Is there a OpenIddict Sample with Authorization Code Flow with Refresh Tokens?
I use Velusia sample project as server and add
options.AllowRefreshTokenFlow();
to my .AddServer function. I add "offline_access" scope to my Application. However when I send Authorization code to the server, it doesn't return a refresh token.
I forgot to add offline_access scope to my client code request. When I add it, everything worked as expected.
Related
After users sign in, grant permission, and redirect back to my app. I got something like this
{"state"=>"xxx",
"code"=>"yyyy",
"id_token"=>"zzzz",
"user"=>"{
....
}"}
Which is everything I need to create a user account, but the OAuth flow isn't finished yet. For a normal flow, we would use that code to fetch access token from https://appleid.apple.com/auth/token
https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens
My question is, should I do that? It seems to add no value to the current situation.
Basically generate_and_validate_tokens is only if you are using web-based login. If you are using Authenticationservices, then framework handles all the authorisation logic for us. Hence fetching access token from https://appleid.apple.com/auth/token is not required.
Apple is returning id_token directly after user authorization in the call-back response if you request for it, which seems to be your case as well. If you just need users identity to create an account or sign in the user to an associated account on your side, you do not need to fetch access/refresh token by exchange code against the /token api. Just make sure to validate the id_token as mentioned in Verify the Identity token before getting the user details from it.
Exchange of authorization code for access/refresh/ID token will be necessary if you do not request id_token in the initial authorization request and you need users identity to proceed. You can then fetch it as per Retrieve the User’s Information from Apple ID Servers
I have configured my client to use Hybrid flow with a grant type of password and offline. The user is able to generate an access token and the response does include a refresh token.
My question is I do not see documentation on how to use the refresh token for non .Net environments. Specifically I am curious if any body has a sample refresh flow in another language or Postman that shows which endpoints to hit and what the request needs to look like when the user requests a new token via the refresh token.
Thanks in advance,
G
This is documented at http://docs.identityserver.io/en/latest/endpoints/token.html
The token endpoint can be used to programmatically request tokens. It supports the password, authorization_code, client_credentials and refresh_token grant types). Furthermore the token endpoint can be extended to support extension grant types.
Example
POST /connect/token client_id=client1&client_secret=secret& grant_type=refresh_token&refresh_token=hdh922&redirect_uri=https://myapp.com/callback
I have created OAuth 2.0 Playground access tokens using the following info:
Select & Authorize APIs: https://www.googleapis.com/auth/consumersurveys https://www.googleapis.com/auth/userinfo.email
GET https://www.googleapis.com/consumersurveys/v2/surveys
This works (for me it returns a list of surveys I had created previously).
However, when I create access tokens using Postman OR retrieve them from AspNetUserClaims table those access tokens don't work.
Example #1: I get an access token in Postman for Google and add it to the Header (a checkmark appears for Bearer and token). I press Send in Postman and it returns "Invalid_Credentials". In case the token is expired or invalid, I delete it and create a new one to use in the header. Still fails.
POSTMAN info:
Auth URL: https://accounts.google.com/o/oauth2/auth
Access Token URL: https://accounts.google.com/o/oauth2/token
Client ID: hidden
Client Secret: hidden
Scope: https://www.googleapis.com/auth/userinfo.email
Grant Type: Authorization Code
Request access token locally is checked.
Example #2: I use the Google Sign-On button on my dev site which generates an access token that is then stored in the AspNetuserClaims table. I copy that access token into Postman (a checkmark appears also) and press Send and it also returns "Invalid_Credentials". In case the token is expired, I delete the newly created account and access token from all the AspNet user tables and try it again. Still fails.
Why is this only working with OAuth 2.0 Playground tokens in Postman? They are all newly generated tokens through the Postman token wizard or newly registered user accounts or the OAuth2.0 Playground wizard, but only the OAuth2.0 Playground tokens actually work...
Figured this out.
I believe the issue was that the access token in Postman required more scopes to authenticate me fully, which makes sense since this API contains surveys that I am trying to access, which are also linked to a Google account. This started working only after I added the consumersurveys.readonly scope (using A SPACE) along with the userinfo.email scope, as outlined below.
This SCOPE SETTING alone didn't work:
https://www.googleapis.com/auth/userinfo.email
This SCOPE SETTING with more permission to this API DID work!
https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/consumersurveys.readonly
More info on adding scopes to C# code can be found here: http://www.oauthforaspnet.com/providers/google/
Hope this helps anyone else out there who runs into a similar issue.
I have an Authorization server based in Oauth2. Together with the access token an refresh token is sent too.
I can get a resource with the access token and when it expires I request a new one with the refresh token.
However I can get a resource with the refresh token too... is it a typical behavior of Oauth2? I thought this refresh token was only for request new access tokens and not for get protected resources too.
Thanks.
I was getting the same question when i was use Oauth2 implementation in my project. Could you please see this presentation Oauth2! which help a lot what is refresh token , access token when we use both what it does everything it covers and if its same or not also.
I'm interacting with a custom APEX service which obviously require OAuth authentication. I can easily authenticate and authorise my application. Everything works fine.
However, the access token I receive tends to expire.
Of course, I can refresh it by sending a refresh_token. Sounds great.
The problem is I don't receieve a refresh_token in a response from SalesForce.
I do send requests to [instance].salesforce.com/services/oauth2/token, I also tried to using login.salesforce.com/services/oauth2/token, but I cannot find 'refresh_token' in the response. There's everything apart from it there!..
Please check Selected OAuth Scopes section, which is needed to be enabled Perform requests on your behalf at any time in order to get the refresh token.
Сreate > Apps > API (Enable OAuth Settings) > Selected OAuth Scopes.
I've solved the problem thanks to my wonderful colleague.
I should have added 'refresh_token' to the scope when retrieiving an auth code.