re-usable refresh tokens for dropbox api? - dropbox-api

I'm using the .net api for v2 using the code flow scenario. I was under the impression that this is what you use to get a refresh token you can save and re-use to get new access tokens after the user authorizes your app once.
after a doing a call like below, I navigate the uri the call provides.
var redirect = DropboxOAuth2Helper.GetAuthorizeUri(OauthResponseType.Code, AppKey, RedirectUri, user.ConnectState);
I parse the result for the code parameter which I then feed to ProcessCodeFlowAsync(). That only works to get the access token once. If I save and try to use it again, I get "code has already been used : invalid grant" errors.
I thought what I was getting was a refresh token but repeatedly feeding it ProcessCodeFlowAsync is not working. How do I get a refresh token that I can use repeatedly to get access tokens without having to have the user authorize every time. I am cacheing and re-using the auth token not the access token by the way.

The Dropbox API doesn't use refresh tokens. Instead, you should just store and re-use the access token you get at the end of the app authorization flow.
The user or app can revoke an access token at any time though, so if/when API calls start failing due to a revoked access token, you can prompt the user to re-link the app if they want to continue using the integration, so the app can get a new token.
(The "code" you pass to ProcessCodeFlowAsync is an "authorization code", which is not re-usable.)

The accepted answer was probably correct at the time but Dropbox API now does support refresh tokens.
Check the Refresh token section here:
https://www.dropbox.com/lp/developers/reference/oauth-guide

Related

Storing access tokens and handling their expirations

I'm using OAuth as:
a secondary method to sign users into my web application (rather than manually providing their name, email and password)
a way to receive to receive user data throughout the website.
What would be considered best practice when storing access tokens? I have two options:
Store access tokens in cookies
Store access tokens in a database
What are the advantages and disadvantages of either choice?
Regarding token expirations, what should be done to handle this?
One way I know I could handle this is by checking whether there was an error when calling the API and so requesting a new token and then calling the API again. However when requesting a new token, will I require the user to sign back in again? I would imagine this would be a problem when a page on my website requires data from Facebook, but to retrieve it, users have to log back in.
I don't understand how other websites manage to maintain access to Facebook, Google or Twitter APIs without requiring me to log back in again, especially when I'm on another device where I haven't once logged in to Facebook, Twitter or Google. How do they do this? Thanks.
If authentication is done using Google OAuth2.0. Google provides two tokens namely, Access Token and Refresh Token.
Access tokens have limited lifetime for 3600 seconds , but refresh tokens are valid for longer period of time.
Refresh token also expire. Read "Token expiration" section of the Google OAuth2.0 link
One can obtain new access token from refresh token without re-login. ReST api
So, one can have logic implemented to check for time elapsed after access token was generated and take precautionary steps for new access token generation.
Google tokens expire in 3600 seconds, so one can get access token say after every 3500 seconds and update the older access token stored with new one for further use. Also one other way could be, to set refresh token in GoogleCredential which is passed as parameter(httpRequestInitializer) while creating the service of any api.(For example look for Drive.Builder)
If you are not storing refresh token from which access token can be regenerated, you have to authenticate again to get new token.

Facebook Access Token is Expired using Facebook SDK PHP

I am trying to link my application to a facebook user account but every time I go through the process of retrieving their profile I get this error:
string(140) "{
"error":{
"message":"An active access token must be used to query information about the current user.",
"type":"OAuthException",
"code":2500
}
}"
The reason I am confused is that when I initially request an access_token from facebook it return a token for me.
string(56) "access_token={app_id}|{app_secret}"
Which I am then told is expired and I don't know why.....
I understand in order to get an access token you must follow a particular workflow.
Client Requests access and permissions via SDK and Login Dialog.
User Authenticates and approves permissions
Access token returned to client
Graph API calls with short-term access token (web) or long-term access token (native mobile)
Based on what I've seen in my code, I get to step 3 but step 4 fails because the token is said to be expired. Does anyone have any idea what I can do to fix this!?
I notice that for step 1 the login dialog is never shown but I still get an access code returned despite this. Could that be something to do with it? This is the way I perform step 1.
<a class="lists" href="https://graph.facebook.com/oauth/authorize?client_id=564083793722908&redirect_uri=<?=urlencode($facebook_callback_url)?>&scope=offline_access,publish_stream,status_update">Connect a Facebook account</a>
Step 2. never seems to occur
Step 3. An access token is returned though. See above.
Step 4. Fails with the above error of expiration.
Any advice?
You cannot request user information with an app access token. You need a usser access token to do that. Your Login process needs to adhere the docs at
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.1#login
to get a user access token. Apparantly, this is not the case with your code.
Furthermore, you're only using permissions which are (long) deprecated. See
https://developers.facebook.com/docs/facebook-login/permissions/v2.1#adding
https://developers.facebook.com/docs/facebook-login/permissions/v2.1#reference

