I'm using OAuth as:
a secondary method to sign users into my web application (rather than manually providing their name, email and password)
a way to receive to receive user data throughout the website.
What would be considered best practice when storing access tokens? I have two options:
Store access tokens in cookies
Store access tokens in a database
What are the advantages and disadvantages of either choice?
Regarding token expirations, what should be done to handle this?
One way I know I could handle this is by checking whether there was an error when calling the API and so requesting a new token and then calling the API again. However when requesting a new token, will I require the user to sign back in again? I would imagine this would be a problem when a page on my website requires data from Facebook, but to retrieve it, users have to log back in.
I don't understand how other websites manage to maintain access to Facebook, Google or Twitter APIs without requiring me to log back in again, especially when I'm on another device where I haven't once logged in to Facebook, Twitter or Google. How do they do this? Thanks.
If authentication is done using Google OAuth2.0. Google provides two tokens namely, Access Token and Refresh Token.
Access tokens have limited lifetime for 3600 seconds , but refresh tokens are valid for longer period of time.
Refresh token also expire. Read "Token expiration" section of the Google OAuth2.0 link
One can obtain new access token from refresh token without re-login. ReST api
So, one can have logic implemented to check for time elapsed after access token was generated and take precautionary steps for new access token generation.
Google tokens expire in 3600 seconds, so one can get access token say after every 3500 seconds and update the older access token stored with new one for further use. Also one other way could be, to set refresh token in GoogleCredential which is passed as parameter(httpRequestInitializer) while creating the service of any api.(For example look for Drive.Builder)
If you are not storing refresh token from which access token can be regenerated, you have to authenticate again to get new token.
Related
I am building an application that does not have a client interface.
At the setup step: The user logs into the server throught a browser once using oauth, and the server makes sure that the client is identified.
From this point on, no browsers are invlovled. It all happens in the background.
It then keeps acting on behalf of the user for as long as the user can be validated.
That means that once in a while, my server needs to call the oauth provider to validate the user still exists.
Until now, I have only used google oauth: Once in a while, I would call the refreshtoken api, and get a new token indefinitely from the server side. (you need to ask for "offline access" when you get the user token).
Now I would like to use facebook as well, but reading their APIs, I see no mention of a possibility for a server to refresh it's tokens:
https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing/
It looks like it all has to be done from the client device.
As I have no client device, does this mean that I cannot write this sort of app with facebook?
I think your scenario can be covered through Facebook's mechanism. But you need to support a re-login if some error occur while using long lived access token. This can happen due to security measure taken by Facebook (ex:- data breach, cryptographic breach) or when user revoke tokens or change password or when tokens are not used for a longer time.
Steps to follow (According to their docs),
Obtain a User access token
These are short lived
Short-lived tokens usually have a lifetime of about an hour or two
Exchanging Short-Lived Tokens for Long-Lived Tokens
These have life span of around 60 days, even when they are not used.
long-lived token generally lasts about 60 days.
Basically, once you obtain a long lived token, you can use it from the server application. During this process, you required a client which used browser only to obtain short lived access token.
But as previously mentioned, these tokens can expire,
These tokens are refreshed once per day, when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
So you will require to obtain new ones by going through above two steps.
I'm implementing a connect with Facebook/Twitter/... functionality on a website. The idea is that once a user connects his account with the external services our website could post messages on behalf of the user.
With Twitter there is no problem as the OAuth access_token doesn't expire. But with FB it does expire every two months, when the user logouts, changes password or explictly deauthorizes the app.
How should I handle the token expiration? For me it would be ideal if I could refresh the token automatically without bothering the user, but unless I've missed something it seems there isn't any way of doing this. So, right now I've two ideas:
The less akward way: every time the user logins to the website check if the tokens have expired and notify the user that she has too reauthorize the app.
The more akward way: every time the "post to social networks" event triggers in our website, check if the tokens have expired and ask the user to reauthorize.
The first option would be easier to implement and cleaner to the user.
So, how are you handling this situations?
Thanks!
