I am working with Identity Server 3 on the service and oidc-client.js in my front end. The client setup in Identity Server does not set the token lifetime options, so should have the default values of 300s (5min) for the identity token lifetime and 3600s (60min or 1hr) for the access token lifetime. My client app requests and receives both an identity token and an access token. The oidc-client user object exposes expiration information about the access token. But how can I tell when the identity token has expired? Or maybe more to the point, which token should represent a still valid login/authentication? My code is currently using the user object expiration data to determine if a user is authenticated, but now that I realize that's the access token expiration, I'm not sure that's the right thing to do.
Same question asked another way: If a user logs in and gets an identity token that's valid for 5 minutes and an access token that's valid for 60 minutes, when does that user's authentication expire and how does the client app know it has expired?
Related
My skill requires Account Linking which will authenticate customers with an AWS cognito user pool through OAuth 2.0 Protocol.
I can specify in the user pool the TTL of the refresh token, which I decided to have it valid for 60 days.
From what I understand, alexa sends you the access token along with each request that your skill receives so you can identify customers using the skill. If their access token expires alexa would handle this by refreshing their token before forwarding the request with the access token to you. So you can have a valid access token.
Now, what happens when the refresh token expires? and does it expire after 60 days even if the customer is using the skill on daily basis? I guess what I'm asking is:
When the access token expires and alexa refreshes it. Does the refresh token also get refreshed?
If yes, how do we keep the customer signed in and their account linked when the refresh token expires after 60 days?
I think you can find the answers in the documentation.
Verify that the token is valid
If the accessToken exists, verify that it identifies a user in your resource server. The token could become invalid for multiple reasons, for example:
The user deleted or canceled their account with your service. For example, an Alexa user might have set up account linking with Ride Hailer, then later canceled their Ride Hailer account. At this point, the token stored by the Alexa service would identify a non-existent user.
The token has expired, and the Alexa service was unable to obtain a new token. This can occur with an authorization code grant if your authorization server does not provide refresh tokens. This can also occur if you use an implicit grant, which does not support refresh tokens.
If the token is valid, handle the request normally. You can use the token to access data from your resource server as needed. In the Ride Hailer example, the skill would retrieve profile and payment information for the user from the Ride Hailer service, order a car, and return a confirmation to the user. See Return a Response for details.
Once I've completed the OAuth flow by obtaining authorization from the user and then creating an access token, how do I obtain another token without asking the user for authorization again? I thought the user's account on Smartsheet would remember that they trusted the application, but that doesn't seem to be the case. I'm new to OAuth so I'm sorry if I'm missing something obvious.
Thanks!
Access tokens retrieved via the OAuth flow are valid only for a certain period of time -- you (i.e., your application) can refresh a token before it expires in order to prevent the end-user from having to provide authorization again.
When you issue a GET Token request to obtain an access token, the response contains not only the token itself, but also information to indicate how long the token is valid (the expires_in property indicates the number of seconds until the token expires) and a refresh_token property value that you'll need in order to refresh the token.
To prevent the user from having to provide authorization again, simply refresh the token before it expires, and then use the new (refreshed) token value in subsequent API requests. Note that each token you obtain (whether it's the original token or a refresh token) will always expire in a finite amount of time, thereby requiring that you refresh the token in order for your application to maintain user authorization.
In my application I am using OAuth 2 authorization and get access token from access code which expires after 8 hours. Is there any way I can increase this expiry time. Default expiry time I get is 28800(8 hours), I want it to be like for 30 days or 60 days. Is it possible. I know this is possible with Implicit grant flow but if I want to continue with Authorization code grant flow then, Is it possible?
Thanks.
You cannot increase the life of Access token beyond certain limit due to security reasons. These tokens are supposed to be short lived. One thing you can do is allowing issuance of refresh tokens for offline access. So, if access token is expired/about to expire, client (Secure) can talk to Authorization Server and get fresh access token issued.
You won't be able to modify the token itself as it's signed by the STS before being issued to you. If you were to modify the field itself, signature validation would fail when you bear the token. As dvsakgec said, this token is meant to be short lived and the correct pattern is to use the refresh token to obtain fresh access tokens when it has expired. For most identity providers, the refresh token never expires so you can always get a new access token.
Now, some identity providers will allow you to configure the token through their developer tools. It depends on the provider. There is no hard line guide for token expiration, it's whatever the identity provider decides.
I just have a question re client_credentials grant type in OAuth 2.0. When a client requests for an access token 2 times, will the access token requested on the first time be invalid?
Thanks!
The first obtained access token will be valid until it expires.
A token contains an authentication ticket including the indentity and an expiration time. When the token is decrypted, the server obtains the ticket and checks that the ticket is not expired. It uses the claims included in the ticket for authorization tasks.
I'm working with an API that uses OAuth2, provides an access token that expires in 3600 seconds, and provides a refresh token with it. Originally, I'd waited for an API call to fail in a way that indicated the access token was expired and then tried to refresh the access token using the refresh token. This has become problematic when the access token is expired and several API calls are made concurrently (each call separately triggers a refresh and most of the calls fail).
Would it be better to automatically refresh the access token using the refresh token after 3600 seconds? (Or 3599 seconds or 3601 seconds?) Is there a different paradigm I should be using for refreshing the access token?
Ideally, the client should have sufficient smarts to not use an expired access token. Fortunately the response from your OAuth AS's token endpoint should include the expires_in attribute to confirm that the expiry will be in 3600 seconds. E.g.:
{"token_type":"Bearer","expires_in":3600,"refresh_token":"p8BPdo01kkjh6fhatclD3wwBEQblm4kL4ctYRVlrHo","access_token":"9XebAAXeu6hQOAiwmOk8vdhRyUFV"}
Since this JSON response is generated by the server, there's a chance that the transmission back to the client has taken time, and thus the "expires_in" value may be smaller than it appears.
Given that, I'd recommend that you have some sort of buffer (say 5-10 seconds) before expiry to automatically use your refresh token to request a new access token.
I may have used the following scenario. There will be access failures due to access token validation error but those errors will be minimal.
App1 invokes the token api with password grant type and get the access token and refresh token pair (accto1/refto1)
App2 also do the same at the starting up of the execution (accto1/refto1)
When the access token is expired for App1, he may do the refresh token by invoking the token api with refresh token grant type and with his existing refresh token (refto1) and he will retrieve a new pair of access token and refresh token. (accto2/refto2)
When App2 also reaches the instance when his access token is expired, he will also try the refresh token grant with the refresh token he already has (refto1) but he will get an authorization error since that refresh token is now expired.
When either of the apps get this error then app needs to realize that someone else has refreshed the token so at this moment the app needs to make a call with the password grant to retrieve the new access token / refresh token pair in action. This time as in the example the App2 will also retrieve the same access token and refresh token pair that the App1 has previously received for his refresh token grant. (accto2/refto2)