whats the lifetime of Github OAuth API access token - github

what is the expiry time of github oauth access token. And also how do I renew it. I don't see any refresh token in their documentation. Please guide me. Thanks in advance.

2014: As commented in this "GitHub OAuth Busy Developer's Guide"
Tokens don't have to expire.
They only send back the access token and an expiration (field "expires_in", seen as far back as 2013) if the offline_access scope is not requested (as it is the case for a refresh token).
Right now, GitHub just assumes all apps want offline access.
You can check an OAuth application authorization, delete it or revoke it.
But the token itself doesn't seem to be bound to an expiry date unless they are not use for one year.
badsyntax adds in the comments:
I also found this useful:
"An OAuth token does not expire until the person who authorized the OAuth App revokes the token."
From "Migrating OAuth Apps to GitHub Apps".
Stokito points out in the comments to rfc6749 / 4.2.2 Access Token Response:
expires_in
RECOMMENDED.
The lifetime in seconds of the access token.
For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.

Generally, the access_token of GitHub has no expiry until you revoke the OAuth token.
You can consider to opt in to GitHub App expiration token beta feature. This would make your app use expiring user tokens valid for 8hrs, and refresh tokens valid for 6 months
Here's an official step by step guide

GitHub will automatically revoke an OAuth token or personal access token when the token hasn't been used in one year.
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation#token-expired-due-to-lack-of-use
Interestingly, some other OAuth providers issue short-lived access tokens and long-lived refresh tokens, as suggested discretionally in the OAuth spec. For example, GitLab OAuth "access tokens expire in two hours" and each refresh token may only be used once. This mitigates the damage that stolen access tokens can do.

Related

Cannot use refresh token to generate access token in Github after access token expires

While using Github apps authorization to generate user-to-server tokens, both access_token and refresh_token are generated. Access tokens have a life of 8 hours and refresh token have 6 months before they expire.
I am able to generate new access tokens using the refresh token till the point old access tokens are valid and alive. But once the access tokens expire, I am not able to use the refresh token to generate new access token. Why is this happening?
Also, when I looked into my Github settings > Applications > Authorized Github Apps, the previously authorized app which was listed up until that point is automatically revoked.
First I doubted that I might have manually revoked the authorization on Github settings. I reauthorized the app again which listed my app on the github settings and everything was working fine (this I did yesterday). But today the app is again revoked.
What is causing my app to be auto-revoked from the github settings? Why can't I retain the validity of the refresh_token after 8 hours?

Increase access token validity

Is it possible to generate an access token to read the feed of a facebook account, where the access token never expires.
From what I understand 60 days is the maximum if the initial login access token is exchanged.
Is it possible to go longer than 60 days?
Now that offline_access is no longer provided, the answer is NO.
There used be a permission called offline_access that let access token works longer for period of time, but it is removed now. Short-term access token and long-term access token are introduced, instead.
When you redirect your potential user to Login Dialog and the user complete his login and app authorization process, user is redirected back to your web page. That's where you get code parameter and you will exchange it for short-term access token, which stays valid for about 2 hours. That should be enough for login purpose.
If you wish to store the token for later use you should acquire long-term access token. I believe this is the one you mentioned. This token lives up to about 60 days as you already figured out and it is the longest.

renewing facebook oauth token BEFORE expiration

Is it possible to renew the long-term oauth token for facebook before it expires, and if so, how is that accomplished? So far it seems facebook will only give back the old token with the same expiration date.
Edit: using server-side authentication, and not finding in the docs specific info on how to request a new short lived token and exchange it for a long-term token using server-side workflow.
https://developers.facebook.com/docs/authentication/server-side/
how is that accomplished?
By getting a new short-lived user access token first, and then sending it to the endpoint for extension.

How long do 'offline_access' OAuth tokens last for?

If a user gives my app the offline_access permission, approximately how long will the OAuth token last for? The documentation simply says:
"By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived."
How long specifically would this token last for? Would it be active 24 hours later?
If I recall correctly, the access token returned when requesting the offline_access permission will remain valid until the user revokes the offline_access extended permission from the application, or the user specifically removes the application. Effectively making it a permanent token.
However, this should always be taken with a grain of salt. Facebook allows themselves the freedom to be able to change their policies at anytime and the 'long-lived' wording of the description allows them to invalidate the token at any time. It is recommended that your application handles the scenario of the token becoming invalid as it will cover the user removing application access and the token being invalided for some other reason.
Some helpful information from Facebook here on handling expired access tokens:
https://developers.facebook.com/blog/post/500/
Note that an access token can also expire if the user changes their password or deletes their Facebook account.
Your client (web, iOS, etc) should make a habit of checking for a valid access token & reprompting the user to authorize if the token has expired.

Do Facebook Oauth 2.0 Access Tokens Expire?

