I am trying to connect with microsoft live account with my website. I got offline refershtoken and accesstoken with expiration time by using documentation of microsoft.
Now the Question is how to check the token is valid(Expired) or not? Which url is giving the answer?
The response that returns the access_token and refresh_token should also contain an expires_in value that you can use to calculate how long the access_token should be cached. Once the cached token gets close to expiration you can trigger a preemptive refresh.
However, even with a preemptive refresh your application should be on the lookout for 401 responses from the OneDrive API, and use those as a trigger for a refresh. If you want to make a request solely to validate the current token is still good you could hit something like the following - but it won't tell you how long it has left, only whether it's ok at this instant:
HEAD https://api.onedrive.com/v1.0/drive
Related
I'd like to implement a Facebook authentication that does not perform traditional oauth redirects. It doesn't play nicely with my single-page-application and GraphQL API.
On the JS side, I can invoke FB.login to trigger a dialog for the user to login. If this is successful, I receive an object containing an accessToken and a signedRequest.
signedRequest can be decoded on the server and it spits out a code for me. I can use code with /oauth/access_token to get an accessToken.
However, I already had the accessToken this whole time from the FB.login response. So my question is: is there any point of me decoding the signed request, if I had the access token this whole time?
Bonus: Why does the FB API provide a signed request in the first place, and why does the oauth redirect by default forward the code and not an accessToken?
Yes, you can use the token you got from the client-side login, directly on the server.
It might however be a short-lived one, whereas the server-side login flow should give you a long-lived one right away. If you only need to perform API calls while the user is active on your page, the short-lived one will probably do. (And it could still be exchanged for a long-lived one with a server-side API call, https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing)
Why does the FB API provide a signed request in the first place
It also contains a bit more info, that might be useful for a client-side app (user id, token expiry, externally passed in data in case of the old “Canvas” type apps), and might save on one additional API call to get that kind of info. https://developers.facebook.com/docs/reference/login/signed-request/
and why does the oauth redirect by default forward the code and not an accessToken?
General security measure. The token contained directly in the return URL, could easily be stolen by 3rd-party scripts that might be embedded on that page (ad servers etc. can get hacked from time to time, too), or leaked as part of the HTTP referrer.
The code parameter requires your app secret for the API call that exchanges it for a token, so if the code were to leak in any such way, whoever else got their hands on it, can’t do anything with it.
I'm learning making API Requests from a mobile app.
An API that I am using, returns an access_token, expires_in and refresh_token when making a login request.
I'm trying to understand the whole logic behind the access token idea, been looking all over the internet and cannot find a good example nor a good explanation.
As far as I am aware,
The best method for making API requests is:
1) Store the expires_in internally on the device
2) On every request first check if the token is expired
3) If so, then request a new one using the refresh token
4) Otherwise make the request
Is this right?
Your flow is basically correct.
If it is a JWT token, you can decode it. Inside you can find some properties, check here.
What you can do is use the iat property of the token, this contains the time when the token was issued (you can't rely on the received date from the WS) add the expiration time to that date, this will be the expiration date.
If you are using Alamofire is pretty easy, there are 2 protocols:
RequestAdapter
RequestRetrier
By using a combination of the two can you easily refresh your token, in the request adapter you can throw an error if the token is expired, in the retrier you can intercept this specific error and make a refresh token request.
It is explained here.
So this is a random question that I can't seem to see an answer to.
I'm using Token based auth in my application. When the login credentials are first sent to the system, a token is returned. That token is then required with each and every request afterwards. When the token expires, a refresh token is used to determine if a new one should be issued. All pretty basic stuff.
What I've noticed is that the token isn't returned to the client with each web call. As in, client sends a message to the server with the token, server sends a response, but doesn't include the token unless it has been refreshed. Now, obviously thanks to client-side storage the token is still available.
My question is whether or not it is a best practice to return the token with each and every response, even if it is unchanged. Or if this really isn't a big deal and I can just stop worrying about it.
Thanks in advance.
Generally no, the response should not contain the token as it's unnecessary at that point - the user has already been authenticated for that specific request and appropriate actions have been taken (either a 200 with data or 401 or whatever).
It is the responsibility of the client to know the token when making a request.
I am working with Oauth2.0. In that i could able get the access_token and instance_url. Is there any expiry time for these two.
Can I store them and use it for all my REST calls without getting the new access_token and the instance_url. Is it possible for me to use it for long hours or even days.
The access token is only valid for the length of a session (as defined in the Salesforce Org's settings — I believe the longest this can be is 8 hours without activity), as it's actually a session ID, that said, you should also be given a refresh token. The refresh token has a much longer lifetime and can be used to authenticate the user once the session has expired, without them having to enter any credentials — this allows you to do it in the background without them even having to concern themselves with the login process.
model metrics do a good job of explaining the token flow here.
Part of my app requires login and is not able to use client-side authentication with javascript etc, so requests authentication server-side using http request on:
https://graph.facebook.com/oauth/access_token?client_id=[app_id]&client_secret=[secret]&redirect_uri=[uri]&code=[code]
This works fine, most of the time. However I intermittently get timeout/null responses back from this request. I can run a tool which will request this page over and over, and will succeed about 80-90% of the time. As soon as one failure occurs, all requests fail, for any user, for a few seconds and then it works again.
Has anyone else experienced something like this, or do you know if there is a cap on requests which facebook will cut off over a certain threshold? I can't find any information that sounds similar in the documentation.
It is because if you send too much requests, facebook thinks you want to make a DDOS attack and block your requests for a while.
You must retreive the token only once for your session. Other way it certainly turning FB defending against throtting.
However, if you're not apply for 'offline_access' special permission, your token has expiration time.
Default is retentionPeriod=2 and retentionUnit=hour.
maybe you should ask for
scope=offline_access
into your permission, then only retreive the user token once.
In addition you need to perform a
try{my api call} catch(bad token){ reload the new token and retry }
which is re-ask the token if any API call failed with authenticaion error.
In app Insights, you can check API throtting from diagnostics page, and also most common errors from performance page. If you don't see any error or nothing been throttled, you could probably change the app logic, request the token again if you get timeout/null responses.