How can you force expire a salesforce access token? - oauth-2.0

I'm building a web app and using OAuth2 to authenticate. For testing purposes, I would like to test what happens when the access token expires and the refresh token is needed to re-authenticate. Since the salesforce oauth token does not contain an "expiry date" parameter, how would i forcefully expire the salesforce access token.
This is what is returned when a token is requested.
{
"oauth_token": {
"access_token": "<access token>",
"id": "https://login.salesforce.com/id/00DG0000000imtwMAA/005G0000001CFgeIAG",
"id_token": "<id token>",
"instance_url": "https://na47.salesforce.com",
"issued_at": "1522400000",
"refresh_token": "<refresh token>",
"scope": [
"refresh_token",
"full"
],
"signature": "<signature>",
"token_type": "Bearer"
}
}

If you want to do it manually, you can go to Setup > Security Controls > Session Management, then select the session from the list and remove it. Alternatively, if you need to do it programmatically, you could query and delete these records, which are stored in the AuthSession object.
Once you've done that, your access token will be expired, and attempts to use it will produce:
[ {
"message" : "Session expired or invalid",
"errorCode" : "INVALID_SESSION_ID"
} ]
Your refresh token will still be valid though, and you can use it to request a new access token.

Related

AcquireTokenForClient does not return a refresh token?

We are not receiving the refresh_token when requesting the token despite the documentation says that always you request a token you will receive a refresh token.
Might be accidentally missing/misunderstanding something ?
This is a piece of the code we are using:
var app = ConfidentialClientApplicationBuilder.Create("...")
.WithAuthority(AzureCloudInstance.AzurePublic, "...")
.WithClientSecret(CLIENTSECRET)
.Build();
AuthenticationResult result = await app.AcquireTokenForClient(ewsScopes)
.ExecuteAsync();
And here is the reference to the documentation that we are basing our expectation on:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#refresh-tokens
Refresh tokens
When a client acquires an access token to access a protected resource, the client also receives a refresh token.
You are using Client Credentials flow here in your code here to acquire the token.
See here for documentation - IConfidentialClientApplication.AcquireTokenForClient(IEnumerable) Method
AuthenticationResult result = await app.AcquireTokenForClient(ewsScopes)
.ExecuteAsync();
Read here about the Client Credentials flow in more detail, and specifically what a successful response looks like in this case, which is only expected to have an access_token and no refresh_token.
{
"token_type": "Bearer",
"expires_in": 3599,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBP..."
}
A different flow, like Authorization Code flow (usually used by web apps) returns back an access_token as well as a refresh_token.
You can read more about that flow and a response in that case here - Authorization Code Flow
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"token_type": "Bearer",
"expires_in": 3599,
"scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
}

In OAuth2, when the refresh token request is executed to retrieve a new access token, are the previous Access Tokens invalidated?

Steps.
1. GET https://<canvas-install-url>/login/oauth2/auth?client_id=XXX&response_type=code&redirect_uri=https://example.com/oauth_complete&state=YYY&scope=<value_1>%20<value_2>%20<value_n>
2. POST /login/oauth2/token [grant_type=authorization_code]
Response:
{
"access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
"token_type": "Bearer",
"user": {"id":42, "name": "Jimi Hendrix"},
"refresh_token": "tIh2YBWGiC0GgGRglT9Ylwv2MnTvy8csfGyfK2PqZmkFYYqYZ0wui4tzI7uBwnN2",
"expires_in": 3600
}
3. POST /login/oauth2/token [grant_type=refresh_token]
Response:
{
"access_token": "new_1/fFAGRNJru1FTz70BzhT3Zg",
"token_type": "Bearer",
"user": {"id":42, "name": "Jimi Hendrix"},
"refresh_token": "tIh2YBWGiC0GgGRglT9Ylwv2MnTvy8csfGyfK2PqZmkFYYqYZ0wui4tzI7uBwnN2",
"expires_in": 3600
}
From step 2:
"access_token": "1/fFAGRNJru1FTz70BzhT3Zg" - using this token returns an invalid access token error
From step 3:
"access_token": "new_1/fFAGRNJru1FTz70BzhT3Zg_new" - works!
My question is,
Is this the expected behaviour?
or
Should the access token from step 2 be valid until it expires(3600s)?
No When you use the refresh token and refresh it will generate a new access token and attach to the refresh token. Old access tokens will no longer work after that.
Expires in is a maximum TTL of the access token after which refresh is compulsory but there is no minimum threshold for refreshing an access token.
(I wanted to respond to your comment in shazin's answer. But I have no reputation :( )
AFAIK The old access token is invalidated when the refresh token is used to get a new access token.
I briefly looked at the OAuth2 Spec but could not find anything saying that the old access token is invalidated when the refresh token is used. Perhaps because it is assumed the refresh token is only used when the access token is invalid.
Anyway perhaps these 2 references from the spec will help.
Refresh token
Refreshing an Access Token

