Just a quick question to make sure I understand MS graph's refresh token expiry:
If a refresh token is expired (for instance, in some configs after 90 days), is there any way to still get a new refresh token? If not, should the permissions for the apps be configured anew (in other words, should a new connection with MS be made and approved by either user or admin?)
MS graph's is not responsible for the refresh token. The authentication process is handled by Azure AD So, Microsoft Graph simply accepts the tokens Azure AD issues.
Related
I use Azure Cost Management connector to retrieve data directly info Power Bi. There is an authentication process which based on personal account generate OAuth token (automatically). Token is valid only 1hour. Am I able to have longer expiration time? I've added new policy but it's only for service principal, not for personal account.
Approach 1
By default, the Expiration token is available for 1 hour or 60-75 minutes max depending on the reliability of service, and you cannot increase the access token session lifetime for User Accounts, As Access token lifetime policies can only be applied to Service principal and not User Account, Also It’s a not a recommended practice to increase the User Session to avoid malicious activity. Please refer this document: https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes#create-a-policy-for-web-sign-in
“This can be set for all apps in your organization or for a specific service principal. They can also be set for multi-organizations (multi-tenant application).”
Approach 2
Instead of increasing the access token expiry, you can refresh the access token before its expiration time.
Method 1:
You can set one custom function to create a refresh token and get the access token in response for your user accounts like the answer provided in this Power BI forum - [https://community.powerbi.com/t5/Power-Query/Channel-Advisor-API-Connection-with-auth-key-creation/td-p/2208091]
nd then use the response token to access Azure billing data in Power BI.
Method 2:
The Access tokens are either Azure AD token for organizational users or Embed token that can be sent to your customers accessing your data. As you are using Azure AD token, you can refresh the Token by below methods:
Directly via setAccessToken API
await report.setAccessToken (newAccessToken)
Manually via getNewUserAccessToken().
This Function will call the application at backend and will generate and refresh the access token.
Automatically by setting an Event hook in your embedding configuration and calling the event hook to generate new token before the expiration time of the current token set accessTokenProvider function parameter in the embed configuration. Once the token is close to expiry it embeds config calls the accesstokenProvider and gets the new token.
Is there anyway to get a permanent oauth2 token for Google Sheet API or a semi permanent ?
The one I'm using right now expires once every 7 days which is not very helpful.
If not, is there any alternative for an online spreadsheet application that you can connect with python ?
This depends upon what you are doing if you are accessing a sheet that you own personally then you could use a service account. Service accounts are preauthorized and will not expire.
If you are access sheets that are owned by your users then you will need to use Oauth2. If you request off line access then you will get what is called a refresh token. Refresh tokens can be used to request new access tokens when the access token expires.
As you say that the token is expire after seven days implies that you are using an a refresh token currently. However you have not set your project in google cloud platform to production. As it is still in testing your refreshtoken will expire after seven days.
A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.
How to switch to production.
Go to Google cloud console for your project
Find the Oauth consent screen on the left.
Click got to production
I tried to add YouTube Video from the third party and After one day, I got the success in doing so. But While uploading a video the access token is required and in order to get that access token the user must be logged in. And the expiration time for that access token is 3600 seconds( 1 hr).
Now, There are some of my questions regarding this.
Is there anyway, by which I can refresh access token.
If some one has G Suite account, then Is there any special values for expiration time, or it remains the same?
As per the documentation, I can have maximum 50 tokens, So is there any alternative for it, So that I can get valid token after 50 requests.
To answer your question for number 1, you can check the documentation here.
Access tokens periodically expire. You can refresh an access token
without prompting the user for permission (including when the user is
not present) if you requested offline access to the scopes associated
with the token.
If you use a Google API Client Library, the client object refreshes the access token as needed as long as you configure that
object for offline access.
