, and specify access_type=offline. This gives you an authorization code passed as a query parameter-- you then make a server-to-server call to exchange the authorization code for an access token. The first time you exchange a code for a given user, you'll also get a refresh token. Although the access token will expire, the refresh token can be used indefinitely to obtain new access tokens for that user by simply making a server-to-server call.
My app uses Facebook Javascript SDK authorization on client side, and for authorized user app fetches access token from Facebook API, using facebook cookie with signed request and provided code, and store it into database.
Everything is working fine, but i'm wondering, when I should refresh stored access token? What if user have changes password, and have signed in/connected again.
As I understand, now she has new access token, and app should load it from Facebook. But how I can understand when I should check for a new token? Check on each request with facebook cookie doesn't work, because it's few request per second for each user (event if she didn't change a password). Or maybe i'm doing something wrong?
I mean:
I've authorized user on client side
I've cookie with signed request
Signed request is pretty enough to authorize user on server side (validate user credentials)
I can get access token by calling Facebook API, anytime when user user makes request to my app (because I need a code from signed request). So, i'm doing it when I don't have stored access token or existing access token has expired.
access token just stored in database, and can be used anytime, in different thread, maybe few minutes later (mean we don't have user request and cookie with signed request)
What if stored access token not expired, but invalidated on facebook side? I need to fetch new access token, but cookie has gone at this moment.
Currently I see only one way: store code from signed request into databse, and when we have found that we have invalid access token, try to load it. But i'm note sure that it's proper way, and not so much usable for most cases
You have client token and server token, the client one is short lived (a few hours) and the server one is long lived (60 days).
The token on the client side should not bother you too much since you can get a new one easily as it states in the "Handling Invalid and Expired Access Tokens" guide:
Desktop Web and Mobile Web apps which implement authentication with the Javascript SDK
Calling FB.getLoginStatus() or ensuring status: true is set when you
call FB.init() means that the next time a user lands on your
application and is signed into Facebook, the authResponse object you
are passed as a result of those calls will contain a fresh, valid
access token.
In this case, its simply the act of the user using your application
which implicitly generates a new access token.
The token on the server side, which you persist in the db, can not be as easily reproduced, the user has to be sent to the auth dialog again:
Desktop Web and Mobile Web apps which implement the server-side authentication flow
To obtain a fresh access token in this case you must pass the user
through the full server-side flow again: i.e. obtain a code and
exchange it for a new access token.
However, assuming the user has not de-authorized your application,
when you redirect the user into the OAuth Dialog, the user will not be
prompted to reauthorize your application, and will be immediately
redirected to your redirect_uri. This means that the re-authentication
process can appear transparent to the user.
You can of course send a client token to the server and persist that, but it's pretty pointless since it's short lived.
Another option is to use the new endpoint to extend a valid client token on the server side and then persisting that.
As for "how to know when do get a new token", on the server side when you are making api requests just check the response and see if an error returned and if so what it is (there's a list in the first url I added).
If the token has expired then just send the user to the auth dialog again (you can return some kind of code to the client side and do it from there) and then save the new token to the db.
There's no need to check cookies, those are used in the background but you should not have anything to do with them.
Edit
Don't use the cookies, they should not concern you at any time.
What you should do:
On the server side you should follow the instructions in the Server-Side auth guide, get the "code" and exchange it with a token.
That token will have 60 days.
Use that token, which you store in your db, as needed (other threads, what not) and when you are getting an error back from facebook saying that the token has expires just navigate the user back to the auth dialog page.
You can not use the "code" to get more than one token so that won't help you.
If the user session (and token) got invalidated (for various reasons) you will still get an error back from facebook when trying to make an api request, when that happens just send the user to the auth dialog again.
This is the access token associated with my Facebook application -- the thing that comes back from https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id=APP_ID&client_secret=APP_SECRET. Can I get this once from FB and save it away somewhere for future use, or do I need to refresh it on a regular basis?
Access Token Tool - Facebook Developers
App tokens do not expire and should be kept secret as they are related to your app secret.
I don't know for sure, but since the documentation does not state that you get back an expiration time for the access token, I guess that it's an educated guess that it does not expire.
But why does it matter? the application authentication process is much simpler than the one with users, so just save the token somewhere (db, memory) and then try an api call, if it fails just issue one call to obtain a new token, save that, and continue as usual.
If you want a token to manage a page, never-expiring token can be obtained by
Get user token
Exchange user token to long-living token (Valid for 30days)
Obtain a page token with this user token (This page token is not going to expire)
When you check the token you've got, check it on Debugger. You will now see 'Expires Never'.
Documentation is on Facebook Developers ,Scenario 5: Page Access Tokens
My app access token does not seem to have changed for just under a month. I do not know if it changes. For fun I just changed my app secret...
My app access token then immediately changed and when I try to use the old one I get a
HTTP 400 error with a message body...
{"error":{"message":"Invalid OAuth access token signature.","type":"OAuthException","code":190}}
My advice is save the access token and use it. Unless you get the message above in which case obtain a new one and use that. One thing that I have not checked yet is if you get the same result if the user access token (that you may be querying) has expired instead.
For each and every user token (which is what you're getting from your link), there is an expiration date. Take one of those tokens to https://developers.facebook.com/tools/debug and debug it. You will see that generally they expire within 60 minutes or so.
To extend that user token, call the exchange command (https://developers.facebook.com/docs/offline-access-deprecation/) to get it to become a 60 day token. That user token has to be still valid (not expired) to do this.