I am using JWT for the first time, and I am having a hard time understanding the way it works fully: every time I find a solution to something, another thing pops up.
I was trying to authenticate before, and when I sent the correct username and password I got a token using Postman.
I left the project for a few hours and came back, and now when I try to authenticate I get this error:
{
"code": 401,
"message": "Expired JWT Token"
}
I don't know how to solve it, because I did not know I might face such a problem.
Any help would be much appreciated.
It goes like this:
You make the first API request, pass your credentials, get a token and store it somewhere.
After that you should pass that token (through the "Bearer" header field) with every other request so the server can identify you.
But that token won't be valid forever. After some time (the TTL) it will expire and you'll get a message like that. Then you have to repeat the authentication to get a new token.
So just repeat the request you made at the start, pass the credentials again, collect and store the new token and keep using it as before.
If you're using LexikJWTAuthenticationBundle, you can set the TimeToLive for JWT in lexik_jwt_authentication.yaml in config/packages.
The token_ttl: attribute is for setting up the TimeToLive of a token in seconds (e.g., 604800 is equal to 7 days).
I'm starting to learn the Laravel Passport API. I tried to use my tokens and it works fine. When I revoke a specific token it works fine too; it shows the proper output that says
{
"message": "Unauthenticated"
}
But when I tried to use a token that expired 1 day ago, it still authenticated, which means it doesn't give the same message as when I revoke it.
I'm having the same problem in this thread:
https://laracasts.com/discuss/channels/laravel/passport-not-erroring-on-expired-token?page=1
I'm wondering if there's another, perhaps tricky, way to check the expiration date of a specific token in the backend. Recently I found an alternative way to validate expired tokens, which is Laravel's task scheduling: every minute the system checks whether a token has expired and, if so, automatically sets its revoked field to true. But I doubt this solution, so I'm still trying to find some other options.
I think I probably found the problem.
You must set the expiration time in AuthServiceProvider by adding Passport::tokensExpireIn() to the boot section, and the token won't be validated after this time, but the problem is the token won't be revoked automatically, and I don't get why.
Maybe revoke is not meant to be set by Passport and it's only for us.
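Both threads above come down to the same server-side check: the token carries an exp claim (set from the TTL, 604800 seconds in the Lexik example, or Passport::tokensExpireIn()), and the verifier must refuse the token once the current time passes it, independent of any "revoked" flag in a database. The following is an added example, not code from either question or from the Lexik or Passport projects: a minimal HS256 JWT minter and verifier in Python using only the standard library, with a constructed secret and fixed timestamps so it runs offline. It shows the order of checks a verifier should apply (pinned algorithm, signature, then exp with an optional clock-skew leeway) and that a token "expired 1 day ago" is rejected with the same message the first question saw.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example; a real deployment loads the key from config or secret storage.
SECRET = b"example-hs256-secret-not-for-production"
LEXIK_STYLE_TTL = 604800  # 7 days, the token_ttl value quoted in the Lexik answer


class TokenError(Exception):
    """Raised for any token the verifier refuses; the message mirrors the 401 body."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, ttl: int, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT whose exp is `now + ttl` (what a TTL setting does on the server)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None, leeway: int = 0) -> dict:
    """Check the signature first, then exp; `leeway` absorbs small clock differences."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("Malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_unb64url(h_b64))
        payload = json.loads(_unb64url(p_b64))
        signature = _unb64url(s_b64)
    except ValueError as exc:  # binascii.Error and JSON errors are ValueError subclasses
        raise TokenError("Malformed token") from exc
    # Pin the algorithm; never let the token choose it (blocks alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("Unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("Invalid JWT Token")
    exp = payload.get("exp")
    if not isinstance(exp, int):
        raise TokenError("Missing exp claim")
    if now > exp + leeway:
        raise TokenError("Expired JWT Token")
    return payload


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed "issue time" so the demo is deterministic
    token = mint_token("alice", LEXIK_STYLE_TTL, now=t0)
    print("one hour later:", verify_token(token, now=t0 + 3600)["sub"])
    try:
        verify_token(token, now=t0 + LEXIK_STYLE_TTL + 86400)  # expired one day ago
    except TokenError as err:
        print("eight days later:", err)
```

The database-side revoked flag in the Passport question and the exp claim are separate mechanisms: exp is enforced by the verifier on every request with no storage lookup, so nothing needs a scheduler to flip a column when a token ages out. Revocation is the opposite case, invalidating a token before its exp, and that is the only case a revocation list has to cover.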
I'm using OAuth2. Since it's a two-step verification, shouldn't it give me an error when I try to make the following request? I haven't specified the client secret, but it is still sending back an access token that works.
http://localhost/oauth/authorize/?response_type=token&client_id=myclientid&redirect_uri=http%3A%2F%2Flocalhost%2Fmyredirecturi.php
I understand that I first need to ask for a request token and then trade that in for an access token, but every time I make this request I get back an access token that works? I do get an error message if I specify the wrong client id, though.
Looks like I forgot to disable the allowed implicit grant type. :) Works now.
I have a client application that uses OAuth2 with the resource owner password credentials grant type. I wrote a curl HTTP request to obtain the access token when the user provides her credentials, but how do I request another access token when the first one expires? I read that it's good to estimate the validity of the access token. I found this client library, but I don't think it will solve my problem of requesting a new access token once it expires, or when the refresh token has expired too.
Can anyone point me to the right direction how to implement this or use a library for that purpose please?
Instead of checking token expiration for every resource request, you can handle token expiration error and perform a Refresh Token request to get a new access token.
The OAuth server should normally mention invalid_grant in its response when the access token is invalid, expired, or revoked. Refer here. You should check with your OAuth server what response it provides exactly when a token is expired.
Some libraries do include this feature, but I did not find it in the library you mentioned. I used Retrofit as a Java client and it has this. You might want to request this feature for the library you mentioned.
If a refresh token is expired, the oAuth authorization flow should start over again.
The OAuth2 token you receive will have the duration in it. Each token expires after a set amount of time, and that information is sent back as part of the object you receive. So you can store it locally and reuse it until the expiration time passes.
Once it does expire you have two options:
Request another token
Refresh the existing token. A lot of the OAuth2 providers offer this functionality.
The only question is if the library you are using has that built in. If not maybe you can add it yourself.
Edit
If you want to store the token somewhere, then Session will work. The Session does not expire when the user closes their browser but when it hits the timeout expiration set on the host itself. To be fair, if they reopen the app later, they will have to log in again, at which point you can request another token. If you decide to use the Refresh Token functionality, then it makes sense to store that in the database itself and use it from there, as this is a long-term thing, not something that is session based.
My app is simple, it connects to the Google+ API to authenticate the user, and if successful, it retrieves the user's email and then performs a series of operations on a given database based on the email retrieved.
My main issue is that every hour my access token expires, and I don't seem to know how to "refresh" it. I get the following error, which I imagine is expected:
The OAuth 2.0 access token has expired, and a refresh token is not available.
I am currently storing the access token on a database, and I can therefore retrieve if needed. My only question is how do I use that token to gain a new one?
Whoa, it took me significantly longer to figure this out, and the answers out there seemed quite incomplete to me.
Before we start please keep in mind that this answer assumes you are using the latest Google API PHP Library, as of May 26th of 2014.
1 - Make sure the access type your app requests is offline. A refresh_token is not provided otherwise. From Google: This field is only present if access_type=offline is included in the authorization code request.
$gClient->setAccessType('offline');
2 - Upon the first authorization, persist the provided refresh_token for further access. This can be done via cookies, database, etc. I chose to store it in a database:
$tokens = json_decode($gClient->getAccessToken()); /* Get a JSON object */
setRefreshToken($con, $tokens->refresh_token /* Retrieve from JSON object */);
3 - Check if the AccessToken has expired, and request a refreshed token from Google if such is the case.
if ($gClient->isAccessTokenExpired()) {
$refreshToken = getRefreshToken($con, $email);
$gClient->refreshToken($refreshToken);
}
Where getRefreshToken is retrieving the previously stored refresh_token from our database, and then we pass that value to the Client's refreshToken method.
Quick Note: It's key to remember that if you had previously authorized your app, you probably won't see a refresh_token on the response, since it is only provided the first time we call authenticate. Therefore, you can either go to https://www.google.com/settings/security and Revoke Access to your app or you can add the following line when creating the Client object:
$gClient->setApprovalPrompt('force');
From Google: If the value is force, then the user sees a consent page even if they previously gave consent to your application for a given set of scopes. Which in turn ensures that a refresh_token is provided on each authorization.
Full Sample Here: http://pastebin.com/jA9sBNTk
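The two answers about expiry (handle the expired-token error, refresh, and start the whole authorization over only when the refresh token itself is expired) and the Google answer (persist the refresh_token, check isAccessTokenExpired, then refreshToken) describe the same client loop. As an added example that is not code from any of the posts, the Google API library, or Retrofit, here is that loop in Python against a constructed in-memory stand-in for a token endpoint and one protected resource. The server, the user "alice", her password, the TTLs and the step log are all invented for the demonstration; the server's clock is a counter so the example runs offline and every branch (local expiry prediction from expires_in, the 401 path for a token revoked server-side, refresh-token rotation, and fallback to the password grant when the refresh token is dead) can be exercised deterministically.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

CLOCK_SKEW = 30  # seconds: treat the access token as expired this long before expires_in runs out


class FakeAuthServer:
    """Constructed stand-in for an OAuth2 token endpoint plus one Bearer-protected resource."""

    def __init__(self, access_ttl: int, refresh_ttl: int) -> None:
        self.access_ttl, self.refresh_ttl = access_ttl, refresh_ttl
        self.now = 0  # controllable clock
        self._access: Dict[str, int] = {}   # access token -> absolute expiry
        self._refresh: Dict[str, int] = {}  # refresh token -> absolute expiry

    def _issue(self) -> dict:
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._access[at] = self.now + self.access_ttl
        self._refresh[rt] = self.now + self.refresh_ttl
        return {"access_token": at, "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": rt}

    def token(self, grant_type: str, **p: str) -> Tuple[int, dict]:
        if grant_type == "password":
            if (p.get("username"), p.get("password")) == ("alice", "correct horse"):
                return 200, self._issue()
            return 400, {"error": "invalid_grant"}
        if grant_type == "refresh_token":
            exp = self._refresh.pop(p.get("refresh_token", ""), None)  # single use: rotate
            if exp is None or exp <= self.now:
                return 400, {"error": "invalid_grant"}  # expired, unknown or already used
            return 200, self._issue()
        return 400, {"error": "unsupported_grant_type"}

    def revoke_all_access_tokens(self) -> None:
        """Simulates server-side revocation the client cannot predict from expires_in."""
        self._access.clear()

    def resource(self, authorization: str) -> Tuple[int, dict]:
        scheme, _, tok = authorization.partition(" ")
        exp = self._access.get(tok)
        if scheme != "Bearer" or exp is None or exp <= self.now:
            return 401, {"error": "invalid_token"}
        return 200, {"data": "hello alice"}


class OAuthClient:
    """Password-grant client that refreshes on expiry and re-authorizes when refresh fails."""

    def __init__(self, server: FakeAuthServer, credentials: Callable[[], Tuple[str, str]]) -> None:
        self.server, self.credentials = server, credentials
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires_at = 0
        self.steps: List[str] = []  # trace of what the client did, for inspection/tests

    def _save(self, body: dict) -> None:
        self.access_token = body["access_token"]
        self.refresh_token = body["refresh_token"]  # long-lived: persist in a DB, not the session
        self.expires_at = self.server.now + body["expires_in"]

    def authorize(self) -> None:
        self.steps.append("password_grant")
        user, pw = self.credentials()
        status, body = self.server.token("password", username=user, password=pw)
        if status != 200:
            raise PermissionError(body["error"])
        self._save(body)

    def refresh(self) -> bool:
        self.steps.append("refresh_grant")
        status, body = self.server.token("refresh_token", refresh_token=self.refresh_token or "")
        if status != 200:
            return False  # invalid_grant: refresh token expired/revoked, caller starts over
        self._save(body)
        return True

    def get(self) -> dict:
        if self.access_token is None:
            self.authorize()
        elif self.server.now >= self.expires_at - CLOCK_SKEW:
            if not self.refresh():  # predicted expiry from expires_in: refresh before the 401
                self.authorize()
        status, body = self.server.resource(f"Bearer {self.access_token}")
        self.steps.append(f"resource:{status}")
        if status == 401:  # unpredictable expiry/revocation: refresh once, else start over
            if not self.refresh():
                self.authorize()
            status, body = self.server.resource(f"Bearer {self.access_token}")
            self.steps.append(f"resource:{status}")
        if status != 200:
            raise PermissionError(body["error"])
        return body
```

Two design points carry over to any real provider: the refresh token is treated as single use (the server rotates it, so the client always saves the newest one), and the client never loops on refresh; one failed refresh means the grant is gone and the user has to authenticate again, which is exactly the "refresh token expired, start the flow over" case from the answer above.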
I am facing problems renewing the Facebook extended token, which is valid for 60 days, before it expires.
I am following the steps mentioned on this page
https://developers.facebook.com/docs/facebook-login/access-tokens/#extending
I called the endpoint https://graph.facebook.com/oauth/client_code?access_token=...&client_secret=...&redirect_uri= ... with curl_get_file_contents
and I got the "code".
Then as the next step I call the endpoint oauth/authorize?code=...&client_id=...&redirect_uri=... using curl_get_file_contents with the code I received in the previous step, but don't get anything in return. What am I missing?
Facebook docs say "Once you've retrieved the code from Facebook's server you then need to ship it to the client via a secure channel. Once that's done, you need to make a request from the client to this endpoint:"
What do they mean by "ship it to the client via a secure channel"? And what do they mean by "make a request from the client to this endpoint"? Any examples you can give me on how to call these URLs using the PHP SDK?
The token will automatically refresh its expiry timestamp after an interaction between the user and your application.