We're using Aws Cognito with Oauth 2.0 and we're wondering, if cognito supports Refresh Token Rotation according to the Oauth 2.0 specification (https://www.rfc-editor.org/rfc/rfc6819):
The basic idea is to change the refresh token value with every refresh request in order to detect attempts to obtain access tokens using old refresh tokens
When we're using the Aws .net sdk to refresh our tokens:
await user.StartWithRefreshTokenAuthAsync(authRequestRefresh).ConfigureAwait(false);
...we're not getting a new refresh token back. The only way to get a new refresh token, is by doing a new login:
await user.StartWithSrpAuthAsync(authRequest).ConfigureAwait(false);
Thanks for your help!
Kind regards,
Peter
Cognito doesn't support refresh token rotation. You can however change the number of days a refresh token stays valid for an app client.
Related
I used B2C and MSAL to configure the SPA certification.
Then, the backend API access token, refresh token, and ID token are obtained from B2C and stored in localstorage.
However, after about an hour I noticed that the access token was disabled.
At this time, I believe I can use a refresh token to update my access token.
I am a beginner and would be grateful if you could give me a sample or something.
Thank you in advance.
MSAL takes care of refresh token for you.
What you should do is always ask a token from MSAL before using one.
If it needs to refresh it using a refresh token, it will just do that behind the scenes.
You can see an example here: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-acquire-token.
There it shows a general pattern where you first try acquireTokenSilent, and if that fails, use a popup/redirect to get new tokens.
I'm making a function to post to google my business automatically by using Google my business API by javascript and firebase. The access token is obtained by authentication using Google Sign In.
However, the access token has an expiration date, so I have to renew it using a refresh token.
Can I use the "user.refreshToken" shown in the image below as the refresh token to be used in this case?
Thanks in advance.Data retrieved upon sign-in
Yes, you are right. In general, the refresh token in an OAuth2.0 flow can be used to retrieve a new access token, which can then be used again to access resources. The refresh token normally has a much longer expiration date than the access token hence you can implement functionality like "remember me" using the refresh token.
We are using OAuth to get Access Token and Refresh Token. But Access Token is getting expired fast.We need token with long validity.
How can we achieve this?
In Dynamics CRM, Access tokens are expired in 3600sec. But refresh token will not expire. So you need to generate the new
accesstoken using the refresh token.
If you want refer below page, It will useful for you.
https://learn.microsoft.com/en-us/previous-versions/azure/dn645542(v=azure.100)
I am using Google APIs in my application and the oauth2 refresh token expires after 1 hour. I am using this refresh token to execute a task which runs daily. I create the refresh token using the OAuth2 playground. Is there a way to extend the expiration time of a refresh token? (1 month)
I think that you have your terms confused here.
As per Oauth2 access tokens expire after one hour. Access tokens are used to request access of an api and return the data that you need. There is no way to extend the lifetime of an access token beyond one hour. You need to use a refresh token to request a new access token.
Refresh tokens are extremely long lived and do not normally expire. Refresh tokens are used to request a new access token. Refresh tokens for the most part do not expire if one is not used in six months though google will automatically expire it. Also if the user removes your access then the refresh token will also automatically expire.
If you are creating your refresh token using the Outh2 playground which is intended only for testing purposes it will also expire.
If you are using the oauth2 playground to create your refresh token then you should not be doing this you should be creating your own application to request the tokens.
As already explained the refresh tokens created using the OAuth 2.0 Playground are automatically revoked after a few hours because the playground is mainly for testing purposes. However you can configure the OAuth playground to use your own app credentials (use the 'wheely' icon top right). If you use your own app credentials the refresh token will not be revoked.
That said it looks like you want to run a background service that accesses Google APIs. For this you may want to use a Service Account if you are not accessing a specific user's data.
I am using Oauth to access Google Cloud Storage via their JSON API.
All is fine, I authenticate and get an access token which has an expiration of 3600.
What is the correct way to refresh this?
It is my understanding that in other types of oAuth flows (i.e. Web Server), the initial authorization request returns a refresh token as well as an access token, and that the refresh token is used to ask for another access token when the current access token has expired.
But is appears that there is no refresh token when doing server-to-server oAuth with a Google "Service Account"?
Found the answer.
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#expiration
Access tokens issued by the Google OAuth 2.0 Authorization Server
expire one hour after they are issued. When an access token expires,
then the application should generate another JWT, sign it, and request
another access token.