When a user authenticates through app A and app A receives a refresh token, will that refresh token be the same if the said user was to authenticate through app B?
Related
My application needs to log in to each user and generate the bearer token for each of them. By using the bearer token I can fetch the result using Twitter API v2. Anyone, please help me how can I do that.
The bearer token is specific to your application, NOT to the user. Bearer token / app only authentication is JUST for the app, not for the user. The first time you create the app on the Twitter developer portal, you get the bearer token which you should save in your password manager.
The account token - when a user is logged in to your app - is different. If you need this, you can also generate it on the developer portal FOR YOUR ACCOUNT ONLY, or you can make your app implement sign-in with Twitter via OAuth 1.0A. These tokens will enable your app to operate for a user and port new Tweets, like Tweets, create lists, etc.
I have an Blazor Server Side App with Azure AD B2C authentication using authorization code flow. On user login the app successfully retrieves an ID token, an access token and a refresh token for the user. All tokens are stored in the authorization cookie.
Currently the app validates the ID token periodically in ValidateAuthenticationStateAsync of a customized RevalidatingServerAuthenticationStateProvider. The provider gets the exp claim and validates whether the token has been expired or not. In case of expiration the provider simply returns Task.FromResult(false); which results in the user being logged out.
Instead of a user sign-off I would rather implement a silent renew / refresh of the ID token. I've tried existing solutions (hidden iframe with some HTTP requests) like oidc-client but here the first request to the /authorize endpoint uses prompt=none which is not supported by B2C (login page is always displayed in the hidden iframe).
How to do this without implementing everything from scratch? Is there an existing solution I can use?
When using Authorization Code flow with Azure AD B2C, the refresh token should be send to the /token endpoint (https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview#endpoints). The library you are using should be doing it automatically or you have to do it using a call to /token endpoint like following:
POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&scope=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 offline_access&refresh_token=<<REFRESH-TOKEN>>
We have implemented the below process for revoking OAuth access tokens / refresh tokens to de-link an external app from our application.
On logout / user initiated de-linking action, we delete the access token and refresh token that was obtained from the initial authorization flow
User has to go through the authorization flow again once again to obtain the access token and refresh token
We are not calling any token revoke function / API call to the authorization server
My question is:
Does the authorization server automatically revoke the first set of access token + refresh token if a new authorization flow has been initiated by our app?
Are there any potential pitfalls to avoid in this approach?
The reason we took this approach is because most 3rd party apps do not offer revoke access related APIs and require the user to go to the 3rd party app to remove access / de-link the authorized apps.
Does the authorization server automatically revoke the first set of access token + refresh token if a new authorization flow has been initiated by our app?
No, most won't. Consider a scenario where a user is logged into your application from multiple devices. Each would get a valid access/refresh token.
So, you can't rely on this.
I need to be able to monitor a user's Hotmail or Outlook account in the offline mode via a backend. But the user can sign up and authorize the account access either from a web app e.g. Laravel or Lumen or from a Cordova mobile app or another SPA interface such as Angular. Basically, the app is configured on https://apps.dev.microsoft.com for an implicit flow.
Since the app requires a backend offline processing lets say few times a day - I will need a refresh token to renew the access_token. There are two ways to get consent from the Azure AD.
authorize = id_token + token (But the limitation is that id_token is only client specific). This approach is more suitable for fetching the emails when client is running and user is online.
authorize = code and then generate access_token and refresh_token.
Question - would option 2 work for both hotmail/outlook.com and O365? If the access and refresh tokens are generated by the client - would they work for both online and offline access of a user's account and email.
Of course you can. But if you want to receieve a refresh token in token response, your app must request and be granted the offline_acesss scope.
The offline_access scope gives your app access to resources on behalf
of the user for an extended time. On the work account consent page,
this scope appears as the "Access your data anytime" permission. On
the personal Microsoft account consent page, it appears as the "Access
your info anytime" permission. When a user approves the offline_access
scope, your app can receive refresh tokens from the v2.0 token
endpoint. Refresh tokens are long-lived. Your app can get new access
tokens as older ones expire.
REQUEST EXAMPLE:
// Line breaks for legibility only
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state=12345
Actually, if you use code grant flow to sign in AAD, you will see this Page:
If you click Yes, you will consent offline_access scope.NOTE: This works for both MSA and AAD Account.
You can see more details about offline_access sope in this documentation.
I'm having an iOS app where the user authenticates with Facebook on the device and also communicating with my server API.
Authentication
Today I'm sending the Facebook user access token (over SSL) and the server verifies the token with Facebook. Thats the authentication mechanism for the API.
Session token
Instead of using a generated token to user for all future API calls, I use the Facebook access token as the session token as well. This makes it a lot easier on the device as you don't have to care about first getting the token and then call the API. You just send the Facebook token in each call, easy.
Is this a good solution when authenticating with Facebook towards an API?