Google Account access token

How to extend life time of google account access token i used gwt-oauth2-0.2 to obtain an access token but problem is that it expires very soon .i want to get a token with extended life time preferably that does not expires.
Since this is GWT code, it's executed in the client using client-side JavaScript. It is not possible to get a long-lived access token from within client-side JavaScript. The issued tokens last 60 minutes currently-- and you can always get another token later without any user interaction (as the user has already approved the OAuth grant request). This should be sufficient for all client-side access to a user's data.
If you're comfortable using server-side code instead, you could use the OAuth 2.0 flow for server-side web applications, and specify access_type=offline. This gives you an authorization code passed as a query parameter-- you then make a server-to-server call to exchange the authorization code for an access token. The first time you exchange a code for a given user, you'll also get a refresh token. Although the access token will expire, the refresh token can be used indefinitely to obtain new access tokens for that user by simply making a server-to-server call.

Does a Facebook application's access token expire?

This is the access token associated with my Facebook application -- the thing that comes back from https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id=APP_ID&client_secret=APP_SECRET. Can I get this once from FB and save it away somewhere for future use, or do I need to refresh it on a regular basis?
Access Token Tool - Facebook Developers
App tokens do not expire and should be kept secret as they are related to your app secret.
I don't know for sure, but since the documentation does not state that you get back an expiration time for the access token, I guess that it's an educated guess that it does not expire.
But why does it matter? the application authentication process is much simpler than the one with users, so just save the token somewhere (db, memory) and then try an api call, if it fails just issue one call to obtain a new token, save that, and continue as usual.
If you want a token to manage a page, never-expiring token can be obtained by
Get user token
Exchange user token to long-living token (Valid for 30days)
Obtain a page token with this user token (This page token is not going to expire)
When you check the token you've got, check it on Debugger. You will now see 'Expires Never'.
Documentation is on Facebook Developers ,Scenario 5: Page Access Tokens
My app access token does not seem to have changed for just under a month. I do not know if it changes. For fun I just changed my app secret...
My app access token then immediately changed and when I try to use the old one I get a
HTTP 400 error with a message body...
{"error":{"message":"Invalid OAuth access token signature.","type":"OAuthException","code":190}}
My advice is save the access token and use it. Unless you get the message above in which case obtain a new one and use that. One thing that I have not checked yet is if you get the same result if the user access token (that you may be querying) has expired instead.
For each and every user token (which is what you're getting from your link), there is an expiration date. Take one of those tokens to https://developers.facebook.com/tools/debug and debug it. You will see that generally they expire within 60 minutes or so.
To extend that user token, call the exchange command (https://developers.facebook.com/docs/offline-access-deprecation/) to get it to become a 60 day token. That user token has to be still valid (not expired) to do this.

Facebook authentication and Ajax

I am building a Facebook application, and using the oAuth 2.0 protocol for authentication/authorization.
When a user first visits my app I am using the protocol and store the access token in order to make future requests to the Graph API. The problem occurs when the access token expires and the user is using ajax.
When the ajax request is sent I try to retrieve information from the Graph API using the access token, but since it expired I get a JSON saying the access token is invalid. Now, I can send a response back to the client saying the access token expired and on the client side I can redirect him to https://www.facebook.com/dialog/oauth to go through the authentication process again. However, since the whole process is in Ajax, redirecting the user will hurt the usability of the application.
Is there any other way I can use the protocol to get a new access token without needing to redirect the user's browser to get a new access token? Maybe something on the server side?
You just need to ask for the offline_access permission, then your access_token will not expire.
As Rafael notes, you can ask the user for offline_access and then the token should never expire. However, in practice, the access token does expire when a user changes their password or uninstalls/reinstalls your app, so you'll need to build a way for the user to reauthenticate themselves so you can update their token. I suggest redirecting them to a login page that should (ideally) just send them right back where you tell them to go without them having to do anything, and using deep linking to put them right back in your app where they left off.
I'm encountering this issue as well. One solution I came up with is as follows:
Create an async method called isAccessTokenValid()
Invoke isAccessTokenValid() before any method that will require FB interaction
If access_token has expired. save the current uri to the session, along with any form data entries (if any), and start the re-authentication process again.
Once the user has re-authenticated, bring up the stored uri.
This is a bit dirty, but I haven't seen a cleaner solution yet.