I have included the 'extended' scope while generating the authorization URI for oauth code grant flow, but while refreshing the access token, in the response I am getting the scope as 'signature'. How to get the refresh token with extended scope when refreshing the access token. I have attached my code to get the access token from refresh token.
auth_string = "{0}:{1}".format(
DOCUSIGN_CLIENT_ID, DOCUSIGN_CLIENT_SECRET
)
auth_encoded_hash = b64encode(auth_string.encode("utf-8"))
auth_header = auth_encoded_hash.decode("utf-8")
url = "https://account-d.docusign.com/oauth/token"
headers = {
"Authorization": "Basic {0}".format(auth_header),
"Content-Type": "application/x-www-form-urlencoded",
}
body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
_response = requests.post(url, data=body, headers=headers)
response = _response.json() # here I am getting scope as 'signature'
My second follow up question on this, if the refresh token itself get expires while refreshing the access token what would be the error message I will be getting in the response above?
The "extended" scope is needed when you originally consent and get the token from the user so that the refresh token will not expire for 30 days. It is not needed every time you use said refresh token to obtain a new access token.
Error messages for an expired token will typically get an invalid grant error, but the error is subject to change, you should handle all errors and not look for a particular error string.
See Which is the error returned when a DocuSign refresh token is expired? for similar question/answer.
The refresh operation request does not include scopes.
The refresh operation response may include the scopes that were previously requested.
Here is the refresh operation:
curl --location --request POST 'https://account-d.docusign.com/oauth/token' \
--header 'Authorization: Basic 'NWYxZTg4…………...TJkOGI2Yg==' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'refresh_token=eyJ0eX…………...Dp_hA' \
--data-urlencode 'grant_type=refresh_token'
If the refresh operation succeeds, then the response contains a new access token and a new refresh token.
Next, throw away the old refresh token and use the newly received refresh token until the next time.
In other words:
the first refresh API call uses the refresh token returned by the Authorization Code grant flow
then each subsequent refresh API call uses the refresh token returned by the prior refresh API call
Blog post about using refresh tokens
Related
When i first authenticate to Salesforce I get an access token and a refresh token. But if the access token has expired i make a call using the refresh token to get a new access token , but in the response there is no new refresh token , is that correct , does the refresh token nver expire for Salesforce .
Here is the call i am making to get a new access token using the refresh call.
var client = new
RestClient("https://myOrg.salesforce.com/services/oauth2/token");
var request = new RestRequest("", Method.POST);
request.AddParameter("refresh_token", {currentRefreshToken},
ParameterType.GetOrPost);
request.AddParameter("grant_type", "refresh_token", ParameterType.GetOrPost);
request.AddParameter("client_id", {clientId}, ParameterType.GetOrPost);
request.AddParameter("client_secret", {clientsecret}, ParameterType.GetOrPost);
var response = client.Execute(request);
I would have expected a new Refresh token in the response ?
What does the documentation say? An Authorization Server does not have to roll refresh tokens. It also doesn't mean that the refresh token does not expire. If the refresh token is a JWT you can decode it and check the expiration time. Otherwise, you can use it for as long as you don't get a 401 response from the refresh endpoint. Once you do, it means that you have to perform the authorization flow once more.
I am making the following curl call:
curl -k -d "grant_type=client_credentials" -H "Authorization: Basic <Encoded ID & Secret>)" https://MyIDPUrl/token
I get a response of:
{
"access_token":"MyAccessTokenHere",
"scope":"am_application_scope default",
"token_type":"Bearer",
"expires_in":3212
}
It all seems fine, except that I am not getting a refresh token. I tried adding &scope=openid to the url, and that added an id_token to the response, but not a refresh token.
How can I get a refresh token with WSO2?
The specification states that client_credentials grant type does not return a refresh token.
It makes sense because the point of a refresh token is to not bother the user to login again. But with client_credentials, you can just go get another access token.
source
Yes for the client_credentials grant type there is no usage of having a refresh token. But if you want to get a refresh token you can allow getting a refresh token by changing a configuration in the identity.xml (IS_Home/repository/conf/identity) In the following section,
<SupportedGrantType>
<GrantTypeName>client_credentials</GrantTypeName>
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
<IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
<IdTokenAllowed>false</IdTokenAllowed>
</SupportedGrantType>
if you change the value of the IsRefreshTokenAllowed to true it should return a refresh token. (You need to restart the server after changing the configuration value). By default it is false as there is no user engagement in this grant type refresh token is not useful.
As #Vaccano said, using client_credentials grant type does not return a refresh token.
