Current OAuth2.0 accesstoken is dynamic and generated for every 3396 seconds. I am using few APIs which needs this token to be used as header. Is there any way to create a permanent static accesstoken and store it somewhere so that I don't need to dynamically create one everytime.
Can you use session storage? Check out the session storage live times, ie, when does session storage reset.
https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage
The Access Token is short lived by design. You have three options:-
Create a Refresh Token
Silently obtain a new access token each hour
Use a Service Account
which option is best for you depends on the architecture of your app.
Related
To my understanding, it can create a short live access token. But does it have a single use access token that is similar to what the Authorization code is?
What is the best approach in doing it? I have thought about using refresh token, but that is still short live, not single(one-time use).
OR can it do it this way:
App1 needs to get an access token from IS4 to call App2, but that token can be used once only. Can the IS4 keep something in the state and App2 needs to call the introspection endpoint of IS4 (rather than local validation of the JWT) and the IS4 checks its state and allow it once?
Thanks in advance.
You can configure IdentityServer to put a unique value (the jti claim) into an access token. That's a client setting.
This can be used to maintain a replay cache at the API to reject token that are used more than once. The token lifetime helps to trim the cache.
How I can enable multi resource support in iOS using ADAL.Searched in so many sites, but finding it difficult to understand the flow with multiple resources, with Refresh Token and Access Token.Can anyone explain this flow briefly please?
According to library, ADTokenCacheStoreItem will have accessToken will be nil, in case the item stores multi-resource refresh token.But whenever I will call acquireTokenWithResource:clientId:redirectUri: I am getting both access token and refresh token.How I can tell the library that mine is multi source request.Is there any settings I need to do?
/*! The access token received. Should be nil, in case the item stores multi-resource refresh token. /
#property NSString accessToken;
And also , do I need to call the acquireTokenWithResource:clientId:redirectUri every time before calling each API with or without different end points.Or is it my responsibility to cache/store the access token and expiry date for each resource?
Also how I can handle silent login in multi resource case?
With ADAL, you simply need to call some form of acquireToken* each time your application needs an access token, presumable to make an API call. ADAL should take care of token caching, refreshing, etc for you. You shouldn't ever have to manually use refresh tokens.
Refresh tokens from Azure AD are inherently "multi-resource". That is, you can ask for an access token to resource 1, receive that access token + refresh token pair, and then use the refresh token to get an access token to resource 2. This allows you to get tokens for different resources "silently", meaning the user only has to sign-in once.
currently I'm developing a gem (in ruby), which needs to access files in google drive. The whole authorization is done by OAuth2.0. Therefore I provide the client_id and client_secret in order to get an access token along with a refresh token. I store both in a database to access them anytime in the future. After 3600 seconds the access token is expired and I need to refresh it using the refresh token. Here comes the tricky part.
Can I get a new access token with a refresh token only? I'm refering to platforms like nimble. I registered once and have access to my files. But I still have access to my files on the next day, which means that they refreshed the access token somehow. Do they store my id and secret or what is the magic behind this? Or do they use SSO? And if so how can I get an access token from SSO?
Thanks for any advices.
Best regards
P.S.: I don't want to store the client id and secret, since these is sensible information, which I don't want to get stolen. Also encrypting it is not an option (so far).
I am using Scribe to access the LinkedIn API. I am saving the Access Token along with the Access Token Secret in the database and use them every time I call the API.
The Access Token is supposed to expire 60 days after it has been generated.
I would like to automatically refresh the access token before it expires. I couldn't find a way to do it programatically without the user intervention.
You are not supposed to be able to refresh the access token without the user's intervention. The system was designed this way in order to protect the user's data from being accessed indefinitely.
Linkedin wants to ensure that you cannot access the user's data unless they are actively using your application. To me, if a user doesn't visit your application within 60 days, it means that they aren't using it, and you should not be able to access that data.
I hope this helps.
#params={:"oauth_token"=>"XXXXXXXXXXX",
:oauth_token_secret=>"XXXXXXXXXXX",
:oauth_expires_in=>"5184000"}
I'm trying to add authentication feature to my application.
The authentication server implements oauth 2.0
I'm not sure how to save the refresh_token. I want to save it to a file, so next time when the application starts and there is a refresh_token available, it can ask for a new access_token. The user won't need to re-login again.
But this doesn't sound secure to me, because if someone copies my file that has the refresh_token to another computer, he can hack into my account.
You are correct with the attack that you describe. Refresh tokens have to be stored securely in order to be used as intended. As I understand, you are building a standalone application. Therefore, you can rely on file system security to prevent a refresh token being copied by an unauthorized user. You may want to use encryption for the refresh token, too, but the key would need to be bound to a user's session at your local machine (otherwise, the user would need to provide it during "sign in" process in order for the application to decrypt the refresh token).
Consider reading the thread from the OAuth WG, that discusses similar problems to the one described and provides some guidance:
https://www.ietf.org/mail-archive/web/oauth/current/msg02292.html
Refresh tokens are used to obtain access (this process requires HTTP Basic Auth). So, unless user has your (id,secret) combination he can't do much about it. However, storage of refresh token must be considered very seriously.
Here's my two cents:
Store your tokens in a DB
Whenever you use refresh token to obtain access token reset the refresh token as well. (Oauth2.0 has this feature, you can let the refresh token unchanged too, but it's wise in terms of security perspective to keep it changing and updating the DB)
Hope this gives some insights!!
You are right about your concern - you should not save the refresh token. By doing so, you jeopardize your client's data (and you know the reason; you wrote it in the question).
oAuth is not supposed to work this way.
You should keep the refresh token in-memory.