I have a mobile application talking to a backend. I am providing login to the app through LinkedIn. I checked the linkedIn api for oauth authentication and have followed the steps as given in this link
Oauth LinkedIn.
I am able to obtain the request token as per step 3. Now i am sending this request to my backend. In the backend i want to make sure that this request token is valid and has not expired.
How do i achieve this ? In FB authentication, they have provided an end point to which i post the access token (https://graph.facebook.com/app?access_token=)and it gives the expiry time, validity of token etc.
How do we do this with LinkedIn api, i searched their documentation, but no luck. Any help will be appreciated.
Thanks
There's no separate API that LinkedIn provides to inspect the token. However you do get a hint about the token expiry back in the response from the token endpoint when exchanging the code for an access_token in the expires_in parameter, e.g.:
{"access_token":"<>","expires_in":5183999}
which tells you that it is valid for 60 days. You could store that information together with the access token.
You can use "Token Introspection" endpoint to check the validity of your access token at any time.
https://learn.microsoft.com/en-us/linkedin/shared/authentication/token-introspection. Use Refresh token to refresh it before it expires.
Related
I understand that i can fetch web services client token through the url
https://www.yourmoodle.com/login/token.php?username=USERNAME&password=PASSWORD&service=SERVICESHORTNAME
and it works. I am getting a token and private token.
but i do not see a refreshtoken url. I can see the expiry date through moodle admin account.
Does anyone how to refresh moodle token?
what is the use of private token?
Thanks
It looks like there's no inbuilt functionality to refresh a token like the OAuth 2 spec. You would need to call the login/token.php again if your API call fails.
Unfortunately the login/token.php file only returns the token and may return the private token (Private token, only transmitted to https sites and non-admin users.). From the client's perspective there's no way to know when the token will expire.
References:
https://github.com/moodle/moodle/blob/master/login/token.php
https://github.com/moodle/moodle/blob/master/lib/externallib.php#L1034
I'm using the URL below to get the auth token:
https://www.facebook.com/dialog/oauth?client_id=CLIENT_ID&redirect_uri=RETURN_URL&scope=manage_pages,publish_stream
This page will redirect to another URL with the code token in query string. I'm using this code token to get the Page access token automatically and publish to the Page 'offline'.
In recent days, it seems that Facebook has changed the expiration time of this token code.
I am able to use this token once. The time expiration is very short. Anyone know if there really was a change in facebook? Is there any other alternative to work with this?
This was part of the December 5th changes on the Roadmap: the code can only be exchanged for an access_token once and must be exchanged within 10 minutes of generation.
New security restrictions for OAuth authorization codes We will only
allow authorization codes to be exchanged for access tokens once and
will require that they be exchanged for an access token within 10
minutes of their creation. This is in line with the OAuth 2.0 Spec
which from the start has stated that "authorization codes MUST be
short lived and single use". For more information, check out our
Authentication documentation.
If you're unsure how to log users in correctly because you were relying on the old, incorrect behaviour, ensure you're using the newest SDKs and read the Login documentation in detail, specifically the Server Side Login documentation which shows how to exchange the code for a token
Once you have the token, save it using whatever session storage mechanism your app uses (PHP SDK will store it in a PHP session for you) and use the access token on subsequent calls instead of trying to obtain a new access_token from the code
Is it possible to renew the long-term oauth token for facebook before it expires, and if so, how is that accomplished? So far it seems facebook will only give back the old token with the same expiration date.
Edit: using server-side authentication, and not finding in the docs specific info on how to request a new short lived token and exchange it for a long-term token using server-side workflow.
https://developers.facebook.com/docs/authentication/server-side/
how is that accomplished?
By getting a new short-lived user access token first, and then sending it to the endpoint for extension.
Facebook docs:
Facebook Platform supports two different OAuth 2.0 flows for user login: server-side (known as the authentication code flow in the specification) and client-side (known as the implicit flow). The server-side flow is used whenever you need to call the Graph API from your web server. The client-side flow is used when you need to make calls to the Graph API from a client, such as JavaScript running in a Web browser or from a native mobile or desktop app.
What is the difference between access tokens taken by these flows?
It seems like they length differ.
Can we use server-side flow token on a client? And otherwise, can we use client-side flow token on a server?
Currently, Facebook says this about access_tokens. On Server-side OAuth
if the access_token is generated from a server-side OAuth call, the
resulting access_token will have the longer expiration time by
default. If the call is made while there is still a valid long-lived
user access_token for that user, the returned user access_token from
this second call may be the same or may have changed, but in either
case the expiration time will be set to a long expiration time.
Where as client-side OAuth flow will give you a existing, non-expired, short-lived user access_token. To make this access_token long lived, facebook is providing a new endpoint that exchanges the short lived access_token with an access_token with longer life. The endpoint is
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
Also please note that
Currently the long-lived user access_token will be valid for 60 days
while the short-lived user access_tokens are currently valid from 1 to
2 hours.
Excerpt from https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/
For those that like me are facing the same issue in 2014, Facebook improved the documentation on access tokens.
Tokens are Portable
One important aspect to understand about access token is that they are portable. Once you have an access token you can use it to make calls from a mobile client, a web browser, or from your server to Facebook's servers. If a token is obtained on a client, you can ship that token back to your server and use it in server-to-server calls. If a token is obtained via a server call, you can also ship that token down to a client and then make the calls from the client.
(from https://developers.facebook.com/docs/facebook-login/access-tokens/#portabletokens)
So yes, you can use access tokens from the client on the server and vice-versa; as already stated by naveen, the difference is that client-obtained tokes are short lived, whilst server ones are long lived. You can also convert a short-lived token to a long-lived token by following the directions here: https://developers.facebook.com/docs/facebook-login/access-tokens/#extending
Token can be used to make API calls since it represented that you are authenticated and authorized to do something.
Code can not be used directly to make any API call. It must be first redeemed with your app secret to get a token.
In other words, code is like an encrypted token that only parties with app secret can decrypt it.
BTW, your app secret should only appears in your server code, never in mobile or web client.
The video basically explains all this at around 13:00
https://developers.facebook.com/docs/facebook-login/security
A user access token (and page access token) will be the same in either server-side or client-side environment (other than maybe for the time stamp expiration).
An app access token will be exactly the same either server-side or client-side.
At this url, Facebook explains how to authenticate using Facebook Connect.
Basically, the steps are the following:
Redirect to facebook as the example. As a result I'll get an authorization code
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=email,read_stream
Do a HTTP post to the following address, asking for an access_token
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
Facebook will answer the last HTTP post with an access_token. Fine.
The access_token received above expires. The number of seconds it will still be valid is returned along with the access_token. Ok.
The problem is: What should I do after it expires?
From Facebook oficial website:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token
Wait! I can't re-run the steps above because in order to obtain a new authorization code I would have to redirect (step1). I don't want to redirect. I want to obtain a new authorization code through a web-service. The user already authorized my application and I won't have an oportunity again to redirect him or her.
What should I do?
PS: Thinking logically, I wouldn't need to gain a new authorization code after access_token expires. A new access_token would be enough. But, as I showed, facebook says authorization code also expires.
You would want to use the "offline_access" permission. This allows the token to be long-lived. See the permissions page: http://developers.facebook.com/docs/authentication/permissions/ .
Since they've removed offline_access, Facebook provided a way to extend the expiration of existing short-lived tokens.
Just make the following request:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
And, about the expiration of long-lived access tokens,
Currently the long-lived user access_token will be valid for 60 days while the
short-lived user access_tokens are currently valid from 1 to 2 hours.
For more information, please refer to https://developers.facebook.com/roadmap/offline-access-removal/