TFS 2018 PAT Tokens and AD account password change? - tfs

If I create a Personal Access Token for TFS 2018 for 180 days and then change my Active Directory password, do I need to update the token, or is the token good for 180 days? Do tokens have to be recreated if I change my password in AD?
Thanks

No, you don't need to recreate the PAT if you change your password in AD. PAT and user/password are different authentication mechanisms.

Related

Microsoft Graph refresh token expiry

Just a quick question to make sure I understand MS Graph's refresh token expiry:
If a refresh token has expired (for instance, in some configurations after 90 days), is there any way to still get a new refresh token? If not, do the permissions for the apps have to be configured anew (in other words, does a new connection with MS have to be made and approved by either a user or an admin)?
Microsoft Graph is not responsible for the refresh token. The authentication process is handled by Azure AD, so Microsoft Graph simply accepts the tokens Azure AD issues.

Unable to renew Personal Access Token (PAT) from web portal on TFS2018

I was able to renew/change the PAT expiry in the drop-down box from 30 days to 1 year from the TFS web portal.
But now I am unable to renew a token created on 11/5/2018. This caused multiple of our builds to fail.
How do I renew this kind of token? Did I miss a setting?
Besides, is it possible to auto-refresh PAT tokens so CI jobs can run without having to manually refresh tokens?
This is working as designed. One PAT can only be used for a maximum of one year.
If the PAT was created for 90 days at the beginning, when it expires you can choose to change it to 180 days or 1 year. But if you start with 1 year and it expires after that year, you can only add another new token.
We appreciate the idea of having a function to auto-refresh PAT tokens.
However, we don't have API support for this, and trying to automate PAT generation or extending the expiry of a PAT also falls outside security best practices.
You'll have to manually refresh the PAT each year. We do send you an expiry notification 7 days before the expiry of a PAT.

Need Non expiry access Token OR generate the access token for *pre-configured* account

My requirement is to generate the access token for a pre-configured account.
For example, we will configure the username and password for a Google account in our own configuration settings; when uploading a file from our application, we need to generate the access token for those configured credentials. Kindly validate and assist me.
Access tokens are valid only for 1 hour. Since you have the username and password you can use them to generate access tokens every hour, but your question is missing a lot of important points:
Which OAuth provider are you using, Google or Azure AD?
Which OAuth flow are you going to use? Password credentials flow or something similar?
You can use any of the OAuth providers out there. Refer to this link and choose your scenario: https://developers.google.com/identity/protocols/OAuth2
I believe you can use the authorization code grant flow for your scenario.
In the authorization code grant flow you get both an access token and a refresh token. The refresh token is long-lived, so you can use it to generate new access tokens every hour.
https://developers.google.com/identity/protocols/OAuth2InstalledApp#libraries
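The pattern the answer describes (keep the refresh token, mint a fresh one-hour access token whenever the current one is about to expire) as an added example; this is not code from the original thread or from Google's client libraries. It assumes a Google-style token endpoint that takes grant_type=refresh_token and returns access_token/expires_in, and the network call is injected so the block runs offline against a constructed stand-in endpoint.

```python
"""Keep a Google-style OAuth 2.0 access token fresh using a long-lived refresh token."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Google's real token endpoint. Not contacted here: the endpoint callable is injected.
GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"


class ReauthorizationRequired(Exception):
    """The refresh token was rejected; the user must go through the consent flow again."""


@dataclass
class TokenManager:
    client_id: str
    client_secret: str
    refresh_token: str
    # Callable taking the form body and returning the JSON response as a dict.
    token_endpoint: Callable[[Dict[str, str]], Dict[str, object]]
    clock: Callable[[], float] = time.time
    skew: int = 60  # refresh this many seconds before nominal expiry
    refresh_count: int = field(default=0, init=False)
    _access_token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def access_token(self) -> str:
        """Return a usable bearer token, refreshing only when needed."""
        if self._access_token is None or self.clock() >= self._expires_at - self.skew:
            self._refresh()
        return self._access_token

    def _refresh(self) -> None:
        # Form body for the refresh_token grant (client_secret is omitted for public clients).
        body = {
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.refresh_token,
            "grant_type": "refresh_token",
        }
        resp = self.token_endpoint(body)
        if "error" in resp:
            # invalid_grant means the refresh token itself is dead (revoked, expired,
            # or invalidated by the provider); only a new authorization fixes that.
            raise ReauthorizationRequired(str(resp["error"]))
        self._access_token = str(resp["access_token"])
        self._expires_at = self.clock() + int(resp["expires_in"])
        self.refresh_count += 1


def make_fake_endpoint(valid_refresh_token: str, lifetime: int = 3600):
    """Constructed stand-in for the token endpoint; issues a distinct token per call."""
    calls = {"n": 0}

    def endpoint(form: Dict[str, str]) -> Dict[str, object]:
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") != valid_refresh_token:
            return {"error": "invalid_grant", "error_description": "Bad Request"}
        calls["n"] += 1
        return {"access_token": f"ya29.fake-{calls['n']}", "expires_in": lifetime, "token_type": "Bearer"}

    return endpoint


def demo():
    """Two calls within the hour reuse one token; a call an hour later triggers a refresh."""
    now = [1_700_000_000.0]  # constructed clock so the demo is deterministic
    tm = TokenManager("client-id", "client-secret", "1//refresh-xyz",
                      make_fake_endpoint("1//refresh-xyz"), clock=lambda: now[0])
    first = tm.access_token()
    same = tm.access_token()
    now[0] += 3600
    later = tm.access_token()
    return first, same, later, tm.refresh_count


def demo_revoked() -> str:
    """A refresh token the endpoint no longer accepts forces re-authorization."""
    tm = TokenManager("client-id", "client-secret", "1//stale",
                      make_fake_endpoint("1//refresh-xyz"))
    try:
        tm.access_token()
    except ReauthorizationRequired as exc:
        return str(exc)
    return "no error"


if __name__ == "__main__":
    print(demo(), demo_revoked())
```

For real use, pass `lambda form: requests.post(GOOGLE_TOKEN_URL, data=form).json()` as the endpoint; the username and password the asker wanted to store are then never needed at runtime, only the refresh token obtained once through the consent flow.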

Can I explicitly change expiry time of Access token generated from Authorization Code Grant Flow in OAuth 2?

In my application I am using OAuth 2 authorization and get an access token from an authorization code; the token expires after 8 hours. Is there any way I can increase this expiry time? The default expiry time I get is 28800 (8 hours); I want it to be 30 days or 60 days. Is that possible? I know this is possible with the implicit grant flow, but if I want to continue with the authorization code grant flow, is it possible?
Thanks.
You cannot increase the life of an access token beyond a certain limit, for security reasons. These tokens are supposed to be short-lived. One thing you can do is allow issuance of refresh tokens for offline access. So, if the access token is expired or about to expire, the (secure) client can talk to the authorization server and get a fresh access token issued.
You won't be able to modify the token itself, as it's signed by the STS before being issued to you. If you were to modify the field itself, signature validation would fail when you bear the token. As dvsakgec said, this token is meant to be short-lived, and the correct pattern is to use the refresh token to obtain fresh access tokens when it has expired. For most identity providers the refresh token never expires, so you can always get a new access token.
Now, some identity providers will allow you to configure the token lifetime through their developer tools. It depends on the provider. There is no hard-line guide for token expiration; it's whatever the identity provider decides.
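Why editing the expiry does not work, as an added example rather than code from the thread: an HS256-signed JWT (the shape most STSs issue) is built with the asker's 28800-second lifetime, then its exp claim is rewritten while keeping the original signature. The verifier rejects the edited token on the signature check before it ever looks at exp. The signing key and claim values are constructed for the demo; only the standard library is used.

```python
"""Show that extending a signed token's exp without the STS key breaks verification."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT; this is the step only the STS can perform."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(_compact(header))}.{_b64url(_compact(claims))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Resource-server side: check alg, signature, then exp. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def extend_exp_without_key(token: str, extra_seconds: int) -> str:
    """What the asker would have to do client-side: rewrite exp, keep the old signature."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["exp"] = int(claims["exp"]) + extra_seconds
    return f"{h}.{_b64url(_compact(claims))}.{s}"


def outcome(token: str, key: bytes, now: int) -> str:
    """Reduce verify_jwt to a short status string for comparison."""
    try:
        verify_jwt(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


STS_KEY = b"constructed-sts-signing-key"  # constructed; a real STS key never leaves the STS
ISSUED_AT = 1_700_000_000
LIFETIME = 28800  # the asker's 8 hours


def demo():
    token = sign_jwt({"sub": "user1", "iat": ISSUED_AT, "exp": ISSUED_AT + LIFETIME}, STS_KEY)
    tampered = extend_exp_without_key(token, 60 * 24 * 3600)  # try for 60 days
    return (
        outcome(token, STS_KEY, ISSUED_AT + 100),           # fresh token: ok
        outcome(token, STS_KEY, ISSUED_AT + LIFETIME),      # 8 hours later: token expired
        outcome(tampered, STS_KEY, ISSUED_AT + LIFETIME),   # edited exp: bad signature
    )


if __name__ == "__main__":
    print(demo())
```

The only party that can produce a token with a longer exp is the holder of the signing key, which is why lifetime is a provider-side setting and the client's job is to refresh.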

Why Office365 OAuth2 refresh token expires when password changes?

I'm testing the use of OAuth2 for MS Office 365 in order to read calendar events, and just read the following in this blog post:
...the refresh token, while long living, becomes invalid at some point too. One example is if the user changes their password, refresh tokens become invalid.
From my experience with other OAuth2 providers, the refresh token should not expire when users change their passwords (isn't that one of the main purposes of the token, to allow password-independent access?).
Am I missing something? What is the reason behind expiring the refresh tokens when the password changes?
A password change may happen after a password breach. Access and refresh tokens may have been issued during the time between the breach and its detection; these tokens would need to be revoked as well as the password reset. To simplify administration of that (the exact time of the breach may be very hard to determine), all access is revoked and needs to be explicitly re-assigned by the Resource Owner.
Normally users do not change their passwords without a reason. One of the reasons is that the user might think their password has been leaked. In such a case it is not clear which of the refresh tokens (logins) are authentic and which are from a possible hacker.
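The revocation rule both answers describe, as an added example that is not part of the original thread and not Azure AD's implementation: an authorization-server token store that, on password change, invalidates every refresh token the user obtained before that moment, because it cannot tell the user's own sessions from an attacker's. Token IDs, users and timestamps are constructed for the demo.

```python
"""Authorization-server side: invalidate all of a user's refresh tokens on password change."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class RefreshToken:
    token_id: str
    user: str
    issued_at: int
    revoked: bool = False


class RefreshTokenStore:
    def __init__(self) -> None:
        self._tokens: Dict[str, RefreshToken] = {}
        self._password_changed_at: Dict[str, int] = {}

    def issue(self, token_id: str, user: str, now: int) -> RefreshToken:
        tok = RefreshToken(token_id, user, now)
        self._tokens[token_id] = tok
        return tok

    def on_password_change(self, user: str, now: int) -> int:
        """Revoke every outstanding refresh token for the user; returns how many were hit.

        The server cannot distinguish the legitimate owner's tokens from ones an
        attacker obtained with the leaked password, so it revokes all of them.
        """
        self._password_changed_at[user] = now
        hit = 0
        for tok in self._tokens.values():
            if tok.user == user and not tok.revoked and tok.issued_at <= now:
                tok.revoked = True
                hit += 1
        return hit

    def is_valid(self, token_id: str) -> bool:
        tok = self._tokens.get(token_id)
        if tok is None or tok.revoked:
            return False
        # Second line of defence: a token that predates the last password change
        # is rejected even if the sweep above somehow missed it.
        return tok.issued_at >= self._password_changed_at.get(tok.user, 0)


def demo() -> Dict[str, bool]:
    """Timeline: alice logs in, an attacker logs in with her leaked password,
    alice changes her password, then logs in again. bob is unaffected."""
    store = RefreshTokenStore()
    store.issue("alice-legit", "alice", now=100)
    store.issue("bob-legit", "bob", now=150)
    store.issue("alice-attacker", "alice", now=200)  # issued to whoever held the old password
    store.on_password_change("alice", now=300)
    store.issue("alice-new", "alice", now=400)       # obtained with the new password
    return {
        "alice-legit": store.is_valid("alice-legit"),       # False: could not be told apart
        "alice-attacker": store.is_valid("alice-attacker"),  # False: the one we wanted gone
        "alice-new": store.is_valid("alice-new"),            # True
        "bob-legit": store.is_valid("bob-legit"),            # True: other users untouched
    }


if __name__ == "__main__":
    print(demo())
```

The cost is exactly what the asker observed: the legitimate client's refresh token dies too, and the user has to re-consent, which is the deliberate trade-off between convenience and cutting off an attacker whose login time is unknown.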