I have implemented the device code flow using OpenIddict and have no problems getting an access key. But I can't get a refresh key like I can with the normal authorization code flow.
When sending a request to the Device endpoint with scope set to offline_access, then I can see in the database table OpenIddictAuthorizations that the scope is picked up and stored. I also see in the database table OpenIddictTokens that only access_token, device_code and user_code are created. No refresh_token is created in that table, and only the access token is returned when calling the /token endpoint.
Do I do something wrong or is getting a refresh key simply not supported in device code flow?
Related
I m using a client credential flow to access the API. I am getting the access token each time client make a call to Web API which seem to me may not be good but not sure why. I looked through web I am getting mix answer, some say Client Credential flow doesn't return refresh token some say possible but it is not clear how. I looked at the project where it seem to store the token in the cache but doesn't show how it can be use when needing to get the access token.
Even if Client Credential flow doesn't support or send refresh token. I am searching for a way to store the access token and use it until is is not expired and get a new one when it is expire. This is where I am looking for support.
Beside that I do have relevant question.
Should I just get the access token each time? what is the downfall of it?
Should I include a Test method is Web Api to validate if the token is expired and return "Unauthorize" response based on that response I get the new token? With this approach, I will calling the API each time I need to access the API for actual purpose. So wouldn't I just get the access token from the Authorization server (Microsoft Identity platform).
Have a look at these resources:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-credential-flows
https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=aspnet
One possible solution is to implement internally your own solution:
Get the Token.
A Dictionary is going to hold the (API type) as a key and the corresponding token as its value.
Next call check if the token exists in your Dic(TryGetValu(ket, out param)).
Check "ExpiresOn" on the AuthenticationResult (the Token) and compare its time for validation.
Remember to maintain your Dic by Updating or adding new tokens.
I would like to use the oauth2 token permanently in my website.
Using google API, when the user giving permission to manage their google calendar, I am getting the access token from google API. I want to save it in database and use it for the last long.
But it is getting invalid. I tried to refresh the token using the oauth2 refresh token API. But getting the error as follows.
Array ( [error] => invalid_grant [error_description] => Token has been expired or revoked. )
I don't want the user to give the permission each time when he enters the website.
I would also like the admin need to access the user's calendar using this token or any other way if it is.
How can I achieve this?
Instead trying to get the permanent token, I am using the refresh token option.
When I call the google calendar using tag, I have added the parameter like "access_type=offline" as follows
$login_url = 'https://accounts.google.com/o/oauth2/auth?scope=' . urlencode('https://www.googleapis.com/auth/calendar') . '&redirect_uri=' . CLIENT_REDIRECT_URL . '&response_type=code&client_id=' . CLIENT_ID . '&access_type=offline';
After the user allows, I'll get access_token with refresh_token as response. I am saving those in database. Then everytime, when the user's calendar access by the admin, will get the new access_token using the refresh_token that is stored in the database through the refresh_token api call until the user use the unsynchronize option in my site.
Once the user unsynchronized the calendar, I'll update the database.
Problem is resolved.
Bottom line is you can't get a permanent token - but you can mitigate the need for your user to re-supply credentials.
The solution depends what grant type you are using (which depends largely on whether your application runs on a server or or a end-user's machine). You mention a website so hopefully you use a grant type which returns a refresh code too.
If your app runs on a server and you get a token via the authorisation code grant then you should be able to also get a refresh token when you get an access token. You can use that refresh token to request new refresh/access tokens on a back-channel, without need of your user, or their credentials.
Effectively you should then have long-lived access to your user's google resources providing the user doesn't revoke access.
If you use other grant types, like implicit grant, then you can't get a refresh token. You will need to regularly obtain a new access token. If your user remains logged-in to google on the device your app is running on then they should not be required to supply their google credentials when you request a new access token, so you won't be constantly pestering them for credentials.
I have created OAuth 2.0 Playground access tokens using the following info:
Select & Authorize APIs: https://www.googleapis.com/auth/consumersurveys https://www.googleapis.com/auth/userinfo.email
GET https://www.googleapis.com/consumersurveys/v2/surveys
This works (for me it returns a list of surveys I had created previously).
However, when I create access tokens using Postman OR retrieve them from AspNetUserClaims table those access tokens don't work.
Example #1: I get an access token in Postman for Google and add it to the Header (a checkmark appears for Bearer and token). I press Send in Postman and it returns "Invalid_Credentials". In case the token is expired or invalid, I delete it and create a new one to use in the header. Still fails.
POSTMAN info:
Auth URL: https://accounts.google.com/o/oauth2/auth
Access Token URL: https://accounts.google.com/o/oauth2/token
Client ID: hidden
Client Secret: hidden
Scope: https://www.googleapis.com/auth/userinfo.email
Grant Type: Authorization Code
Request access token locally is checked.
