I generated a personal access token for QUIP, but it only shows "invalid access token" whenever I run a call using postman. Can I use the personal token to do this? Or do I need another access token from the admin?
Related
I need to get an access token for my server to user without a user having to authenticate.
I do this for DropBox and want to do it for OneDrive.
I have a service that needs to save files in its own OneDrive acct and then also copy some files to users' accts.
For the user we will authenticate with either the Token or Code flow. However, for the server I just want to have access token. In DropBox you get the access token on the App Settings page, but I can't figure out how to do it for Graph
Assuming you're talking about OneDrive Business, it sounds like you want to get an app-only token. Such a token will require a tenant administrator to consent, but after that it can access the service without any user.
If you're talking about OneDrive Personal the scenario isn't possible - all tokens are required to have app and user claims, and therefore require to sign in.
I am trying to get an access token to upload large files as described in the docs.
I am using client credentials grant flow to get access token per the documentation. I got an access token using that flow.
I tried to use that access token with this URI:
/v1.0/users/{userId}/drive/items/{itemId}/createUploadSession
but it gives me an error that "AccessDenied Either scp or roles claim need to be present in the token"
I have granted admin permission for the app. I have tried this flow in both postman and in coding but both give the same error.
Well as Marc pointed out Sites.ReadWrite.All was the only permission i needed, it was just that permission had not been accepted by admin.so the roles were not visible in my access token.Now i am able to call graph api using that access token.
My expecting requirement was to generate the access token for
pre-configured account
For example,
We will configure the username and password for google account in our own
configuration settings, while upload the file from
our application, we need to generate the access token for those configured
credential . Kindly validate and assist me.
Access tokens are valid only for 1 Hr, Since you have username and password you can use the same to generate access tokens every 1hr but your question is missing lot of important points,
Which OAuth provider are you using google/Azure AD?
Which OAuth flow you are going to use? Password credentials flow something similar
You can use any OAuth providers out there. Refer to this link and choose your scenario https://developers.google.com/identity/protocols/OAuth2
I believe you can either use authorization code grant flow for your scenario
In Authorization grant flow you get both access token and refresh token and refresh token is long live, you can use refresh token to generate new access tokens every hour.
https://developers.google.com/identity/protocols/OAuth2InstalledApp#libraries
I'm trying to secure my endpoint using open Id connect. Currently there is only a mobile app client. With Google as the Identity provider, I have Id_token and access_token.
My question is can I use this access token returned as a part of authentication to authorize user to access my endpoint?
If yes, Is there a way to validate the access token within my server?
Or Should I create an access token for the user and store the same, so that when the user requests, I will check in the DB/Redis ?
OpenID connect is an Authentication layer on top of the "Authorization" framework OAuth 2.0. So the Access Token is the "Authorization" for the OAuth Client to access the resource.
Perhaps this post may help.
As #jwilleke mentioned, OAuth2.0 doesn't specify a way in which an access token can be validated with Authorization server.
Hence the approach that I took was to verify the JWT Id token by checking the signature of it and storing the access token returned along with it.
I would like to use the oauth2 token permanently in my website.
Using google API, when the user giving permission to manage their google calendar, I am getting the access token from google API. I want to save it in database and use it for the last long.
But it is getting invalid. I tried to refresh the token using the oauth2 refresh token API. But getting the error as follows.
Array ( [error] => invalid_grant [error_description] => Token has been expired or revoked. )
I don't want the user to give the permission each time when he enters the website.
I would also like the admin need to access the user's calendar using this token or any other way if it is.
How can I achieve this?
Instead trying to get the permanent token, I am using the refresh token option.
When I call the google calendar using tag, I have added the parameter like "access_type=offline" as follows
$login_url = 'https://accounts.google.com/o/oauth2/auth?scope=' . urlencode('https://www.googleapis.com/auth/calendar') . '&redirect_uri=' . CLIENT_REDIRECT_URL . '&response_type=code&client_id=' . CLIENT_ID . '&access_type=offline';
After the user allows, I'll get access_token with refresh_token as response. I am saving those in database. Then everytime, when the user's calendar access by the admin, will get the new access_token using the refresh_token that is stored in the database through the refresh_token api call until the user use the unsynchronize option in my site.
Once the user unsynchronized the calendar, I'll update the database.
Problem is resolved.
Bottom line is you can't get a permanent token - but you can mitigate the need for your user to re-supply credentials.
The solution depends what grant type you are using (which depends largely on whether your application runs on a server or or a end-user's machine). You mention a website so hopefully you use a grant type which returns a refresh code too.
If your app runs on a server and you get a token via the authorisation code grant then you should be able to also get a refresh token when you get an access token. You can use that refresh token to request new refresh/access tokens on a back-channel, without need of your user, or their credentials.
Effectively you should then have long-lived access to your user's google resources providing the user doesn't revoke access.
If you use other grant types, like implicit grant, then you can't get a refresh token. You will need to regularly obtain a new access token. If your user remains logged-in to google on the device your app is running on then they should not be required to supply their google credentials when you request a new access token, so you won't be constantly pestering them for credentials.