Case Scenario :
Suppose a user logs into a third party website using google Oauth. By default the google access token has the expiry time of about 3600 seconds.
If , after logging into the third party website
User deletes/inactivates the gmail account.
User removes the consent given to the third party app in gmail.
In the above cases does the access token get expired ?
In the above cases does the refresh token get expired?
Does the below link give the actual information about the access token in any one the above scenario.
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=
Suppose a user logs into a third party website using google Oauth.
Oauth2 is not for sign in (authencation) it is for authorization. So a user would not login to a third party website using oauth2 they would login to a third party website using their google account and open id connect.
By default the google access token has the expiry time of about 3600 seconds.
Industry standard for Oauth2 stats that an access token would expire after an hour or 3600 seconds.
In the above cases does the access token get expired ?
No access tokens are self contained bearer tokens. They will work until they expire in this case an hour. There is no additional validation on them it is assumed that the bearer of said token has access to the data for an hour. Yes even if they delete the access.
In the above cases does the refresh token get expired?
if the user revokes your access via their google account. All outstanding refresh tokens are removed immediately they will no longer work.
Does the below link give the actual information about the access token in any one the above scenario.
The UserInfo endpoint (is a standard endpoint) which can be used to retrieve identity information about a user who has authorized the application.
information returned can vary by server but it is most often. Username, profile name, can contain email address and birthdate.
The end point will return the info as long as the access token has not expired.
Related
I'm following this article to understand refesh tokens.
In my case I have to connect to REST api using grant_type=password, and I receive a token with a 5 minute lifespan. So every 5 minutes I have to issue a POST request passing client-id, username & password to get a new acces token.
The other option would be to issue a POST with a grant_type=refresh_token, without having to send the username & password. In my case I'm consuming an api, so passing the credentials doesn't involve any action from the final user. For me it's just to params more to send on the POST request.
In both cases, I have to issue a new post every 5 minutes.
Is that the only advantage (not needing to pass credentials again) of using the reresh token or is there any other thing I'm missing?
Background info
OAuth 2.0 Password Grant
The Password grant type is a way to exchange a user's credentials for an access token. Because the client application has to collect the user's password and send it to the authorization server, it is not recommended that this grant be used at all anymore.
OAuth 2.0 Refresh Token
The Refresh Token grant type is used by clients to exchange a refresh token for an access token when the access token has expired.
This allows clients to continue to have a valid access token without further interaction with the user.
Consider this.
Lets say that i add my login and password for my twitter account to your application and you then use that to request access from twitter to may account to post. Three months later i have forgotten i have set your awesome app up to do something on my twitter account and i change my password. Your system will break.
Now lets say i used Oauth2 to grant you access to my Google drive account, your awesome app can now do what ever it needs to do on my drive account. Now three months latter i have again forgotten i gave your awesome app access, I have the memory of a gold fish you see. I change my password. Nothing happens your awesome app still has access.
Now consider this, With oauth2 i can grant you access to only read from my google drive account not update it (scope). That and the system knows its not actually me preforming the actions.
With client login (login and password) most of the time it appears to the system that it is the actually owner of the account making the requests. You can also not limit access with client login for the most part you have full access.
note
yes i am ignoring the part about both tokens returned being the expiration time time. Thats because for all intensive purposes they are the same but that depends greatly on how the auth server you are using is set up. They could be set up to only be valid for an hour or a day. They may give you different access scopes, again this differs greatly from auth server to auth server.
My skill requires Account Linking which will authenticate customers with an AWS cognito user pool through OAuth 2.0 Protocol.
I can specify in the user pool the TTL of the refresh token, which I decided to have it valid for 60 days.
From what I understand, alexa sends you the access token along with each request that your skill receives so you can identify customers using the skill. If their access token expires alexa would handle this by refreshing their token before forwarding the request with the access token to you. So you can have a valid access token.
Now, what happens when the refresh token expires? and does it expire after 60 days even if the customer is using the skill on daily basis? I guess what I'm asking is:
When the access token expires and alexa refreshes it. Does the refresh token also get refreshed?
If yes, how do we keep the customer signed in and their account linked when the refresh token expires after 60 days?
I think you can find the answers in the documentation.
Verify that the token is valid
If the accessToken exists, verify that it identifies a user in your resource server. The token could become invalid for multiple reasons, for example:
The user deleted or canceled their account with your service. For example, an Alexa user might have set up account linking with Ride Hailer, then later canceled their Ride Hailer account. At this point, the token stored by the Alexa service would identify a non-existent user.
