I understand that the access-tokens are issued with a short expiration time in OAuth2 implicit flow, so that the application is forced to continually refresh them (using iframes or other means), giving the service a chance to revoke an application’s access if needed.
But what is the ideal expiration time? Should it be around 15 mins/more/less?
I know that (when using the "Authorization code" grant in OAuth), the lifetime of an access-token should be short but the lifetime of a refresh token can be long.
So I decided for my project:
access-token-lifetime: 1 day
refresh-token-lifetime: 30 days
But what is a typical lifetime of an authorization code?
Am I right that it should be really, really short?
Maybe like 1 hour or even only a few minutes?
I could not find any "best practice" for this...
All of this is standard but configurable in most identity / auth servers.
Authorization code
When the user consents to an application accessing their data, they are returned an authorization code. This code is used only once; it's normally good for five minutes. Anything lower than that would probably cause you issues with clock skew, and there is really no reason, IMO, for it to be longer.
Access token
Access tokens are returned after the authorization code has been exchanged. Access tokens are most often only good for 60 minutes.
Refresh tokens
Refresh tokens are long-lived tokens. The following are Google's standards.
Refresh tokens are good for six months but this time is sliding.
If a refresh token has not been used for six months by an application, then the access is revoked.
A user can also revoke the access as well at anytime.
Depending upon the scope requested, some refresh tokens expire after the user has changed their password.
Again, the above are just Google standards. On the identity server I work on at work, I think the current setting is that a refresh token expires after one month of non-usage.
Just found an answer on another site:
The authorization code must expire shortly after it is issued. The OAuth 2.0 spec recommends a maximum lifetime of 10 minutes, but in practice, most services set the expiration much shorter, around 30-60 seconds.
Source: https://www.oauth.com/oauth2-servers/authorization/the-authorization-response/
It depends on the provider. For some providers, it works only once. Once you exchange the authorization code for access and refresh tokens, it will expire and you can't use it the second time.
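The answers above agree on two properties of an authorization code: a lifetime of a few minutes and a single redemption. As an added example, not code from any answer in this thread or from any provider, here is a hypothetical in-memory code store that enforces both, plus the client-id and redirect-URI binding a token endpoint checks before exchanging the code. The five-minute TTL is an assumed policy value, and the clock is injectable so the expiry paths can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed policy for this example (not any particular provider's setting):
# codes live for five minutes and may be redeemed exactly once.
CODE_TTL_SECONDS = 300


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    expires_at: float
    used: bool = False


class AuthorizationCodeStore:
    """Hypothetical in-memory authorization code store with TTL and single use."""

    def __init__(self, ttl_seconds: int = CODE_TTL_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested offline
        self._codes: Dict[str, IssuedCode] = {}

    def issue(self, client_id: str, redirect_uri: str) -> str:
        # 32 random bytes: the code must be unguessable, not merely unique
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri,
                                       self._clock() + self._ttl)
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str) -> str:
        """Return "ok" once per code; any other string is a reason the token
        endpoint would report to the client as invalid_grant."""
        entry = self._codes.get(code)
        if entry is None:
            return "unknown"
        if self._clock() >= entry.expires_at:
            del self._codes[code]
            return "expired"
        if entry.used:
            # Second use of a code: deny it (RFC 6749 section 4.1.2 also says the
            # server should revoke tokens already issued from that code).
            del self._codes[code]
            return "reused"
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return "mismatch"
        entry.used = True
        return "ok"

    def purge_expired(self) -> int:
        """Drop expired codes that were never redeemed; returns how many were removed."""
        now = self._clock()
        stale = [c for c, e in self._codes.items() if now >= e.expires_at]
        for c in stale:
            del self._codes[c]
        return len(stale)
```

A real server would persist the entries and run `purge_expired` periodically; the short TTL keeps that table small, which is one practical reason, beyond limiting the replay window, to keep codes short-lived.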
I'm creating an app that integrates with several 3rd-party OAuth2 providers (think Zapier). The user adds a connection through OAuth2, which gives me a refresh token and access token that I'm storing in a database.
What is the best practice to keep the access token fresh? Should I be running an async job (e.g. cron) that refreshes the access token every 30 minutes for every connection? If the user doesn't use my app for several days, I'd like to still be able to access his 3rd-party data without having him go through the OAuth2 consent.
What is the best practice to keep the access token fresh? Should I be running an async job (e.g. cron) that refreshes the access token every 30 minutes for every connection?
Not necessarily. Wait till your API call fails. Check for a proper response such as "401 Unauthorized" which hints your access token is invalidated/expired. Once this happens use refresh token to renew the access token. If refresh token fails, then you have to fall back again and ask user to login again.
A refresh token can have a varying lifetime. It can be from a few days to a few months. For example, check Google's explanation mentioning long-lived refresh tokens and their possible expiry. Also check how Azure AD describes configurations related to token lifetimes.
So a user not using the app for a few days (e.g. leaving it and returning after the weekend) can be handled through proper configuration of token lifetimes. But be mindful about threats that could occur from long-lived, unmanaged tokens (e.g. due to token stealing).
The OAuth website has a pretty informative answer
The “expires_in” value is the number of seconds that the access token will be valid. It’s up to the service you’re using to decide how long access tokens will be valid, and may depend on the application or the organization’s own policies. You could use this timestamp to preemptively refresh your access tokens instead of waiting for a request with an expired token to fail. Some people like to get a new access token shortly before the current one will expire in order to save an HTTP request of an API call failing. While that is a perfectly fine optimization, it doesn’t stop you from still needing to handle the case where an API call fails if an access token expires before the expected time. Access tokens can expire for many reasons, such as the user revoking an app, or if the authorization server expires all tokens when a user changes their password.
If you make an API request and the token has expired already, you’ll get back a response indicating as such. You can check for this specific error message, and then refresh the token and try the request again.
TLDR: I would only refresh the token when a request fails
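Both answers above describe the same client behaviour: optionally refresh a little before `expires_in` runs out, always handle a 401 by refreshing and retrying once, and fall back to asking the user to consent again when the refresh itself is rejected. As an added example, not code from either answer or from any provider's SDK, here is a hypothetical client that does all three, together with a constructed fake provider so it runs offline. The transport and refresher callables, the token names, the 60-second skew window and the "refresh token rotation" handling are all assumptions of this example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, dict]


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute time derived from expires_in when the token was issued


class ReauthorizationRequired(Exception):
    """Refresh was rejected: the stored grant is dead and the user must consent again."""


class OAuthClient:
    """Hypothetical client: refreshes shortly before expiry, and again on a 401."""

    def __init__(self, tokens: TokenSet,
                 transport: Callable[[str, str, Dict[str, str]], Response],
                 refresher: Callable[[str], Optional[dict]],
                 clock: Callable[[], float] = time.time,
                 skew_seconds: int = 60):
        self.tokens = tokens
        self.transport = transport    # (method, url, headers) -> (status, body)
        self.refresher = refresher    # refresh_token -> token response dict, or None on failure
        self.clock = clock
        self.skew = skew_seconds
        self.refresh_count = 0

    def _refresh(self) -> None:
        resp = self.refresher(self.tokens.refresh_token)
        if resp is None:
            raise ReauthorizationRequired("refresh token rejected; start the consent flow again")
        self.refresh_count += 1
        # Some providers rotate the refresh token; keep the old one only if none is returned.
        self.tokens = TokenSet(
            access_token=resp["access_token"],
            refresh_token=resp.get("refresh_token", self.tokens.refresh_token),
            expires_at=self.clock() + resp["expires_in"],
        )
        # A real app persists self.tokens here, before the new token is used.

    def _send(self, method: str, url: str) -> Response:
        headers = {"Authorization": "Bearer " + self.tokens.access_token}
        return self.transport(method, url, headers)

    def get(self, url: str) -> Response:
        # The optimization from the quoted text: refresh just before the known expiry.
        if self.clock() >= self.tokens.expires_at - self.skew:
            self._refresh()
        status, body = self._send("GET", url)
        if status == 401:
            # Expired or revoked earlier than expected: refresh once and retry once.
            self._refresh()
            status, body = self._send("GET", url)
        return status, body


class FakeProvider:
    """Constructed stand-in for a third-party provider so the example runs offline."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.valid: Dict[str, float] = {}   # access token -> expiry time
        self.refresh_ok = True
        self.issued = 0

    def resource(self, method: str, url: str, headers: Dict[str, str]) -> Response:
        token = headers.get("Authorization", "")[len("Bearer "):]
        exp = self.valid.get(token)
        if exp is None or self.clock() >= exp:
            return 401, {"error": "invalid_token"}
        return 200, {"items": ["constructed sample record"]}

    def token_endpoint(self, refresh_token: str) -> Optional[dict]:
        if not self.refresh_ok or refresh_token != "rt-1":
            return None
        self.issued += 1
        token = "at-%d" % self.issued
        self.valid[token] = self.clock() + 3600
        return {"access_token": token, "expires_in": 3600}

    def revoke_all(self) -> None:
        """Simulate e.g. a password change that invalidates every access token."""
        self.valid.clear()
```

Note that the client never refreshes on a timer: a connection that is idle for days costs nothing until the next request, and the refresh token's own lifetime (set by the provider) is what decides whether that request can still succeed without new consent.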
In my application I am using OAuth 2 authorization and get an access token from the access code, which expires after 8 hours. Is there any way I can increase this expiry time? The default expiry time I get is 28800 (8 hours); I want it to be like 30 days or 60 days. Is it possible? I know this is possible with the Implicit grant flow, but if I want to continue with the Authorization code grant flow, is it possible?
Thanks.
You cannot increase the life of an access token beyond a certain limit due to security reasons. These tokens are supposed to be short-lived. One thing you can do is allow issuance of refresh tokens for offline access. So, if the access token is expired/about to expire, the client (Secure) can talk to the Authorization Server and get a fresh access token issued.
You won't be able to modify the token itself as it's signed by the STS before being issued to you. If you were to modify the field itself, signature validation would fail when you bear the token. As dvsakgec said, this token is meant to be short lived and the correct pattern is to use the refresh token to obtain fresh access tokens when it has expired. For most identity providers, the refresh token never expires so you can always get a new access token.
Now, some identity providers will allow you to configure the token through their developer tools. It depends on the provider. There is no hard line guide for token expiration, it's whatever the identity provider decides.
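The point in the answer above, that the expiry inside a signed token cannot simply be edited because signature validation would then fail, is easy to demonstrate. As an added example, not code from the answer or from any STS, here is a simplified HS256 JWT-style token: issue it with an 8-hour `exp`, rewrite the claim to 30 days while keeping the original signature, and watch verification reject it. The key, the claim names and the use of a symmetric HMAC key (a real STS usually signs with an asymmetric key) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_json(obj: dict) -> str:
    return _b64u(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_token(claims: dict, key: bytes) -> str:
    """Issue header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    header = _encode_json({"alg": "HS256", "typ": "JWT"})
    payload = _encode_json(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def verify_token(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims if the signature checks out and exp is still in the future, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64u_decode(sig)):
            return None  # signature mismatch: payload was altered or the key is wrong
        claims = json.loads(_b64u_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= int(claims.get("exp", 0)):
        return None  # genuinely expired: the client must use its refresh token instead
    return claims


def rewrite_exp(token: str, new_exp: int) -> str:
    """What 'modifying the field' means: change exp in the payload, keep the old signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64u_decode(payload))
    claims["exp"] = new_exp
    return f"{header}.{_encode_json(claims)}.{sig}"
```

The order of checks in `verify_token` is deliberate: the signature is checked before any claim is read, so a forged `exp` (or `alg`) never influences the decision.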
I am creating an OAuth 2.0 system on my server allowing users to log into their account on my server from the app without having to give the username and password to the app itself. Which, as I understand, is the purpose of OAuth, and it seems to work pretty well; the system is built in compliance with all OAuth 2.0 specifications and is fully functional. But what I don't understand is why I have to have tokens expire... I mean I provide a refresh URI and they can easily, at any time and at no cost, renew the token (or get a new valid one). I don't see any purpose in this; why not just make the token never expire? I don't see the security benefits or any purpose, for that matter, for token expiration. Can someone explain to me why I have to have my tokens expire and why they can't just be good indefinitely?
In a word, for safety.
In your question, you said "at no cost renew the token"; actually, when you refresh the token, you need to authenticate with the authorization server (provide your client credential). So a refresh token is not the same as an access token. It cannot give you access to the resource.
Why have token expire?
As OAuth 2.0 Threat Model and Security Considerations says:
3.1.2. Limited Access Token Lifetime
The protocol parameter "expires_in" allows an authorization server (based on its policies or on behalf of the end user) to limit the lifetime of an access token and to pass this information to the client. This mechanism can be used to issue short-lived tokens to OAuth clients that the authorization server deems less secure, or where sending tokens over non-secure channels.
5.1.5.2. Determine Expiration Time
Tokens should generally expire after a reasonable duration. This complements and strengthens other security measures (such as signatures) and reduces the impact of all kinds of token leaks. Depending on the risk associated with token leakage, tokens may expire after a few minutes (e.g., for payment transactions) or stay valid for hours (e.g., read access to contacts).
I found another use for it. I store a token in my database at every login. If someone no longer uses a device or deletes their token (uninstalls an app or clears a cache) for any reason without properly "logging out" (logging out removes it from the database), then there is a token stored in the database that will never be used again. After a while this becomes cumbersome, taking up valuable space in the database and slowing down query execution because of unused tokens. With token expirations I can run a cron job to scan the database for expired tokens every 15 minutes or so and remove them. Having to refresh tokens does put some strain on the server and the client, but not as much as having potentially millions of unused tokens.
Every time I read https://developers.facebook.com/roadmap/offline-access-removal/, I'm left more confused than the time before. I'm looking for some clarification on some items under scenarios 3 and 4 (server-side apps and client-side apps)
For server-side apps, it states "If the call is made while there is still a valid 60-day access_token for that user, the returned access_token from this second call may be the same or may have changed, but in either case the expiration time will be a fresh 60 days."
What is "the call" that is referred to here?
Is it the same exchange of an authorization code for the access token that takes place during the initial OAuth flow?
Or is it the endpoint call described under the client-side section to freshen the token to 60 days?
If it's the former, then where does the authorization code come from when trying to renew the token?
Is it the same authorization code from the original callback or do I have to go through the authorization flow again?
In short, can a server-side app keep freshening the life of a 60-day token and, if so then how?
Regarding client-side use, the document indicates that the client must make that endpoint call passing in (among other things) the application's client ID and client secret.
My interpretation of "client-side" may be wrong, but I'm thinking in terms of a JavaScript-based client running in a web-browser.
If that's what Facebook has in mind here, then should the JavaScript code really ever know about the client secret? (It won't be much of a secret if it's sent to the client.)
Even then, it indicates that 60-day tokens cannot have their life extended and that a new 2-hour token must first be acquired and used to get a 60-day token. This is under the client-side portion of the document, but does this rule apply to server-side 60-day tokens, too? If not, then I ask again: How do I freshen the life of a 60-day token on the server-side?
Finally, the question that has been burning in my mind for some time: Why has Facebook adopted this strategy and not adopted the refresh token as defined in the OAuth 2 specification (a specification that Facebook is helping define)???
EDIT: Further thoughts/questions after re-reading the document again:
At the beginning it says "a long-lived expiration time that can be renewed each time the user revists your app". My initial assumption is that the way to renew it would be to make a call to the endpoint later in the document. But, aside from the fact that the endpoint is described under the "client-side" heading, it also states "Please note, the endpoint can only be used to extend the short-lived user access_tokens. If you pass an access_token that had a long-lieved expiration time, the endpoint will simply pass that same access_token back to you without altering or extending the expiration time." (The typo on "long-lieved" is from FB's own documentation.)
Okay, so if that endpoint cannot be used to renew the expiration time (and my own attempts to renew a long-lived token with that endpoint prove this out), then how can I renew the expiration time on a long-lived token each time they visit my app?
Is there no one who understands how this is supposed to work?
After reading Facebook's doc (like for the 5th time) and with the help of this question/answer, these are my conclusions.
What is "the call" that is referred to here?
It refers to the OAuth call to get an access token.
Is it the same exchange of an authorization code for the access token that takes place during the initial OAuth flow?
Yes, I believe it's that flow.
Or is it the endpoint call described under the client-side section to freshen the token to 60 days?
No, that endpoint is only valid for short-lived access tokens.
Is it the same authorization code from the original callback or do I have to go through the authorization flow again?
You have to go through the authorization flow again.
How can I renew the expiration time on a long-lived token each time they visit my app?
Long-lived access tokens cannot be renewed using the client side endpoint. The user will have to reauthorize the app to get a new one.
According to Facebook documentation:
If the call (OAuth authorization call) is made while there is still a valid long-lived user access_token for that user, the returned user access_token from this second call may be the same or may have changed, but in either case the expiration time will be set to a long expiration time.
Once the application is reauthorized you'll get a new expiration time. Facebook may return a new long-lived access token, so you should grab it and replace that information for the one you already had.
Conclusion:
Seems there's no way to renew a long-lived access token without user intervention. To get a new expiration time/access token they'll have to reauthorize your app. My humble advice is that you should suggest to the user to reauthorize it a few days before the expiration date.
Also, this Facebook how-to can come in handy for checking expired access tokens.