I've got my Javascript client app working well, but the streaming access token expires after 1 hour. I'm trying to make it play a playlist all the way through, which is often longer than 1 hour. Is there a way to renew the token without requiring the user to log in again?
Client-side applications cannot renew their token as they are not supplied with a refresh token. If you want to renew the token, you need to do a webservice application which can store a secret and use this to renew the access_token.
Related
I am building an application that does not have a client interface.
At the setup step: The user logs into the server throught a browser once using oauth, and the server makes sure that the client is identified.
From this point on, no browsers are invlovled. It all happens in the background.
It then keeps acting on behalf of the user for as long as the user can be validated.
That means that once in a while, my server needs to call the oauth provider to validate the user still exists.
Until now, I have only used google oauth: Once in a while, I would call the refreshtoken api, and get a new token indefinitely from the server side. (you need to ask for "offline access" when you get the user token).
Now I would like to use facebook as well, but reading their APIs, I see no mention of a possibility for a server to refresh it's tokens:
https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing/
It looks like it all has to be done from the client device.
As I have no client device, does this mean that I cannot write this sort of app with facebook?
I think your scenario can be covered through Facebook's mechanism. But you need to support a re-login if some error occur while using long lived access token. This can happen due to security measure taken by Facebook (ex:- data breach, cryptographic breach) or when user revoke tokens or change password or when tokens are not used for a longer time.
Steps to follow (According to their docs),
Obtain a User access token
These are short lived
Short-lived tokens usually have a lifetime of about an hour or two
Exchanging Short-Lived Tokens for Long-Lived Tokens
These have life span of around 60 days, even when they are not used.
long-lived token generally lasts about 60 days.
Basically, once you obtain a long lived token, you can use it from the server application. During this process, you required a client which used browser only to obtain short lived access token.
But as previously mentioned, these tokens can expire,
These tokens are refreshed once per day, when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
So you will require to obtain new ones by going through above two steps.
Here is the scenario:
Web App (webapp) authentication uses OAuth Authorization Server SSO
by setting spring.oauth2.sso.* properties.
User authenticates and webapp now have user credentials and access_token. Application then uses this token to call certain microservices on the backend.
When token expires it will eventually get 403 Unathorized.
Since we dont have refresh token should we just force user to login again?
What if we want user to stay logged in longer then token's TTL?
Any thoughts?
If I understand your question correctly, absent having a refresh token, the user will need to login again as this is the only way to get a new access token without it.
I am working on collaborative web platform by ruby on rails and it's connected with facebook app (v2) by Koala gem..
When a user register by facebook account, there is facebook token (expire after 60 days)
The questions:
1- when and how renew the token in normal cases?
2- Can I renew token for 60 days again before end validity of the token?
3- Can I renew token automatically when user used his account in app with old session (without new sign in), or the user must sign out and sign in again to renew token?
I show this answer, but the tokens of users doesn't renew automatically when users visit to site with old sessions (without signin), do I have to finish their sessions automatically to force them to sign in again?
1 - When the user visits your App again
2 - Afaik you can only refresh them after the old one is not valid anymore. Not entirely sure about that though, as i have never tried.
3 - You can only renew the token with user interaction. if it would be possible to auto-renew, there would be no need for short- and long-living tokens at all.
Btw, renewal is very easy with the JavaScript SDK, by just calling FB.getLoginStatus on page load. In general, try to avoid using Tokens while the user is offline.
I created facebook app, now access token is for 60 days but i want to extend never expires access token .if you have any information please let me know.
There is no such thing as an access token that 'never expires'. Please read the Access Token Documentation. The best you can do is to get a token which is valid for 60 days and extend it after it has expired.
Native mobile applications using Facebook's SDKs will get long-lived
access tokens, good for about 60 days. These tokens will be refreshed
once per day when the person using your app makes a request to
Facebook's servers. If no requests are made, the token will expire
after about 60 days and the person will have to go through the login
flow again to get a new token.
Access tokens on the web often have a lifetime of about two hours, but
will automatically be refreshed when required. If you want to use
access tokens for longer-lived web apps, especially server side, you
need to generate a long-lived token. A long-lived token generally
lasts about 60 days.
Is it possible to renew the long-term oauth token for facebook before it expires, and if so, how is that accomplished? So far it seems facebook will only give back the old token with the same expiration date.
Edit: using server-side authentication, and not finding in the docs specific info on how to request a new short lived token and exchange it for a long-term token using server-side workflow.
https://developers.facebook.com/docs/authentication/server-side/
how is that accomplished?
By getting a new short-lived user access token first, and then sending it to the endpoint for extension.