WSO2 API Manager refresh and access token revocation - oauth-2.0

I have a setup where clients access APIs defined through WSO2 API Manager, secured by OAuth2 refresh and access tokens. The client gets the tokens using the authorization code flow, and authentication and authorization are done by 3rd-party software.
Access tokens have a default expiration time of 3600 seconds (60 minutes) and refresh tokens have no expiration (they last forever).
Now I have to manage refresh token revocation by a user or admin from the 3rd-party application. The use case is that a user or application admin will remove the authorized access for a client, which should revoke the refresh token in WSO2 API Manager (not only the client logout function, as the client application can be lost or compromised).
For example, if you have a Google account you can remove access for applications through your account management page (Apps with access to your account).
WSO2 API Manager has a revoke API in order to do so, where you should send the refresh token to be revoked (Token API).
This means that the 3rd-party application would also have to hold the refresh token in order to revoke it through that API, but I understand this as a security flaw, because only the client should have received the refresh token and be able to use it in order to renew the access token.
How should such a use case be implemented in WSO2 API Manager? How can the 3rd-party application call the API for token revocation without knowing the refresh token? What is the correct implementation?

Related

Access token expiry in Google OAuth

Case scenario:
Suppose a user logs into a third-party website using Google OAuth. By default the Google access token has an expiry time of about 3600 seconds.
If, after logging into the third-party website,
the user deletes/inactivates the Gmail account, or
the user removes the consent given to the third-party app in Gmail:
In the above cases does the access token expire?
In the above cases does the refresh token expire?
Does the below link give the actual information about the access token in any one of the above scenarios?
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=
Suppose a user logs into a third-party website using Google OAuth.
OAuth2 is not for sign-in (authentication); it is for authorization. So a user would not log in to a third-party website using OAuth2; they would log in to a third-party website using their Google account and OpenID Connect.
By default the Google access token has an expiry time of about 3600 seconds.
The industry standard for OAuth2 states that an access token expires after an hour, or 3600 seconds.
In the above cases does the access token expire?
No. Access tokens are self-contained bearer tokens. They will work until they expire, in this case after an hour. There is no additional validation on them; it is assumed that the bearer of said token has access to the data for an hour. Yes, even if they delete the access.
In the above cases does the refresh token expire?
If the user revokes your access via their Google account, all outstanding refresh tokens are removed immediately; they will no longer work.
Does the below link give the actual information about the access token in any one of the above scenarios?
The UserInfo endpoint (a standard endpoint) can be used to retrieve identity information about a user who has authorized the application.
The information returned can vary by server, but it is most often the username and profile name, and it can contain the email address and birthdate.
The endpoint will return the info as long as the access token has not expired.

OAuth Implementation - Revoke access tokens

We have implemented the below process for revoking OAuth access tokens / refresh tokens to de-link an external app from our application:
On logout / a user-initiated de-linking action, we delete the access token and refresh token that were obtained from the initial authorization flow.
The user has to go through the authorization flow once again to obtain a new access token and refresh token.
We are not calling any token revoke function / API on the authorization server.
My questions are:
Does the authorization server automatically revoke the first set of access token + refresh token if a new authorization flow has been initiated by our app?
Are there any potential pitfalls to avoid in this approach?
The reason we took this approach is that most 3rd-party apps do not offer revoke-access APIs and require the user to go to the 3rd-party app to remove access / de-link the authorized apps.
Does the authorization server automatically revoke the first set of access token + refresh token if a new authorization flow has been initiated by our app?
No, most won't. Consider a scenario where a user is logged into your application from multiple devices. Each would get a valid access/refresh token.
So you can't rely on this.

How to implement OAuth2 Code flow with automatic refresh token grant

We have just started out with ASP.NET Web API 2 and implemented the OAuth2 client credentials token grant, the resource owner token grant (for internal apps), as well as the code flow token grant for third-party vendors.
For the code flow, when the refresh token is exchanged for a new access token and refresh token, the original token is removed from the token store and is thus invalidated. The resource owner can also revoke an access token and its associated refresh token at any time.
One of our vendors will follow the code flow grant, as there is a requirement that the resource owner or a representative authorizes the access to the resource server.
The vendor subsequently requested that, instead of the normal flow of redeeming the refresh token for a new access token and refresh token, the host server automatically provide a new access token and refresh token for each request.
The idea is that, over and above servicing the request, the host API calls back to a pre-determined endpoint on the client domain and provides a new access token and refresh token.
It goes without saying that such an arrangement introduces complexity within the host API, that it would defeat the whole point of short-lived tokens and longer-lived refresh tokens, and that we would probably have to implement other measures to prevent token hijacking and other types of attacks.
Currently our authorization server and resource server are one and the same. We would, however, want to keep the option open to separate the authorization server from the resource server in future.
The questions from this, then:
Should we consider this arrangement at all?
Would it make sense to switch to a never-expiring access token and not issue a refresh token with the token request?

Google OAuth "Service Account", how to refresh the token?

I am using OAuth to access Google Cloud Storage via their JSON API.
All is fine: I authenticate and get an access token which has an expiration of 3600.
What is the correct way to refresh this?
It is my understanding that in other types of OAuth flows (i.e. Web Server), the initial authorization request returns a refresh token as well as an access token, and that the refresh token is used to ask for another access token when the current access token has expired.
But it appears that there is no refresh token when doing server-to-server OAuth with a Google "Service Account"?
Found the answer.
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#expiration
Access tokens issued by the Google OAuth 2.0 Authorization Server expire one hour after they are issued. When an access token expires, then the application should generate another JWT, sign it, and request another access token.

Should access tokens expire on logout in OAuth 2.0?

I am trying to implement an OAuth 2.0 provider. I am confused about access token grants. I am using the oauth2orize module in node.js.
I am confused about whether I should remove all access tokens related to a specific user when the user logs out from the auth server. I am building a mobile app and a single-page app for the browser, and I am using the Resource Owner Password Credentials flow. How long should an access token be valid for, and should it expire on logout?
Generally, an app will revoke an access token just prior to performing logout. Typically, the app will revoke the refresh token if it got one, as that will also invalidate any and all access tokens.
From the perspective of the authorization server, I would keep these things separate and implement both:
Revoke (RFC 7009)
Logout (OpenID Connect)
Then the clients can use either / both of these as they need. If you have some constraints in your environment, you may be able to automatically revoke tokens during logout in your authorization server. Generally though, it should allow both to be used independently and put the client in control.