Example #2: I use the Google Sign-On button on my dev site which generates an access token that is then stored in the AspNetuserClaims table. I copy that access token into Postman (a checkmark appears also) and press Send and it also returns "Invalid_Credentials". In case the token is expired, I delete the newly created account and access token from all the AspNet user tables and try it again. Still fails.
Why is this only working with OAuth 2.0 Playground tokens in Postman? They are all newly generated tokens through the Postman token wizard or newly registered user accounts or the OAuth2.0 Playground wizard, but only the OAuth2.0 Playground tokens actually work...
Figured this out.
I believe the issue was that the access token in Postman required more scopes to authenticate me fully, which makes sense since this API contains surveys that I am trying to access, which are also linked to a Google account. This started working only after I added the consumersurveys.readonly scope (using A SPACE) along with the userinfo.email scope, as outlined below.
This SCOPE SETTING alone didn't work:
https://www.googleapis.com/auth/userinfo.email
This SCOPE SETTING with more permission to this API DID work!
https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/consumersurveys.readonly
More info on adding scopes to C# code can be found here: http://www.oauthforaspnet.com/providers/google/
Hope this helps anyone else out there who runs into a similar issue.
I am using Google Drive API(C#) with service account as mentioned in
https://developers.google.com/drive/delegation
I am able to work with DriveService object, but after 1 hr, it errors out with exception: "The remote server returned an error: (401) Unauthorized."
I know, by setting "access_type" to "offline" we could solve this problem, but I am not able to set this property for DriveService object.
Does anyone know how to refresh this Google Drive Service object?
Thanks in advance
Service accounts come with a private key - and that's their moral equivalent/superset of the refresh token that is returned as a result of a user-driven consent flow.
When a user consents to offline access (via a web server or similar OAuth flow) a refresh token is returned that can be swapped (along with the client secret) at any time for an access token.
In the same manner a service account private key can be used to sign an assertion that can also be swapped for an access token - that's useful for cases where no user is present to accept a consent screen, or where you are performing work on behalf of other users in your organization.
Once you get an access token it is treated in the same way - and is expected to expire after 1 hour, at which time a new access token will need to be requested, which for a service account means creating and signing a new assertion.
Generally noticing that the access token is expired and requesting a new one is taken care of for you by the Google client libraries - although I'm not familiar with the C# version. If you could share your code that creates the DriveService object that would be helpful.
When you set offline access mode, your app gets a refresh token when the user logs in for the first time.
access_type ::
Indicates if your application needs to access a Google API when the
user is not present at the browser. This parameter defaults to online.
If your application needs to refresh access tokens when the user is
not present at the browser, then use offline. This will result in your
application obtaining a refresh token the first time your application
exchanges an authorization code for a user.
You later use this refresh token to obtain a new access token, once the current access token expires. Basically, your app would then hit the token exchange endpoint (POST to https://accounts.google.com/o/oauth2/token) with the refresh token and your client credentials - google with then issue a (refresh token + access token) pair to you.
See this link for further clarification.
EDIT - I checked the Service Account documentation and found a sample C# app that fetches and uses refresh tokens too. See it here.I hope this one helps.
I am following this tutorial about OAuth2.0 https://developers.google.com/youtube/v3/guides/authentication
It looks quite clear how OAuth2.0 works. But I have a bit confusion at the access token part.
After obtaining an access token for a user, your application can use
that token to submit authorized API requests on that user's behalf.
The API supports two ways to specify an access token: Specify the
access token as the value of the access_token query parameter:
www.googleapis.com/youtube/v3/videos?access_token=ACCESS_TOKEN
if someone acquired this access token during the url transferring they can access this protected resource right?
How the server know if the request is coming from the client initially requested the access token?
UPDATE:
after reading this post Are HTTPS headers encrypted? my confusion is cleared. I thought query string is not encrypted during transmission in the network.
Generally I think the consensus is that OAuth 2.0 is a server side technology and all access tokens and communication should be transmitted using SSL as the bearer tokens need to be kept as secure as possible.
Also, you need to know that there are 2 types of flows in OAuth 2.0
i) Implicit grant flow - This is the flow where the user logs in to the service provider and his browser gets the access token. Say you have X.com and Log in via Facebook. Once the user keys in his FB credentials, the access token is sent to his browser.
ii) Authorization Code flow - In this flow (consider the above situation again), facebook will pass an authorization code to the user's browser. If anyone, somehow, intercepts the authorization code there is nothing he can do. An authorization code can be exchanged for an access when passed with valid client credentials. So, when the user logs in, his browser gets an authorization code which is passed to your server at X.com. from there you would hit the code-token exchange endpoint provided by FB and get the access token returned to your server!
Authorization code flow adds another layer of security, where the access token is visible only to the client + server and not to the user agent. And as you figured out yourself, the token is passed via HTTPS.