Access Token contains almost all information from Identity Token

The tokens below are returned upon initial token request with Azure AD B2C. access_token contains most information that id_token contains.
My questions are that:
1 Since access_token contains most information that id_token contains, what scenario can access_token be used in place of id_token? what scenario must id_token be used instead of access_token?
2 What are the rules regarding use of both access_token and id_token in general?
Result upon initial token request
{
"access_token": "access_token",
"token_type": "Bearer",
"expires_in": "3600",
"refresh_token": "refresh_token",
"id_token": "id_token"
}
Below is the decoded token for the respective token:
Please note that access_token contains most information from id_token, including user information.
access_token
{
"iss": "url",
"exp": 1550539339,
"nbf": 1550535739,
"aud": "audience ",
"idp": "LocalAccount",
"sub": "guid",
"name": "user#email.com",
"emails": [
"user#email.com"
],
"tfp": "B2C_1_ROPC_Auth",
"ver": "1.0",
"iat": 1550535739,
"azp": "guid"
}
id_token
{
"iss": "url",
"exp": 1550539339,
"nbf": 1550535739,
"aud": "audience ",
"idp": "LocalAccount",
"sub": "guid",
"name": "user#email.com",
"emails": [
"user#email.com"
],
"tfp": "B2C_1_ROPC_Auth",
"ver": "1.0",
"iat": 1550535739,
"auth_time": 1550535739,
"at_hash": "access_token hash"
}
Update
Further to question 1 above:
Since access_token contains most information that id_token contains, can access_token be used instead of id_token? That is, when id_token must be used instead of access_token?
I will take google as a example,
1) let say you want to implement social login where u mostly need fields like email, 'first_name', 'last_name'., these fields are mostly available in id_token. so id_token is perfect suitable for authentication.
2) later u need to fetch google contacts of the login user., In such scenarios u can't get contacts of the user in id_token. this is where access_token comes, though u won't have the contacts in access_token but all permission to fetch the contacts.
An ID token is intended for authentication. It is represented as a JSON Web Token (JWT) that contains claims about an authentication event including the identity information for a resource owner. The ID token is intended for a client application (a single-page app) and its aud (audience) claim contains the OAuth 2.0 client_id of the client application.
An access token is intended for access by clients to resources that are owned by a resource owner. It is represented as either a JWT (e.g. Azure AD B2C represents an access token as a JWT) or an opaque token. The access token is intended for a resource application (e.g. an API app) and its aud claim contains the OAuth 2.0 client_id of the resource application.

What should i do with google oauth response?

