Let me explain the title:
I have a PHP API using OAuth2 authentication.
I have a NodeJS application, using this API via Password Grant. In session, the node stores an access token and a refresh token per user.
I have no trouble renewing the access_token with the refresh_token, either when the user is requesting the node or via a front-end daemon asking node to refresh regularly.
My question is:
I would like to keep my access_token short lived, as I heard it was a further security measure (3600 sec or so), but I would also like to allow the user to come back a few days later and still be authenticated, or at least avoid asking him to log in with his password once more. Am I forced to make the access token lifetime longer?
Does the Node server need to refresh the user's token even if he's not requesting anything?
Thank you in advance
In many common OAuth2 implementations, refresh tokens are valid for a long time (much longer than the access token) or do not expire at all. You need to store this refresh token linked to your node session (for instance in a DB). Then, when the user comes back, just retrieve a new access token using the related refresh token.
According to http://blog.cloud-elements.com/oauth-2-0-access-refresh-token-guide:
Box
Access token: 1 hour
Refresh token: 60 days (resets 60 days when retrieving new access token)
Dropbox
Access token: Forever
Refresh token: N/A
Google Drive
Access token: 1 hour, from my experience, but it seems this can vary depending on the Google API (expires_in field is returned in JSON)
Refresh token: Forever
OneDrive
Access token: 1 hour
Refresh token: 6 months (Get a new one every time you call refresh)
SharePoint
Access token: 1 hour
Refresh token: 6 months (Get a new one every time you call refresh)
A refresh token may never expire, or may have a very long expiration time.
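Added example, not code from the question or the answer above: the Node side of the approach this answer describes. The access token stays at 3600 s, the refresh token is kept with the server-side session, and the refresh happens lazily on the user's next request rather than from a background daemon, so nothing needs to run while the user is away. Everything here is an assumption for illustration: the PHP API's token endpoint lives at `deps.tokenEndpoint`, it answers a standard `grant_type=refresh_token` POST with JSON `{access_token, expires_in[, refresh_token]}`, and the HTTP call is injected as `deps.post(url, formBody)` so the logic runs offline; `requireAccessToken` is Express-style middleware wiring, also hypothetical.

```javascript
// Added example (not the page's code). Lazy refresh of a per-user OAuth2 token set
// kept in a server-side Node session. All endpoint names and the `post` helper are
// assumptions; swap in fetch/axios against your real token endpoint.

const REFRESH_SKEW_MS = 60 * 1000; // refresh a minute early so in-flight API calls never carry an expired token

// True when there is no access token or it expires within the skew window.
function needsRefresh(tokens, now = Date.now()) {
  return !tokens || !tokens.accessToken || tokens.expiresAt - REFRESH_SKEW_MS <= now;
}

// Exchange the refresh token for a new access token. Returns the new token set;
// throws with `reauthenticate: true` when the server reports the refresh token as gone.
async function refreshTokens(tokens, deps, now = Date.now()) {
  const form = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: tokens.refreshToken,
    client_id: deps.clientId,
    client_secret: deps.clientSecret,
  });
  const res = await deps.post(deps.tokenEndpoint, form.toString());
  if (res.status !== 200) {
    const detail = res.body && res.body.error ? res.body.error : '';
    const err = new Error(`token refresh failed: ${res.status} ${detail}`);
    // RFC 6749 section 5.2: invalid_grant means the refresh token is expired or revoked,
    // so the only way forward is a fresh password login.
    err.reauthenticate = res.status === 400 && detail === 'invalid_grant';
    throw err;
  }
  return {
    accessToken: res.body.access_token,
    // Servers that rotate refresh tokens return a new one; otherwise keep using the old one.
    refreshToken: res.body.refresh_token || tokens.refreshToken,
    expiresAt: now + res.body.expires_in * 1000,
  };
}

// Return a usable access token for this session, refreshing only when needed.
// `session.tokens` must live in a server-side store (DB/Redis) keyed by session id so a
// user returning days later still has the refresh token available.
async function getAccessToken(session, deps, now = Date.now()) {
  if (!session.tokens || !session.tokens.refreshToken) {
    const err = new Error('no tokens in session');
    err.reauthenticate = true;
    throw err;
  }
  if (needsRefresh(session.tokens, now)) {
    session.tokens = await refreshTokens(session.tokens, deps, now);
  }
  return session.tokens.accessToken;
}

// Hypothetical Express-style middleware: attach a fresh token, or send the user back to login
// when the refresh token itself is dead.
function requireAccessToken(deps) {
  return async (req, res, next) => {
    try {
      req.accessToken = await getAccessToken(req.session, deps);
      next();
    } catch (e) {
      if (e.reauthenticate) {
        req.session.tokens = null; // drop the dead token set so we do not retry it
        return res.redirect('/login');
      }
      next(e);
    }
  };
}
```

The user coming back after three days costs exactly one refresh call on their first request; the only case that forces a password login is an `invalid_grant` from the token endpoint, which is how the PHP side signals that the refresh token has expired or was revoked.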
I'm kinda confused using Google API
I've a FORM on my website for booking events on my public calendar. Whenever a user books an event, I make a call to get an Access Token (using Client ID & Secret and Refresh Token), but using the same Refresh Token that I generated initially. For every new Access Token, I'm using the same Refresh Token. It's all working fine. But I don't understand the flow.
Do I need to generate a new Refresh Token on every call? What are some limitations of not doing so? Can I keep on generating Access Token with the same Refresh Token indefinitely? Thanks!
Refresh tokens are long lived; they can expire if the user whose account was used to create it removes access. If it's not used in the last six months, Google will also expire the refresh token. Here is one that is a bit tricky: if you use the client ID to request access from the user, you get a refresh token; if you do it again, you get another refresh token. Technically both refresh tokens work. You can do this up to 50 times; on the 51st time, the first one will be expired. You can use a refresh token as many times as you want to get a new access token.
My question for you is: whose Google calendar are you writing to, the user's or some default one on your website? If this is a central Google calendar that you are writing to, then you should consider using a service account rather than OAuth2. I have an article on how service accounts are used if you are interested: Google Developer service accounts
I have a PHP application using the LinkedIn API to show my company updates.
I know that the access token has a duration of 60 days, and to refresh it I need to be connected to LinkedIn and have a current access token that is less than 60 days old.
But my question is, in my application users don't log in; I use my own account to get the first access token and call API methods with my access token.
How can I refresh my own access token so that my web application works for more than 60 days without getting a new token manually? If I don't do anything but my app is still calling the API, will the access token be refreshed automatically?
Thanks a lot!
I am not sure, but I think you have to manually log in and update the 60-day token.
I have built a similar C#.NET app where I save the token and expiry date in a file. I then cache the file forever.
I cache the result from the API for 5 min. When the cache expires and I make a new request to the API, I also check the expiry date of the token.
When it is less than 3 days, I send an email to the admin to update the token by logging in through my special login window, where I save the 60-day access token.
LinkedIn's OAuth 2.0 documentation covers how to refresh your access tokens: https://developer.linkedin.com/docs/oauth2#refresh
Note that there is a requirement that the user is logged into linkedin.com in order to refresh their token - so if your app has no user interaction when you attempt to do the refresh, it won't work and the tokens will be expired by LinkedIn.
I am using InfusionSoft's API to save the contents of a form that is filled out on a website. The API uses OAuth, and from what I can tell there isn't a way to have a life-long session.
The way OAuth appears to work is that it is designed for a user to log in if their session has expired, just like logging into a website. This obviously isn't suitable for an API, but I'm sure this isn't an unusual requirement.
I have an initial token, but after that expires, what then? The only thing I can think of is to have a cron job that runs hourly to refresh the access token (there is a 'refreshAccessToken' method).
You need to store both the Access Token (short term - it is live for 24 hours) and the Refresh Token (long term).
You will only need to call the refreshAccessToken method at the start of each session. That method will return both a new Access Token and a new Refresh Token.
Use the new Access Token for the current "session" when making API requests. The Access Token will be valid for 24 hours (this changes from time to time).
Store the new Refresh Token and use it again for your next session.
I am making an OAuth 2.0 request and it is returning me JSON with refresh_token and access_token. Why are there 2 in OAuth 2.0?
Which one is short lived?
What is the purpose of both?
I read this question on SO but that didn't help me much. Any help in this regard will be appreciated.
Thanks
The access token is what you will use to authenticate your service requests. It generally contains details about the user, or is directly mapped to the user and the permissions that he has granted.
These tokens are short lived, something like one hour; the actual duration differs per provider.
The refresh tokens, on the other hand, are used to get a new access token when the one that you have expires. They have a much longer (sometimes infinite, until explicitly revoked) lifetime.
Now, let's consider an end to end scenario. Let's say you create an app that does Facebook actions on a user's behalf - post on their timeline etc.
Your app redirects the user to log in to Facebook - you use Facebook SDK for this.
When the user successfully logs in and gives you the required permissions (post on timeline) you get an access token and a refresh token.
Your app can now hit the Facebook API to post on the user's timeline on his behalf with the access token. This token can be used for one hour (or whatever time the access token is valid for).
Once the token is about to expire, you can hit a Facebook API to refresh the access token. So, you call into the API with the refresh + access tokens.
The API returns a new access token to you - you can use this now till it expires.
PS - This is not how it happens for Facebook actually. This was just a random example to explain how refresh and access tokens differ.
If this makes sense, go back to the question that you have linked. It has some really good answers. :)
I'm trying to make an application which gets the posts of a Facebook page. I did everything and it is working fine, but I have a problem with the access token. I've tried some SO answers about making an FB app, but it didn't work for me. I got to the point where my token expired; then I refreshed the page, but the page asked me to verify access. I cannot have it like this, because it doesn't serve the purpose.
Now I'm taking the content from this url with file_get_contents("https://graph.facebook.com/soecz/posts?access_token=CAACEdEose0cBAJrnTKwdTdaloBgShsNSIkJjspgQocumZB4CV4mZACpAo3xj57gYcVYYYeHDBxi2ltNCT7SZB0Yl51PBQCrInIKstadeRR5OidYG8pibAAUHIiC51QUxgfTgFMY4DLUlglda7YiaP5yQiYbRftxwipRK5MZBVyzags0eReHx");
But after 2 hrs the token expires and I get an OAuth error. Do you have any solutions? I will use it to get the posts from the page. I do not want to edit/post anything with this, just get the posts and write them. Also I do not want to redirect users when the token expires. Thanks for solutions
See scenario 5 of https://developers.facebook.com/roadmap/offline-access-removal/. By extending the 2-hour (short-lived) token to a 2-month (long-lived) token, you can then query for the page token, which will not expire.
Exchange the short-lived user access token for a long-lived access token using the endpoint and steps explained earlier. By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages. This will also apply when querying with a non-expiring user access token obtained through the deprecated offline_access permission.
So you will only need to "verify" once as a user then you can save the page access token after that.