I am playing around with the Oauth 2.0 authorization in Facebook and was wondering if the access tokens Facebook passes out ever expire. If so, is there a way to request a long-life access token?
After digging around a bit, i found this. It seems to be the answer:
Updated (11/April/2018)
The token will expire after about 60 days.
The token will be refreshed once per day, for up to 90 days, when the person using your app makes a request to Facebook's servers.
All access tokens need to be renewed every 90 days with the consent of the person using your app.
Facebook change announce (10/04/2018)
Facebook updated token expiration page (10/04/2018)
offline_access:
Enables your application to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
Its a permission value requested.
http://developers.facebook.com/docs/authentication/permissions
UPDATE
offline_access permission has been removed a while ago.
https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal/
Try this may be it will help full for you
https://graph.facebook.com/oauth/authorize?
client_id=127605460617602&
scope=offline_access,read_stream,user_photos,user_videos,publish_stream&
redirect_uri=http://www.example.com/
To get lifetime Access Token you have to use scope=offline_access
Meaning of scope=offline_access is that :-
Enables your application to perform authorized requests on behalf of
the user at any time. By default, most access tokens expire after a
short time period to ensure applications only make requests on behalf
of the user when the are actively using the application. This
permission makes the access token returned by our OAuth endpoint
long-lived.
But according to facebook future upgradation the offline_acees functionality will be deprecated for forever from the 3rd October, 2012.
and the user will be given 60 days long-lived access token and before expiration of the access token Facebook will notify or you can get your custom notification functionality fetching the expiration value from the Facebook Api..
Note that Facebook is now deprecating the offline_access permission in favor of tokens for which you can request an "upgrade" to the expiry. I'm just now dealing with this, myself, so I don't have much more to say, but this doc may help:
https://developers.facebook.com/docs/offline-access-deprecation/
I came here with the same question as the OP, but the answers suggesting the use of offline_access are raising red flags for me.
Security-wise, getting offline access to a user's Facebook account is qualitatively different and far more powerful than just using Facebook for single sign on, and should not be used lightly (unless you really need it). When a user grants this permission, "the application" can examine the user's account from anywhere at any time. I put "the application" in quotes because it's actually any tool that has the credentials -- you could script up a whole suite of tools that have nothing to do with the web server that can access whatever info the user has agreed to share to those credentials.
I would not use this feature to work around a short token lifetime; that's not its intended purpose. Indeed, token lifetime itself is a security feature. I'm still looking for details about the proper usage of these tokens (Can I persist them? How do/should I secure them? Does Facebook embed the OAuth 2.0 "refresh token" inside the main one? If not, where is it and/or how do I refresh?), but I'm pretty sure offline_access isn't the right way.
Yes, they do expire. There is an 'expires' value that is passed along with the 'access_token', and from what I can tell it's about 2 hours. I've been searching, but I don't see a way to request a longer expiration time.
since i had the same problem - see the excellent post on this topic from ben biddington, who clarified all this issues with the wrong token and the right type to send for the requests.
http://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/
You can always refresh the user's access token every time the user logs into your site through facebook.
The offline access can't guarantee you get a life-long time access token, the access token changes whenever the user revoke you application access or the user changes his/her password.
Quoted from facebook http://developers.facebook.com/docs/authentication/
Note: If the application has not requested offline_access permission, the access token is time-bounded. Time-bounded access token also get invalidated when the user logs out of Facebook. If the application has obtained offline_access permission from the user, the access token does not have an expiry. However it gets invalidated whenever the user changes his/her password.
Assume you store the user's facebook uid and access token in a users table in your database,every time the user clicks on the "Login with facebook" button, you check the login statususing facebook Javascript API, and then examine the connection status from the response,if the user has connected to your site, you can then update the access token in the table.
Hit this to exchange a short living access token for a long living/non expiring(pages) one:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
log into facebook account and edit your application settings(account -> application setting ->additional permission of the application which use your account). uncheck the permission (Access my data when I'm not using the application(offline_access)). Then face will book issue a new token when you log in to the application.
Basic the facebook token expires about in a hour. But you can using 'exchange' token to get a long-lived token
https://developers.facebook.com/docs/facebook-login/access-tokens
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
This is a fair few years later, but the Facebook Graph API Explorer now has a little info symbol next to the access token that allows you to access the access token tool app, and extend the API token for a couple of months. Might be helpful during development.
check the following things when you interact with facebook graph api.
1) Application connect URL should be the base of your "redirect_uri"
connect URL:- www.x-minds.org/fb/connect/
redirect_uri - www.x-minds.org/fb/connect/redirect
2) Your "redirect_uri" should be same in the both case (when you request for a verification code and request for an access_token)
redirect_uri - www.x-minds.org/fb/connect/redirect
3) you should encode the the argument when you request for an access_token
4) shouldn't pass the argument (type=client_cred) when you request for an access_token. the authorization server will issue a token without session part. we can't use this token with "me" alias in graph api. This token will have length of (40) but a token with session part will have a length of(81).
An access token without session part will work with some cases
eg: -https://graph.facebook.com/?access_token=116122545078207|EyWJJYqrdgQgV1bfueck320z7MM.
But Graph API with "me" alias will work with only token with session part.
I don't know when exactly the tokens expire, but they do, otherwise there wouldn't be an option to give offline permissions.
Anyway, sometimes requiring the user to give offline permissions is an overkill. Depending on your needs, maybe it's enough that the token remains valid as long as the website is opened in the user's browser. For this there may be a simpler solution - relogging the user in periodically using an iframe: facebook auto re-login from cookie php
Worked for me...