So, i've got this response from google upon authentication:
{
"user": {
"id": "116807551237969746774",
"email": "123456#gmail.com",
"verified_email": true,
"name": "John Doe",
"given_name": "John",
"family_name": "Doe",
"picture": "https:\/\/lh3.googleusercontent.com\/-XdUIqdMkCWA\/AAAAAAAAAAI\/AAAAAAAAAAA\/4252ldubv5M\/photo.jpg",
"locale": "en"
},
"credentials": {
"access_token": "ya29.GlsSBIA_hMKZIDE_wqJAJS0vrHD_Wd2HfwRTTvLISv0i1uFICCqz4JdEZcL09mFFlGdt71D9pW80SLShHgyeSOZgnWcL5piL5m0jYo1TMU6o0fDLnqGAWm6BY-Wl",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "1\/az_TmhPRaYG5NDH6L9gBeNo6STOD9EbTt1VkkBmp3IQ",
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjBlNmExN2I2YjU4MGIzNTFmMGQ5YmEzMzY2YTU0Y2U1NmViOWIxN2UifQ.eyJhenAiOiIxMDAzMjk3NzQ4MDc1LWsxdml0OGMxMHJ1ZnM4cjZpYmZyYmxlZmJhamFoZmllLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiYXVkIjoiMTAwMzI5Nzc0ODA3NS1rMXZpdDhjMTBydWZzOHI2aWJmcmJsZWZiYWphaGZpZS5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsInN1YiI6IjExNjgwNzU1MTIzNzk2OTc0Njc3NCIsImVtYWlsIjoiNzA0MzA2N0BnbWFpbC5jb20iLCJlbWFpbF84PIXpZmllZCI6dHJ1ZSwiYXRfaGFzaCI6IkdrOHFjMTdCcEVGVGZmWkpKbkh6NGciLCJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJpYXQiOjE0ODk4MTIxMzksImV4cCI6MTQ4OTgxNTczOSwibmFtZSI6IkFudG9uIEFsZWtzYW5kcm92IiwicGljdHVyZSI6Imh0dHBzOi8vbGg0Lmdvb2dsZXVzZXJjb250ZW50LmNvbS8tTEJuMTlWX1NEN3cvQUFBQUFBQUFBQUkvQUFBQUFBQUFBQUEvQUFvbXZWMTRMVFIycUgtOXJ5S2dScjIxd3A1Z1FZRGNmUS9zOTYtYy9waG90by5qcGciLCJnaXZlbl9uYW1lIjoiQW50b24iLCJmYW1pbHlfbmFtZSI6IkFsZWtzYW5kcm92IiwibG9jYWxlIjoiZW4ifQ.BHv5BP3ZsagvunfMzGLwmxkBdtoRocPa_PXdq2lrd4D9BoFGkK06eJVbNNbcPOFdAMba3V5lIIG_L499gIy3TTz_PIHBPi6DMSp6uyfkCwf2n-PspZtTbTRlUm5ZvRdAyPEEyLLkWllKkMsRk-Nwp3vhyOLnExzH7SXiEefU4kaXXCpjsHV3GvZ-yhrmNlicEY3TPLwI-tl_lydXTBXRRiPZBGWjHK75hqvQzUktC2Flimd7JnCLhF0FOS3yFKc5D11WPKMOO4YkIQDbBrKY64vyxQAd-Zb2KfvXZi6Dorq7IJF6sK2GAfI3edSaoMZBMa0-x2V7FuFIBLtTgGRnsw"
}
}
I haven't found documentation on what should i do with credentials part of this response? What should i use for user identification? What should be saved as token on client side (ios/android app) in order to revive the session? What does expires_in: 3600 means and what should i do about it? What does token_type: Bearer means and why do i need it? etc.
Thank you, #pinoyyid for clarifications!
The main thing i was looking for is this:
On server side get access_token property from credentials and verify it, using this url
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={your access_token}
Do whatever you want with the rest of the provided data.
Personally, i'll prefer to generate own token, save it on client side and use it to revive user's session (to verify his identity). Once token is lost for whatever reason, user just will go through the whole process again.
what should i do with credentials part of this response?
Rejoice, for you have done the hard part.
What should i use for user identification?
Anything you like, or nothing at all. It depends on your app's use case.
What should be saved as token on client side (ios/android app) in order to revive the session?
The Refresh Token. Note that "revive the session" is wrong terminology. In OAuth/REST, there are no sessions.
What does expires_in: 3600 means and what should i do about it?
It is saying that the Access Token will expire in 1 hour (3600 seconds). What you should do is use the Refresh Token to acquire a new Access Token by POSTing it as described https://developers.google.com/identity/protocols/OAuth2WebServer#offline
What does token_type: Bearer means?
It means the Access Token should be placed in an HTTP Authorization header whenever you try to access a Google API. Eg Authorization: "Bearer aaaaaaa" where aaaaaa is the Access Token.
and why do i need it?
To prove to Google that your app has been given permission to access a Google resource (eg. a file in Drive) by the owner of that resource.

Expiration for Trello OAuth tokens

Our service has a Trello integration, and we use OAuth to authenticate and authorize users. However, we're seeing all of our calls to Trello fail until the service reauthenticates the user. This started with a call to https://api.trello.com/1/lists to post a card, which received a 401 response. Getting a new token (by effectively reauthenticating) solved the problem, so it's not a permissions issue.
This problem initially sounded like a token expiration issue (since expiration=never is evidently supported), but it hasn't happened in the past and we've been using Trello's API for well over a year. Does anyone happen to know Trello's default OAuth token expiration and whether this has changed recently?
Thanks!
If an expiration is not provided in the request, the default value for the OAuth1.0 flow is 30days.
401s can also be caused by a user revoking a Trello token from their accounts page: https://trello.com/my/account.
Additionally, you can check the expiration date of a token via the 1/tokens route: https://trello.com/1/tokens/{tokenValue}?key={TrelloAPIKey}&token={tokenValue}.
An example response to that route looks like this:
{
"id": "a58541ff795dc3d9a124374b",
"identifier": "My Trello Token",
"idMember": "5859bd30f6582fbf01f4a8fc",
"dateCreated": "2016-12-16T16:45:06.810Z",
"dateExpires": null,
"permissions": [
{
"idModel": "69bdfbf01f58582530f4a8fc",
"modelType": "Member",
"read": true,
"write": true
},
{
"idModel": "*",
"modelType": "Board",
"read": true,
"write": true
},
{
"idModel": "*",
"modelType": "Organization",
"read": true,
"write": true
}
]
}
A Trello access token by default never expires. You can check this here:
https://trello.com/{username}/account
Under the 'Applications' section, you will find details of the API tokens associated with your account.

Resources