If you are not using a client library, you need to set the access_type HTTP query parameter to offline when redirecting the
user to Google's OAuth 2.0 server. In that case, Google's
authorization server returns a refresh token when you exchange an
authorization code for an access token. Then, if the access token
expires (or at any other time), you can use a refresh token to obtain
a new access token.
Requesting offline access is a requirement for any application that
needs to access a Google API when the user is not present. For
example, an app that performs backup services or executes actions at
predetermined times needs to be able to refresh its access token when
the user is not present. The default style of access is called online.
About the G Suite account, it was stated 24 Hours in the documentation. Note:
In this SO post answer, the function of Access Token and Refresh Token was discussed.
I am not sure if there are ways to alter the limits because of security reasons.
To clearly differentiate these two tokens and avoid getting mixed up,
here are their functions given in The OAuth 2.0 Authorization
Framework:
Access Tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The
client uses the access token to access the protected resources hosted
by the resource server.
Refresh Tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server
and are used to obtain a new access token when the current access
token becomes invalid or expires, or to obtain additional access
tokens with identical or narrower scope.
I have implemented openid connect authentication using azure active directory in my website. The session expires every 1 hour. So the user is logged out, and redirected back to the login page. While analyzing based on it, i have found a solution in the below link, to use UseTokenLifetime = false
https://github.com/aspnet/Security/issues/147
Will this fix my issue? or is there any chance of increasing the session time?
Thanks in advance
Dinesh
Read here to learn more about Configurable Token Lifetime
In general, access tokens have a very short lifetime. This is intentional. Your web application should be using the refresh token which comes with your access token to acquire new access tokens once the original one expires.
When you get an access token and refresh token (assuming all default settings), the access token will last up to one hour. The refresh token will allow you to get a new access token + refresh token pair for up to 14 days. The new refresh token you get will last another 14 days, allowing you to chain new access tokens up to a total of 90 days, where you will need to eventually ask the user to sign in again.
You have the ability to configure token lifetimes such that your "refresh token chain" will never expire, however any individual access token or refresh token will eventually expire.
I am using Google Drive API(C#) with service account as mentioned in
https://developers.google.com/drive/delegation
I am able to work with DriveService object, but after 1 hr, it errors out with exception: "The remote server returned an error: (401) Unauthorized."
I know, by setting "access_type" to "offline" we could solve this problem, but I am not able to set this property for DriveService object.
Does anyone know how to refresh this Google Drive Service object?
Thanks in advance
Service accounts come with a private key - and that's their moral equivalent/superset of the refresh token that is returned as a result of a user-driven consent flow.
When a user consents to offline access (via a web server or similar OAuth flow) a refresh token is returned that can be swapped (along with the client secret) at any time for an access token.
In the same manner a service account private key can be used to sign an assertion that can also be swapped for an access token - that's useful for cases where no user is present to accept a consent screen, or where you are performing work on behalf of other users in your organization.
Once you get an access token it is treated in the same way - and is expected to expire after 1 hour, at which time a new access token will need to be requested, which for a service account means creating and signing a new assertion.
Generally noticing that the access token is expired and requesting a new one is taken care of for you by the Google client libraries - although I'm not familiar with the C# version. If you could share your code that creates the DriveService object that would be helpful.
When you set offline access mode, your app gets a refresh token when the user logs in for the first time.
access_type ::
Indicates if your application needs to access a Google API when the
user is not present at the browser. This parameter defaults to online.
If your application needs to refresh access tokens when the user is
not present at the browser, then use offline. This will result in your
application obtaining a refresh token the first time your application
exchanges an authorization code for a user.
You later use this refresh token to obtain a new access token, once the current access token expires. Basically, your app would then hit the token exchange endpoint (POST to https://accounts.google.com/o/oauth2/token) with the refresh token and your client credentials - google with then issue a (refresh token + access token) pair to you.
See this link for further clarification.
EDIT - I checked the Service Account documentation and found a sample C# app that fetches and uses refresh tokens too. See it here.I hope this one helps.