Instead you can use Password grant type instead, that does return a refresh token:
curl -k -X POST https://localhost:9443/oauth2/token
-d "grant_type=password&username=Username&password=Password"
-H "Authorization: Basic Base64(consumer-key:consumer-secret)"
Get Access Token request of OAuth1.0 only work once for Magento1.9 after being redirected back from Authorization URL. Next time when requesting for Access Token I get reject_token.
What I noticed there is difference in signature of both objects' signature.
Request 1(successful):
OAuth::Consumer.new(consumer_data)
OAuth::RequestToken.from_hash(some_hash)
request_token.get_access_token(oauth_verifier: 'asdfasdagbadbv')
with signature having
oauth_nonce=\"iIHmN7obLeONSitOxFFZQI71v0k4mAsEFLFen0Lw\",
oauth_signature=\"lwj0n1AK3VJLdaXHIWEOFlYp5qc%3D\"
Request 2(unsuccessful):
OAuth::Consumer.new(consumer_data)
OAuth::RequestToken.from_hash(some_hash)
request_token.get_access_token(oauth_verifier: 'asdfasdagbadbv')
with signature having
oauth_nonce=\"KciY4tiiPDu1u029Nbdu1C325svchfESTYV1l8mvw\",
oauth_signature=\"KciY4tiiPt5Du1u029Nbdu1CzCHzvc%3D\"
This may be or may not be the issue but this is the only difference I found so far in both requests.
Please someone help me in updating oauth_nonce and signature or devise some other solution.
The problem is in the second line.
request_token.get_access_token(oauth_verifier: 'asdfasdfa')
According to Auth documentation request token should be used one time. Request token expires once we use them. You are using expired request token in the second call which causes reject_token 401 unauthorized.
Solution
Actually, request tokens are used to generate Access Token. Access Tokens can be used multiple times. So what you need is to store Access Token somewhere, generated in first request_token.get_access_token(oauth_verifier: 'asdfasdfa') line. Then you can use saved access token in the reset of your API calls. The syntax of using access token is the following:
#consumer = OAuth::Consumer.new(...)
#token = OAuth::Token.new('ACCESS_TOKEN', 'ACCESS_TOKEN_SECRET') // saved access token and secret here
#consumer.request(:post, '/people', #token, {}, #person.to_xml, { 'Content-Type' => 'application/xml' })
im getting unauthorized error when calling https://sandbox-api.uber.com/v1/estimates/price
I'm using Auth0 and can successfully login with scopes profile request and all_trips.
I get the id.token from the result and pass it to client header
_authHeader = new AuthenticationHeaderValue("Bearer", token);
_client.DefaultRequestHeaders.Authorization = _authHeader;
If using a server_token and not an oauth access token the header should be "Authorization: Token ". See the example in the curl guide.
I have a RoR app where I am authenticating against Google using omniauth and google_oauth2 where I am requesting offline access.
How do I use my refresh token to request a current access token? Also, how can I refresh my access token when it no longer works? I don't want to have any user interface in this situation, assuming of course that the authorization hasn't been taken away.
For an example using the Ruby HTTParty gem:
Where #auth is an ActiveRecord record that stores the auth keys for the specific user you are trying to refresh tokens for.
# Refresh auth token from google_oauth2 and then requeue the job.
options = {
body: {
client_id: <YOUR GOOGLE API CLIENT ID HERE>,
client_secret: <YOUR GOOGLE API SECRET KEY HERE>,
refresh_token: #auth.refresh_token,
grant_type: 'refresh_token'
},
headers: {
'Content-Type' => 'application/x-www-form-urlencoded'
}
}
#response = HTTParty.post('https://accounts.google.com/o/oauth2/token', options)
if #response.code == 200
#auth.token = #response.parsed_response['access_token']
#auth.expires_in = DateTime.now + #response.parsed_response['expires_in'].seconds
#auth.save
else
Rails.logger.error("Unable to refresh google_oauth2 authentication token.")
Rails.logger.error("Refresh token response body: #{#response.body}")
end
I don't see anything in google_oauth2 that handles fetching a new access_token with a refresh token, so it looks like you'll need to make the exchange directly.
Google's official OAuth 2.0 documentation explains how to do this at a low level. Within your server-side code, use your favorite HTTP client to construct a request that looks like this:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET&
refresh_token=REFRESH_TOKEN&
grant_type=refresh_token
where CLIENT_ID and CLIENT_SECRET are the same ones you used for the original authentication and REFRESH_TOKEN is the refresh token from the original authentication flow. If the exchange is successful, you'll receive a fresh access token in a response that looks something like this:
{
"access_token":"1/fFBGRNJru1FQd44AzqT3Zg",
"expires_in":3920,
"token_type":"Bearer",
}
You can follow this process to grab a new access token whenever you need one. You can either use the expires_in value to estimate when you will need a new one, or attempt a refresh whenever your API request responds with a 401 HTTP status.