The token has expired, and the Alexa service was unable to obtain a new token. This can occur with an authorization code grant if your authorization server does not provide refresh tokens. This can also occur if you use an implicit grant, which does not support refresh tokens.
If the token is valid, handle the request normally. You can use the token to access data from your resource server as needed. In the Ride Hailer example, the skill would retrieve profile and payment information for the user from the Ride Hailer service, order a car, and return a confirmation to the user. See Return a Response for details.
I need to be able to monitor a user's Hotmail or Outlook account in the offline mode via a backend. But the user can sign up and authorize the account access either from a web app e.g. Laravel or Lumen or from a Cordova mobile app or another SPA interface such as Angular. Basically, the app is configured on https://apps.dev.microsoft.com for an implicit flow.
Since the app requires a backend offline processing lets say few times a day - I will need a refresh token to renew the access_token. There are two ways to get consent from the Azure AD.
authorize = id_token + token (But the limitation is that id_token is only client specific). This approach is more suitable for fetching the emails when client is running and user is online.
authorize = code and then generate access_token and refresh_token.
Question - would option 2 work for both hotmail/outlook.com and O365? If the access and refresh tokens are generated by the client - would they work for both online and offline access of a user's account and email.
Of course you can. But if you want to receieve a refresh token in token response, your app must request and be granted the offline_acesss scope.
The offline_access scope gives your app access to resources on behalf
of the user for an extended time. On the work account consent page,
this scope appears as the "Access your data anytime" permission. On
the personal Microsoft account consent page, it appears as the "Access
your info anytime" permission. When a user approves the offline_access
scope, your app can receive refresh tokens from the v2.0 token
endpoint. Refresh tokens are long-lived. Your app can get new access
tokens as older ones expire.
REQUEST EXAMPLE:
// Line breaks for legibility only
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state=12345
Actually, if you use code grant flow to sign in AAD, you will see this Page:
If you click Yes, you will consent offline_access scope.NOTE: This works for both MSA and AAD Account.
You can see more details about offline_access sope in this documentation.
I tried to add YouTube Video from the third party and After one day, I got the success in doing so. But While uploading a video the access token is required and in order to get that access token the user must be logged in. And the expiration time for that access token is 3600 seconds( 1 hr).
Now, There are some of my questions regarding this.
Is there anyway, by which I can refresh access token.
If some one has G Suite account, then Is there any special values for expiration time, or it remains the same?
As per the documentation, I can have maximum 50 tokens, So is there any alternative for it, So that I can get valid token after 50 requests.
To answer your question for number 1, you can check the documentation here.
Access tokens periodically expire. You can refresh an access token
without prompting the user for permission (including when the user is
not present) if you requested offline access to the scopes associated
with the token.
If you use a Google API Client Library, the client object refreshes the access token as needed as long as you configure that
object for offline access.
If you are not using a client library, you need to set the access_type HTTP query parameter to offline when redirecting the
user to Google's OAuth 2.0 server. In that case, Google's
authorization server returns a refresh token when you exchange an
authorization code for an access token. Then, if the access token
expires (or at any other time), you can use a refresh token to obtain
a new access token.
Requesting offline access is a requirement for any application that
needs to access a Google API when the user is not present. For
example, an app that performs backup services or executes actions at
predetermined times needs to be able to refresh its access token when
the user is not present. The default style of access is called online.
About the G Suite account, it was stated 24 Hours in the documentation. Note:
In this SO post answer, the function of Access Token and Refresh Token was discussed.
I am not sure if there are ways to alter the limits because of security reasons.
To clearly differentiate these two tokens and avoid getting mixed up,
here are their functions given in The OAuth 2.0 Authorization
Framework:
Access Tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The
client uses the access token to access the protected resources hosted
by the resource server.
Refresh Tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server
and are used to obtain a new access token when the current access
token becomes invalid or expires, or to obtain additional access
tokens with identical or narrower scope.
In OAuth1.0,the access_token and the access_secret is unique for every user in the third party system(like facebook).so when i login by Facebook,it returns me the access_token and access_secret,i can register a user in my site and login.
In OAuth 2.0,it only returns access_token,and expires time.and the access_token may expire after several days. how to identify a person?(or must i request it's api to save the uid of facebook to reach this goal)?
Keeping track of users is completely in your responsibility and not part of OAuth. OAuth just specifies how you can get access using an Access Token to a provider API.
So yes, you have to fetch the user info from Facebook to get the unique ID. ;)