I was checking Token options in TFS 2018 when I realized that if I create a Personal access token I only have a few options for the expiration: 1 year, 180 days or 90 days.
What happens if I choose 1 year? Can I renew it?
Or is it possible to create tokens with a higher duration?
Once a token expires, you have to generate a new one. You cannot extend it. One year is the maximum. If you need an authentication option that is renewable, use an OAuth token.
I have an issue configuring Red Hat Single Sign-On (RHSSO) or Keycloak token expiration in seconds, about 30 seconds.
I just found the configuration in minutes. Is there a way to adjust it to seconds?
From the Keycloak Admin Console it is not possible; Keycloak allows you to specify the access token expiration time in minutes, hours or days, but not in seconds:
However, when one requests a token, the expiration time is displayed in seconds, namely:
{"access_token":"...","expires_in":60,"...}
The least amount of time that you can set via Admin Console is 1 minute. To be honest, I fail to see what would be the great benefit of having 30 seconds instead of 1 minute.
In the Admin Console, if one tries to specify 0.1 (or 0,1) minutes, an error is displayed.
Now that being said, it seems that you can use the RESTful API to get around that restriction. First, request a token on behalf of the admin and extract its access token (let us call it $ACCESS_TOKEN). Then call the following endpoint:
PUT <KEYCLOAK_HOST>/auth/admin/realms/<REALM_NAME>
with the following data
'{"accessTokenLifespan":30}'
Now if you request a token for a client on the Realm REALM_NAME you will get the following:
{"access_token":"...","expires_in":30,"...}
i.e. 30 seconds as the expiration time for the access token.
Now, I have not tested this, so it is up to you to find out if everything still works as it should.
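The REST API workaround described above, carried through end to end: obtain an admin token, PUT a partial realm representation with accessTokenLifespan in seconds, then request a client token and read back expires_in. This is an added example, not code from the answer or from the Keycloak project; KEYCLOAK_HOST, REALM_NAME, the admin credentials and the client credentials are placeholders.

```python
import json
import urllib.parse
import urllib.request

KEYCLOAK_HOST = "https://keycloak.example"  # placeholder, no /auth suffix
REALM_NAME = "demo"                         # placeholder realm


def _post_form(url, fields):
    """POST an application/x-www-form-urlencoded body and decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)


def admin_token(username, password, host=KEYCLOAK_HOST):
    """Password grant against the master realm with the built-in admin-cli client."""
    url = f"{host}/auth/realms/master/protocol/openid-connect/token"
    return _post_form(url, {"grant_type": "password", "client_id": "admin-cli",
                            "username": username, "password": password})["access_token"]


def realm_lifespan_body(seconds):
    """Partial RealmRepresentation for PUT /auth/admin/realms/{realm}; fields that
    are omitted keep their current values. The API takes seconds directly."""
    if not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("accessTokenLifespan must be a positive number of seconds")
    return json.dumps({"accessTokenLifespan": seconds}).encode()


def set_access_token_lifespan(token, seconds, realm=REALM_NAME, host=KEYCLOAK_HOST):
    req = urllib.request.Request(
        f"{host}/auth/admin/realms/{realm}", data=realm_lifespan_body(seconds),
        method="PUT", headers={"Authorization": f"Bearer {token}",
                               "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 204 No Content on success


def token_lifespan(client_id, client_secret, realm=REALM_NAME, host=KEYCLOAK_HOST):
    """Request a token for a confidential client and return the reported expires_in."""
    url = f"{host}/auth/realms/{realm}/protocol/openid-connect/token"
    resp = _post_form(url, {"grant_type": "client_credentials",
                            "client_id": client_id, "client_secret": client_secret})
    return int(resp["expires_in"])


if __name__ == "__main__":
    tok = admin_token("admin", "admin-password")      # placeholder credentials
    set_access_token_lifespan(tok, 30)
    print("expires_in is now", token_lifespan("my-client", "my-secret"))
```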
Refresh Token for Quickbooks expiring after 2 days
Refresh Token for Quickbooks expiring after 1 day
Yes, every 24 hours the refresh token gets changed.
Reference - https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/oauth-2.0#step-5-exchange-authorization-code-for-refresh-and-access-tokens#understand-token-expiration
As per the doc -
Even though the refresh token is valid for 100 days, the value of
refresh token can change every 24-26 hour period. Hence, you might
encounter a situation where the request token that you received first
is different than the latest one. As a best practice, always store the
latest refresh token received from the API response and use that to
make subsequent calls to obtain a new pair of tokens.
We have an OAuth/OIDC service developed in API Connect/Datapower.
When a user requests a new refresh_token - if any unexpected error occurs in the flow, the new refresh_token is not issued, and their existing refresh_token is revoked. This forces the user to go through a new consent flow. This can be problematic if large numbers of customers are affected due to some unexpected error. We would like the old refresh_token to still be valid in this scenario.
We raised this with our IBM support contact - and he said this works as intended (i.e. - it should revoke the old refresh_token as the first action - it is single use, regardless of outcome).
He did suggest that it is possible to configure the refresh_token to be used multiple times until it is revoked/expired.
I am not sure how to do this - or what versions it is supported in. He said '(in 2018.4.1.x)? For v5 gw, use extension to enable it, You will need the latest DP firmware release for the above'. It's been hard to get any clarity on this. The IBM developer forums even directed me to Stack Overflow...
Does anyone have any more information/experience with enabling a refresh_token to be used multiple times? Or what versions this is supported in (or links to any documentation about this)? I'm struggling to find anything concrete on this.
Thanks
I suppose he's talking about the count configuration. It is located just below Enable refresh tokens.
Section 'OAuth 2' -> Tokens -> Enable refresh tokens -> count
Hope this could be helpful
For IBM API Connect version 2018.4.1, you can specify whether the refresh token for OAuth provider is One time use only or not.
See OAuth native provider>Tokens screen.
After an access token expires, if the option is enabled in the OAuth provider API, the application can use refresh tokens. Each refresh token is valid for approximately 31 days after it is issued and can be used only once to request a new access token. Along with the new access token, a new refresh token is also returned.
Does anyone know what the expiration period of an OAuth Access Token on GitLab is?
It's at least 12 hours (from experience), but I would like to know for sure so I don't refresh the token unnecessarily.
PS: GitLab ... it would be very convenient if the expiration were simply returned when getting/refreshing a token (PS: the documentation states that "expires_in": is returned ... BUT IT ISN'T)
From https://forum.gitlab.com/t/missing-expires-in-in-the-token-response/1232/2:
GitLab uses Doorkeeper for OAuth.
The Doorkeeper wiki has an article "Customizing Token Expiration" > https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-Token-Expiration2
This wiki tells us about a configuration "access_token_expires_in". I searched in the GitLab source code and found it set to nil.
This means the 'access_token' will never expire.
Also, this is from https://gitlab.com/gitlab-org/gitlab-foss/-/blob/50d66f5ece57dcfbe074d97703691a8d3c38f4ac/config/initializers/doorkeeper.rb#L42:
# Access token expiration time (default 2 hours).
# If you want to disable expiration, set this to nil.
access_token_expires_in nil
On GitLab, OAuth "access tokens expire in two hours".
Access tokens expire in two hours which means that integrations that use them must support generating new access tokens at least every two hours.
In older versions, OAuth applications could opt-out of access token expiry.
The ability to opt-out of expiring access tokens was deprecated in GitLab 14.3 and removed in 15.0. All existing integrations must be updated to support access token refresh.
2016: It should be 8 hours by default:
lib/gitlab/o_auth/session.rb mentions:
Rails.cache.write("gitlab:#{provider}:#{ticket}",
ticket, expires_in: Gitlab.config.omniauth.cas3.session_duration)
In gitlab.yml, you have:
# SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
# cas3:
# session_duration: 28800
2022: the Expiring access tokens documentation mentions:
no more opt-out of expiring access tokens since GitLab 15.0 (June 2022)
Access tokens expire in two hours which means that integrations that use them must support generating new access tokens at least every two hours.
I have some questions about the access_token usage on server-side web apps.
How should I keep the access_token valid?
Is it possible to check it before making a request, or should I just try to make a request and renew it on error? Or maybe set up a cronjob that renews all the access_tokens?
The expires_in field, is it seconds? Can an access_token expire before this value?
How should I keep the access_token valid?
You can't. It will expire as sure as eggs is eggs. All you can do is get a replacement.
Is it possible to check it before making a request, or should I just try to make a request and renew it if error?
You can check it by referring to the expiration time (1), or try and catch the 401 exception (2).
Or maybe set up a cronjob that renews all the access_tokens?
Yep (3)
Congratulations, you've won a prize by enumerating all three access token refresh policies :-). As to which one should you use, it depends. You need to decide if speed, user experience, or network bandwidth matter most to you. By far the safest is to catch the 401, and refresh, because that deals with all eventualities. With that in place, you may decide to speed things up by doing a refresh after 3550 seconds.
The expires_in field, is it seconds?
Yes
Can an access_token expire before this value?
Good question. I'm going to say yes, if the user withdraws permission to the app. Otherwise no.
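The refresh policies enumerated in this answer, and the QuickBooks advice above to always store the latest refresh token, combined in one token holder: it refreshes proactively inside a safety margin before expires_in (3550 s for a 3600 s token), falls back to refreshing once on a 401, and persists the rotated refresh token after every exchange. This is an added example, not code from either thread; the token endpoint is a constructed stand-in for a provider that rotates refresh tokens.

```python
import time


class FakeTokenEndpoint:
    """Constructed stand-in for a provider token endpoint that rotates the
    refresh token on every exchange, as QuickBooks does."""

    def __init__(self, lifetime=3600):
        self.lifetime, self.n = lifetime, 0
        self.valid_access, self.valid_refresh = "at-0", "rt-0"

    def refresh(self, refresh_token):
        if refresh_token != self.valid_refresh:
            raise ValueError("invalid_grant: refresh token is stale or revoked")
        self.n += 1
        self.valid_access, self.valid_refresh = f"at-{self.n}", f"rt-{self.n}"
        return {"access_token": self.valid_access,
                "refresh_token": self.valid_refresh, "expires_in": self.lifetime}

    def call_api(self, access_token):
        if access_token != self.valid_access:
            raise PermissionError(401)  # expired or revoked token
        return "ok"


class TokenHolder:
    MARGIN = 50  # refresh this many seconds early: at 3550 s for a 3600 s token

    def __init__(self, endpoint, refresh_token, now=time.time):
        self.endpoint, self.refresh_token, self.now = endpoint, refresh_token, now
        self.access_token, self.expires_at, self.refreshes = None, 0.0, 0

    def _refresh(self):
        resp = self.endpoint.refresh(self.refresh_token)
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]  # always keep the newest one
        self.expires_at = self.now() + resp["expires_in"]
        self.refreshes += 1

    def _expiring_soon(self):
        return self.access_token is None or self.now() >= self.expires_at - self.MARGIN

    def call(self):
        """Policy 1: refresh before expires_in runs out. Policy 2: on 401, refresh once
        and retry, which also covers a token revoked early by the user."""
        if self._expiring_soon():
            self._refresh()
        try:
            return self.endpoint.call_api(self.access_token)
        except PermissionError:
            self._refresh()
            return self.endpoint.call_api(self.access_token)
```

Policy 3 (a cron job) is the same `_refresh` invoked on a timer; with rotation it must write the new refresh token back to storage, or the next scheduled run fails with the stale one.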