I have implemented a google oauth signup.
I can request the tokens with the code provided when the user clicks login via google.
However, the tokens only include the refresh token the very first time that the user signs up/logs in.
All later attempts to get tokens with the auth code only return an access token, but not a refresh token.
I have to manually revoke the app permission in the user's google settings in order to force a new permission prompt which provides me with a new refresh token.
Is there some way to request a refresh token with the auth code? I.e. not just during the first login.
I found the solution. The refresh token is only sent with the response when the consent screen is shown to the user. This only happens during the first login and once the user grants the permission the screen will not be shown anymore.
However, it is possible to force show the consent screen, which results in the refresh_token being sent.
You can do this by adding
prompt=consent
to the oauth url.
or if you use the php api you can set it like this:
$client->setApprovalPrompt('consent');
Related
The normal flow for OAuth2 as described in this SO reply is as follows:
Send API request with access token
If access token is invalid, try to update it using refresh token
if refresh request passes, update the access token and re-send the initial API request
If refresh request fails, ask user to re-authenticate
This is all well and good for most API calls, but I wonder one thing: Authentication.
When a user attempts to sign in to my fancy new webapp using their favourite service, should I use their refresh token (or cached access token in the case of OAuth1) to attempt a sign in, or should I always go and get a fresh token from the service provider (Google, Facebook, etc) and discard the stored access and refresh tokens?
User authentication and OAuth 2.0 are two different things. The difference is explained in detail in: http://oauth.net/articles/authentication/. Even when building user authentication/SSO protocols on top of OAuth 2.0 - which is what OpenID Connect does and some vendor-specific implementations - the refresh_token still always applies to the access_token not to the user authentication event or identity token.
You can not use a refresh token on its own to refresh a user's login session since some interaction with the user (may be active, may be passive) through the browser is required to confirm that the user is (still) present.
To refresh a user's login session you will always have to redirect to the identity provider and get fresh authentication information. Note that that interaction will probably also give you a new refresh token that could be used to refresh the access token.
I have a website where people can post blogs. I want the blogs to be automaticly posted to a Linkedin account connected to the website. So the person posting the blog is not the owner of the linkedin account.
I use the Sharing API from LinkedIN to do this, but this requires the administrator of the linkedin account to refresh the Oauth token every 60 days. I know this is a security thing to prevent illegal use of accounts. But in this case its always my own linkedIN account. Is there a way around this? mabe by using the app key and secret instead of the acces token?
The LinkedIn API docs (https://developer.linkedin.com/documents/handling-errors-invalid-tokens) say:
In the case the access token is already expired, your application will
go through the same authorization flow as previously described.
However, the login dialog will be shown to the user as they will need
to grant access to your application again.
so there's no way around that. But what you could do is go through this flow before the access token has expired. The docs say:
Simply have your application go through the authorization flow in
order to fetch a new access token with an additional 60 day life span.
When the following conditions exist:
User is still logged into Linkedin.com The current access token isn't
expired (within the 60 life span) We will automatically redirect the
user back to your redirect_uri without requiring them to reauthorize
your application. If they don't exist, we'll prompt them to login and
then redirect them.
I'm working on an iOS app which uses login via linkedin. I'm using a web view for the user to login and getting the token from linkedin. If i understand it correct, The token which i received is valid for short period and hence i need to make a call to linkedin with the existing token to get a new token with the extended period. Can you please let me know what api I should call to refresh the token to get the new token with the extended validity?
I'm currently using https://github.com/jeyben/IOSLinkedInAPI
According to LinkedIn there is no direct API to call to refresh a OAuth 2 token. What's supposed to happen is if:
The user is logged into LinkedIn
They have a current (less than 60 days old) token
pointing them to the authentication url will trigger a refresh of their token, without needing the user to log in.
In using the iOSLinkedInAPI library, this didn't seem to be the case.
What I figured out was, the authentication flow wasn't generating a login session cookie from LinkedIn in the iOS simulator or on a device, so requirement 1 was never being met.
You need to have the user login through the regular LinkedIn login page, and this gets you that session cookie, which you can cache. After you send the user to authenticate your app, you can load that cached cookie into the NSHTTPCookieStorage sharedHTTPCookieStorage each time you want to call the authentication URL to refresh the user's token.
I created a helper class with an example if you want to check that out:
iOSLinkedInTokenAuthorizer
I am trying to get access tokens from OAuth.io for any Google based provider however whenever I authenticate I get an access_token but no refresh_token. I have chosen offline for the access_type but still no joy.
I have tried looking through the documentation for a solution but it barely covers anything related to the refresh token.
To get the refresh token from Google, you need 2 things:
The offline option
cf https://developers.google.com/accounts/docs/OAuth2WebServer
"A token that may be used to obtain a new access token. Refresh tokens are valid until the user revokes access. This field is only present if access_type=offline is included in the authorization code request."
The option approval_prompt set to "force"
cf https://developers.google.com/accounts/docs/OAuth2WebServer
"Important: When your application receives a refresh token, it is important to store that refresh token for future use. If your application loses the refresh token, it will have to re-prompt the user for consent before obtaining another refresh token. If you need to re-prompt the user for consent, include the approval_prompt parameter in the authorization code request, and set the value to force."
so your script should look something like
OAuth.popup('google', {
authorize: {
approval_prompt: 'force'
}
}).then(function(google) {
console.log(google.refresh_token)
//send the refresh token to your server
})
If you are working client-side (Javascript / iOS / Android / Phonegap), you may also need to activate the following option: Send refresh token to front-end in the OAuth.io dashboard > General > advanced option to allow your client side SDK to retrieve the refresh token
https://jsfiddle.net/Lqyc5jpw/
I'm using oauth2 on a web server and the flow works flawlessly (https://developers.google.com/accounts/docs/OAuth2WebServer).
However, I have some situations in which I need to re-acquire a refresh_token (let's say for example that the refresh_token has been "lost").
In this case when I go through stages 1&2 again I only get an access_token and not a refresh_token.
If the user revokes permission through his google account console and goes through stages 1&2 again I will get a new refresh_token.
Is this known oauth2 behavior? is there a way to force a new refresh_token or getting the same one again?
From https://developers.google.com/accounts/docs/OAuth2WebServer:
Important: When your application receives a refresh token, it is important to store that refresh token for future use. If your application loses the refresh token, it will have to re-prompt the user for consent before obtaining another refresh token. If you need to re-prompt the user for consent, include the approval_prompt parameter in the authorization code request, and set the value to force.
Butter Answer is here. You have to add parameter approval_prompt=force in your post request for token.