QBO: Setting OAuth tokens expiration - intuit-partner-platform

After the last changes at the QuickBooks site, I can't find a place where I can get OAuth tokens and set their expiration time. I need to automate the reconnect process but just read about tokens expiring in 180 days. I would need to get a set of tokens that expire quite a bit earlier so that I can test my code without waiting so many days for it to be executed. Is that possible?
Regards

Yes, you can use the playground to test with - https://appcenter.intuit.com/Playground/OAuth/IA/?ck=consumer_key&cs=consumer_secret

Related

How to prevent log out users when changing JWT secret?

I am using a JWT token implementation of this https://jwt-auth.readthedocs.io/en/develop/quick-start/
I need to update the secret key and is there a way to update it without logging out every user? I presume it's not possible to reuse the old token once my secret key is changed. So all my users will be logged off and need to log in again. Is there any way to go around this?
If not, and if for security reasons I need to update the secret monthly, it will be pretty troublesome to ask my users to re-login monthly.
Thanks!
If you change your keys it's correct to invalidate all the tokens signed with the old ones as they are to be considered expired.
It's a good practice to let the token expire as well after a certain amount of time. Usually you implement a mechanism based on two tokens, access_token with an expiration of 1h (usually) and a refresh_token with a longer expiration (usually 24h). The second one is used to renew the first one. When the second one expires, the user has to be considered logged out.
What you need is to implement a refresh token mechanism. You can implement it from scratch, for learning purposes, or you could just implement the OAuth 2.0 protocol, since it's a flow that it already supports. There are lots of libraries for both server-side and client-side implementations.
https://oauth.net/
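
The two-token mechanism described in the answers above, as an added example that is not part of the original posts and is not the jwt-auth library's code. The function names, the in-memory `_refresh_store` and the HMAC-signed token format are assumptions made for illustration; the 1 h and 24 h lifetimes are the ones quoted above.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # constructed signing key for the demo
ACCESS_TTL = 3600                 # access_token: 1 h
REFRESH_TTL = 24 * 3600           # refresh_token: 24 h
_refresh_store = {}               # refresh_token -> (user, expiry); a DB table in practice

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _sign(payload):
    return _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())

def _access_token(user, now):
    payload = _b64(json.dumps({"sub": user, "exp": now + ACCESS_TTL}).encode())
    return (payload + b"." + _sign(payload)).decode()

def login(user, now=None):
    """After a successful credential check: return (access_token, refresh_token)."""
    now = time.time() if now is None else now
    refresh_token = secrets.token_urlsafe(32)  # opaque random value, not signed
    _refresh_store[refresh_token] = (user, now + REFRESH_TTL)
    return _access_token(user, now), refresh_token

def verify_access(token, now=None):
    """Return the user, or None if the token is forged or expired."""
    now = time.time() if now is None else now
    payload, _, sig = token.encode().partition(b".")
    if not hmac.compare_digest(sig, _sign(payload)):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + b"=" * (-len(payload) % 4)))
    return claims["sub"] if now < claims["exp"] else None

def refresh(refresh_token, now=None):
    """Return a new access_token, or None when the user must log in again."""
    now = time.time() if now is None else now
    user, expiry = _refresh_store.get(refresh_token, (None, 0))
    if user is None or now >= expiry:
        _refresh_store.pop(refresh_token, None)  # drop expired entries
        return None
    return _access_token(user, now)

def rotate_secret():
    """Replace the signing key; every outstanding access_token stops verifying."""
    global SECRET
    SECRET = secrets.token_bytes(32)
```

In this example the refresh token is an opaque value looked up server-side rather than something signed with the key, so `rotate_secret()` invalidates outstanding access tokens while `refresh()` can still issue a replacement until the 24 h refresh lifetime runs out.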

Digital board for meeting rooms - Office 365 - OAuth2 - Token life that never expires

I'm working on a digital board for meeting rooms. Every board, set outside the door of the meeting room, displays if it's occupied or not and the following meetings, according to its calendar.
I followed this tutorial to create a JavaScript single-page app.
The problem is that after a while (less than 1 hour) I have to do the log-in again. I'm really struggling to find a solution to avoid it at all or reduce this frequency as much as possible.
Looking around, it seems that working on the life of the token is the answer. Refresh it or, even better, set it so that it never expires (until-revoked).
I've tried with PowerShell, following this guide but it doesn't work for the v2.0.
Azure AD does not support infinite lifetime Access Tokens. The hard limit for an Access Token lifetime is 1 hour.
However, Azure AD does support infinite chaining of the refresh token for new access tokens. When you modify the configurable token lifetime property and set it to until-revoked you are really doing this for the refresh token.
You must make sure you have proper logic in your code that tracks the expiration time of the access token, and requests for a new access token using the refresh token when the old token expires.
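
One way to implement the expiry-tracking logic this answer asks for, as an added example that is not part of the original post. `TokenCache`, `make_fake_endpoint` and the `refresh_call` callback are hypothetical names; the response fields are the standard OAuth 2.0 `access_token`, `expires_in` and `refresh_token`, and the clock is injectable so expiry handling can be exercised without waiting for a real token to age.

```python
import time


class TokenCache:
    """Hands out a valid access token, refreshing shortly before it expires."""

    def __init__(self, refresh_token, refresh_call, clock=time.time, skew=300):
        self._refresh_token = refresh_token
        self._refresh_call = refresh_call  # hypothetical: performs the refresh_token grant
        self._clock = clock                # injectable so tests can move time forward
        self._skew = skew                  # refresh this many seconds early
        self._access_token = None
        self._expires_at = 0.0

    def get(self):
        if self._access_token is None or self._clock() >= self._expires_at - self._skew:
            self._renew()
        return self._access_token

    def _renew(self):
        requested_at = self._clock()
        resp = self._refresh_call(self._refresh_token)
        self._access_token = resp["access_token"]
        # expires_in is relative to the request, so pin it to an absolute deadline
        self._expires_at = requested_at + int(resp["expires_in"])
        # keep the newest refresh token if the server rotated it
        self._refresh_token = resp.get("refresh_token", self._refresh_token)


def make_fake_endpoint(lifetime=3600):
    """Constructed stand-in for a token endpoint; records every call it receives."""
    state = {"calls": 0, "seen": []}

    def call(refresh_token):
        state["calls"] += 1
        state["seen"].append(refresh_token)
        n = state["calls"]
        return {"access_token": f"at-{n}", "expires_in": lifetime,
                "refresh_token": f"rt-{n}"}

    return call, state
```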

When using tokens with expiration dates, is it best practice to force re-authentication or refresh expiration date on every call?

If I've authenticated a REST client and generated a token for them with an expiration date of 2 hours, is it bad practice to keep updating the expiration date every time they make a call (e.g. if they make a call in 1 hour, then the expiration date would move to be 1 hour later than when it was created)?
Or is it best practice to keep the expiration date and just force a re-authentication and then generate a totally new token?
In my experience, the easiest way to implement this is letting the server auto-refresh the token. You can use an internal policy to check the number of seconds/minutes/hours/days that have occurred from the expiration date to now. If the token's expiration date is less than or equal to a defined number of seconds/minutes/hours/days, then the server will generate a new token (and will return it to the client). This is transparent to the client and avoids having to re-authenticate and ask for the user's credentials again. However, if the expiration date is greater than the number of seconds/minutes/hours/days defined, then you force the re-authentication.
Other workarounds may work as well but this implementation works for me. Hope this helps you!

Facebook authentication with deprecate_offline_access option

I ask for a Facebook access token with deprecate_offline_access turned on, and I get following response:
access_token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&expires=5183977
Does anybody know what the "expires" parameter means? Its value is not a timestamp...
I would like to know when the token expires, how could I do this?
Thank you.
The "expires" parameter is just the time remaining from the time of request until the expiration time. It should be read as "expires in 5183977 seconds from time of request".
5183977 seconds = 59.9997337962963 Days.
And the answer to your last question, 'what will I get if token is expired? will I get exception or just expired=0?':
You will get a notification before the token expires. If it is already expired (for mainly different reasons explained in the Facebook developer documentation) you have to re-auth the app and get a new access token, which will again be valid for the next 60 days.

OAuth REST access_token and instance_url expiry time?

I am working with OAuth 2.0. With it I am able to get the access_token and instance_url. Is there any expiry time for these two?
Can I store them and use them for all my REST calls without getting a new access_token and instance_url? Is it possible for me to use them for long hours or even days?
The access token is only valid for the length of a session (as defined in the Salesforce Org's settings — I believe the longest this can be is 8 hours without activity), as it's actually a session ID. That said, you should also be given a refresh token. The refresh token has a much longer lifetime and can be used to authenticate the user once the session has expired, without them having to enter any credentials — this allows you to do it in the background without them even having to concern themselves with the login process.
Model Metrics do a good job of explaining the token flow here.