I'm using Implicit Grant Flow to authenticate over oauth2 and obtaining token from fitbit platform.
Here is the url I'm requesting:
https://www.fitbit.com/oauth2/authorize?response_type=token&client_id=CLIENT_ID&expires_in=31536000&prompt=none&redirect_uri=REDIRECT_URL&scope=activity%20heartrate%20sleep;
Since I'm specifying expires_in=31536000 I'm looking for a 1 year validity token, but I'm receiving a response like this:
fitbit://mypersonalcallback#access_token=ey...VE&user_id=blablabla&scope=sleep+activity+heartrate&token_type=Bearer&expires_in=2567006
So my token lasts 30 days.
How can I obtain a 1 year token?
Thanks!
Related
I have an API set with OAuth2 authentication. A client has subscribe to my API using WSO2.
We don't use refresh tokens. All access tokens expire in 1 hour.
What happens if my client requests 2 access tokens with the same client credentials?
Will the first token be revoked or will both tokens live 1 hour?
When you request a token with client credentials, it will give an access token which is valid for 1 hour. If you again request a token from the token API within that 1 hour period, then it will give the same token. Basically, if there is a valid token, then it will return that. This is the default behavior.
But if you are using the API Store and click on token re-generation, then it will first revoke the token and get you a new access token.
If you want to get two different access tokens for the same client credentials at the same time, then you can use a scope. When there are different scopes in the token request, it will return two different access tokens.
According to WSO2 docs, you can't have more than one access token. What you can do instead is changing the token expiration time to longer than one hour.
In WSO2 API-M the access token must be unique for the following combinations - CONSUMER_KEY, AUTHZ_USER, USER_TYPE, TOKEN_STATE, TOKEN_STATE_ID and TOKEN_SCOPE. The latter mentioned constraint is defined in the IDN_OAUTH2_ACCESS_TOKEN table. Therefore, it is not possible to have more than one Access Token for any of the above combinations.
I am integrating fitbit in my application and I don't want the user to redirect every time to SafariViewController to get the access token, for that i am storing the Access Token, but after 24 hours the Access Token is expiring.
In the API of fitbit Fitbit OAuth 2.0 there is a parameter expires_in which is used to define the expiration time of Access Token, In that parameter i am passing 31536000 for 1 year, but after that also the Access Token is expiring in 24 hours, and after that i have to redirect the user to SafariViewController.
So, is there any workaround so that i don't have to redirect user to SafariViewController, any methods through which i will refresh the token in background, something like that.
Any help would be appreciated.
Cheers !!!!!
You dont need to set any expires_in value to your access_token. The expire of access_token is checked in the fitbit server not in your server. So by setting the expires_in will not work. Instead you will get are refresh_token along with your acess_token after Fitbit authorization.By calling the
$result=$fitbit_object->getRefreshtoken(YOUR_REFRSH_TOKEN);
The result will contains new access_token and refresh_token.Store/update them in you db. So when you want to use the aceess_token , you can use the new refresh_token to refresh your access_token . Its simply works for me.
I would like to request Uber cabs on behalf of an Uber user, but first the user needs to permit the app to have access to his profile and permit the app to send requests on his behalf. However, the returned authorization code that I can use to get the access token in order to send user requests on their behalf is only valid for 10 minutes and my requirement needs me to send requests even 24 hours later.
Is there a way to get a permanent authorization code or access token that never expires or at least one that lasts for a long period, e.g. a month?
RFC 6749 says as follows in 4.1.2. Authorization Response:
code
REQUIRED. The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code
Therefore, it is hopeless to expect an authorization code with longer lifetime than 10 minutes. So, you should exchange an authorization code for an access token at the token endpoint immediately using the way described in 4.1.3. Access Token Request.
If Uber's authorization server issues a refresh token when it issues an access token, you can expect it has longer lifetime than an access token. You can use a refresh token at the token endpoint in order to get a new access token. See 6. Refreshing an Access Token for details.
If lifetime of access tokens and refresh tokens issued by Uber is less than 24 hours, you have to change the flow of your application.
I am following Oauth 2.0 authentication protocol.
There, it's said in the Authorization code flow after getting the Oauth Access token we need to refresh it using the refresh token if Access_toke is expired.
My question is how do we know whether the access_token is expired or not?. so that we can claim a new access token with the help of refresh_token.
your token array should look like this one.
tokens[token] = { "userID": userID, "clientID": clientID , "expires_in": expires, "refreshToken": refreshToken };
expires = current time + 30mins(assume your token will expire after 30 mins)
In your protected route you should compare current time with that expiration. If token expire, you will issue a new token using refresh token.
Just remember the time when access token will expire when you get it. When you obtain access token you can check expires_in parameter. See OAuth 2.0 specification: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.4
You should also handle Invalid Token Error and get new token when old is expired. See description: https://www.rfc-editor.org/rfc/rfc6749#section-1.5
I am using Oauth to access Google Cloud Storage via their JSON API.
All is fine, I authenticate and get an access token which has an expiration of 3600.
What is the correct way to refresh this?
It is my understanding that in other types of oAuth flows (i.e. Web Server), the initial authorization request returns a refresh token as well as an access token, and that the refresh token is used to ask for another access token when the current access token has expired.
But is appears that there is no refresh token when doing server-to-server oAuth with a Google "Service Account"?
Found the answer.
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#expiration
Access tokens issued by the Google OAuth 2.0 Authorization Server
expire one hour after they are issued. When an access token expires,
then the application should generate another JWT, sign it, and request
another access token.