I have a React Native app that is using Expo.Google.logInAsync to login via Google. This returns an accessToken (expires after 1 hour) and a refreshToken.
Im passing this accessToken to the Firebase Web SDK:
const cred = firebase.auth.GoogleAuthProvider.credential(null, accessToken);
await firebase.auth().signInWithCredential(cred).catch(console.error);
const idToken = await firebase.auth().currentUser.getIdToken(true).catch(console.error);
How should I be using this Google refreshToken to keep the Firebase idToken valid and logged in after one hour?
Should I make the request below and re-reun the Firebase signInWithCredential?
https://developers.google.com/identity/protocols/OAuth2WebServer#exchange-authorization-code
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
client_id=<your_client_id>&
client_secret=<your_client_secret>&
refresh_token=<refresh_token>&
grant_type=refresh_token
I can get my client_secret from the Google API Credential page. Most people say to keep it on the server if possible, but some say you can also embed it into your client code if needed.
Is the client_secret designed to be used from client side code in a phone app?
Firebase sessions are indefinite. Firebase Auth returns an ID token and refresh token after sign in and every time an ID token expires, the refresh token is used to get a new ID token. The client SDK will take care of the refresh on its own. You just call getIdToken() and it will either returned the cached ID token if not expired or retrieve a new one using the underlying refresh token. The Google OAuth refresh token you are referring to is not needed here.
Just to be clarified the Google OAuth Token is not be able to refreshed via Firebase Auth flow nowadays ?
Related
I am using jwt token with spring security.
After successfully generating the token on login and passing it to my Reactjs application in localStorage object. I have one problem that on logout I delete the token but still using the same token I can hit secured api through Postman.
Since I know that token is not expired but is there any way that I can re-issue new token if the user keeps on interacting and I keep the expiry very small like 5 minutes.
There are two solutions:
1: Re-issue new token after every api response and update the token in the localstorage object of react app using a filter
2: Save all issued token in a repository/cache or in memory then delete token from this repository on logout. While validating the JWT token add one more check to see if the token exists in the repository.
We're using Aws Cognito with Oauth 2.0 and we're wondering, if cognito supports Refresh Token Rotation according to the Oauth 2.0 specification (https://www.rfc-editor.org/rfc/rfc6819):
The basic idea is to change the refresh token value with every refresh request in order to detect attempts to obtain access tokens using old refresh tokens
When we're using the Aws .net sdk to refresh our tokens:
await user.StartWithRefreshTokenAuthAsync(authRequestRefresh).ConfigureAwait(false);
...we're not getting a new refresh token back. The only way to get a new refresh token, is by doing a new login:
await user.StartWithSrpAuthAsync(authRequest).ConfigureAwait(false);
Thanks for your help!
Kind regards,
Peter
Cognito doesn't support refresh token rotation. You can however change the number of days a refresh token stays valid for an app client.
Code snippets for Building OAuth 2.0 credentials :
Credential credential = new GoogleCredential.Builder().setTransport(httpTransport)
.setJsonFactory(jsonFactory)
.setClientSecrets(myAppClientID, myAppSecret)
.build();
credential.setRefreshToken(userRefreshToken);
I am using Java Library in order to get the Google Analytics Data.
I do have Client ID, Secret and Refresh Token. I am accessing Google Analytics API though this credentials information,
My question is, Will Google OAuth 2.0 take care of Access Token Automatically? Or Do i need to handle it manually with some mechanism? If i am not passing access token to this code.
From the Credential API doc:
Thread-safe OAuth 2.0 helper for accessing protected resources using
an access token, as well as optionally refreshing the access token
when it expires using a refresh token.
So if you don't specify an access token, it will be automatically fetched using the refresh token. But since you already have an access token, I would say it's good to set it - it will save the first network call to the /token endpoint.
Quick question, couldn't find the answer here. When using the refresh token to create a new access token, will this use up the refresh token?
I had an instance where I used up the refresh token to get a new Access Token however the new access token didn't come with a new refresh token.
Does this mean that I can keep using the initial refresh token every time the access token runs out?
The Google documentation says,
refresh_token: A token that may be used to obtain a new access token. Refresh tokens are valid until the user revokes access.
Refresh tokens are valid until they are revoked, so you can use it as many times as you want if it is valid.
The following is an example of refreshing an access_token with Google OAuth.
Request
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
client_id=8819981768.apps.googleusercontent.com&
client_secret={client_secret}&
refresh_token=1/6BMfW9j53gdGImsiyUH5kU5RsR4zwI9lUVX-tqf8JXQ&
grant_type=refresh_token
Response
{
"access_token":"1/fFBGRNJru1FQd44AzqT3Zg",
"expires_in":3920,
"token_type":"Bearer",
}
to conclude, refresh tokens are not expired with an access token refresh. they can be used as long as they are valid.
The behavior depends on OAuth 2.0 implementations. Google's implementation is just one example. As a matter of fact, there exists an implementation that allows an administrator to select either (1) to keep a refresh token valid after use or (2) to invalidate a refresh token after use and issue a new one.
I am using Oauth to access Google Cloud Storage via their JSON API.
All is fine, I authenticate and get an access token which has an expiration of 3600.
What is the correct way to refresh this?
It is my understanding that in other types of oAuth flows (i.e. Web Server), the initial authorization request returns a refresh token as well as an access token, and that the refresh token is used to ask for another access token when the current access token has expired.
But is appears that there is no refresh token when doing server-to-server oAuth with a Google "Service Account"?
Found the answer.
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#expiration
Access tokens issued by the Google OAuth 2.0 Authorization Server
expire one hour after they are issued. When an access token expires,
then the application should generate another JWT, sign it, and request
another access token.