I think that I'll trye the first option:
User logs in
The server checks if the user has already a Facebook token, if so:
Check if it's still a valid token. http://developers.facebook.com/docs/howtos/login/debugging-access-tokens/
If the token expired NOT because the user deauthorized the app BUT because the other cases we redirect the user to the OAuth endpoint.
I'll give it a try and update this answer if there is more to it.
If the user is actually interacting with your website, you should be getting a fresh access_token (read below). If you perform offline tasks related to the user using the Facebook API then you should be storing the access_token and their expiry dates. Then you need to handle expired access tokens and ask the user to interact with your app again and update your records.
You should refer to this document. Also you should be reading the Extending Access Tokens document:
Step 2. Refreshing Long-lived User Access Tokens
At any point, you can generate a new long-lived token by repeating the
original auth flow, obtaining a new short-lived token and then
performing the same exchange as above. In some cases, this newer
long-lived token can be identical to the previous one, but we do not
guarantee this will be true and your app shouldn't depend upon it.
I'm making a facebook application that will scan a users' news feed on a daily basis - but the offline access token has been deprecated.
I know that the access token can be extended to 60 days. So if a user doesn't use my application for 60 days, would I be not able to access their information after that?
I read the developers section but didn't understand it properly.
That's exactly the point. You'll need to code your app to run through an authentication flow if the access token expires. Remember, the access token can expire for other (legitimate) reasons, other than timeout. If you're not asking for new permissions, and need to grab a new access tokens, the flow should happen without any user actions required.
You'll need to code for access tokens failing regardless of offline_access - so do it right! :)
How to extend life time of google account access token i used gwt-oauth2-0.2 to obtain an access token but problem is that it expires very soon .i want to get a token with extended life time preferably that does not expires.
Since this is GWT code, it's executed in the client using client-side JavaScript. It is not possible to get a long-lived access token from within client-side JavaScript. The issued tokens last 60 minutes currently-- and you can always get another token later without any user interaction (as the user has already approved the OAuth grant request). This should be sufficient for all client-side access to a user's data.
If you're comfortable using server-side code instead, you could use the OAuth 2.0 flow for server-side web applications, and specify access_type=offline. This gives you an authorization code passed as a query parameter-- you then make a server-to-server call to exchange the authorization code for an access token. The first time you exchange a code for a given user, you'll also get a refresh token. Although the access token will expire, the refresh token can be used indefinitely to obtain new access tokens for that user by simply making a server-to-server call.
This is the access token associated with my Facebook application -- the thing that comes back from https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id=APP_ID&client_secret=APP_SECRET. Can I get this once from FB and save it away somewhere for future use, or do I need to refresh it on a regular basis?
Access Token Tool - Facebook Developers
App tokens do not expire and should be kept secret as they are related to your app secret.
I don't know for sure, but since the documentation does not state that you get back an expiration time for the access token, I guess that it's an educated guess that it does not expire.
But why does it matter? the application authentication process is much simpler than the one with users, so just save the token somewhere (db, memory) and then try an api call, if it fails just issue one call to obtain a new token, save that, and continue as usual.
If you want a token to manage a page, never-expiring token can be obtained by
Get user token
Exchange user token to long-living token (Valid for 30days)
Obtain a page token with this user token (This page token is not going to expire)
When you check the token you've got, check it on Debugger. You will now see 'Expires Never'.
Documentation is on Facebook Developers ,Scenario 5: Page Access Tokens
My app access token does not seem to have changed for just under a month. I do not know if it changes. For fun I just changed my app secret...
My app access token then immediately changed and when I try to use the old one I get a
HTTP 400 error with a message body...
{"error":{"message":"Invalid OAuth access token signature.","type":"OAuthException","code":190}}
My advice is save the access token and use it. Unless you get the message above in which case obtain a new one and use that. One thing that I have not checked yet is if you get the same result if the user access token (that you may be querying) has expired instead.
For each and every user token (which is what you're getting from your link), there is an expiration date. Take one of those tokens to https://developers.facebook.com/tools/debug and debug it. You will see that generally they expire within 60 minutes or so.
To extend that user token, call the exchange command (https://developers.facebook.com/docs/offline-access-deprecation/) to get it to become a 60 day token. That user token has to be still valid (not expired) to do this.