Uses of Property "expires_at" in Identity Server Authentication Response Object - oauth-2.0

Question / Issue
I would like to know the actual purpose of the "expires_at" property. Once I have logged in successfully, the Identity Server returns the following response JSON:
{
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo0NDMwMCIsImF1ZCI6ImpzIiwiZXhwIjoxNTAyNDI4MjQyLCJuYmYiOjE1MDI0Mjc5NDIsIm5vbmNlIjoiYWU0MTZlZjQwNDc4NDkwNmI5NTg3MDkxY2I0ODhjZjUiLCJpYXQiOjE1MDI0Mjc5NDIsImF0X2hhc2giOiJIWEhKWl9LdkdfcnVwMXZQY1lKYWRnIiwic2lkIjoiNjY0M2Y0NjlkMGY3YzgxZWQ3MDFhZmQ5MmYzYzFiMDYiLCJzdWIiOiIxIiwiYXV0aF90aW1lIjoxNTAyNDI3NDYxLCJpZHAiOiJpZHNydiIsImFtciI6WyJwYXNzd29yZCJdfQ.ai98BnTEqWQDBT9BPMJmft-KVgC9nLR2fQCpWW95E-CqyW0vrVtgXTh-ExDAXcQGrl2CzEf0a-7B2SnfAJ9qwSFmn4T--bZMKnoN2YnsHdbad9rhCGOvKEDI0NCfTlDYFQ03ZUdZVW27hYJO6Bbt8FeJPBIv3Ko7MV40gqDGojZ74twO_YZOIzJNJGDmIysquD_hRGU75xTz41MBuMob3FMzmLegIOYqUDFz6A8VrFEL3j1Cgo67sp7IP4RQ9uJj56kU8DI4mZR6YCFp3QdLtYqQPVO6zkO1OhpeDVyZNffC1PbFDsJ5lhPRicZ5MZo-m8eMVSNis6X5fWhuuC9kAg",
"session_state": "0JCstb_hlFJAAw30DwbPoV6mDvg01QRbZ-H4N2TyFcY.03e0a811c45d02838f745a3b369ecabc",
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo0NDMwMCIsImF1ZCI6Imh0dHBzOi8vbG9jYWxob3N0OjQ0MzAwL3Jlc291cmNlcyIsImV4cCI6MTUwMjQyODAwMiwibmJmIjoxNTAyNDI3OTQyLCJjbGllbnRfaWQiOiJqcyIsInNjb3BlIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCIsImFwaSJdLCJzdWIiOiIxIiwiYXV0aF90aW1lIjoxNTAyNDI3NDYxLCJpZHAiOiJpZHNydiIsImFtciI6WyJwYXNzd29yZCJdfQ.A6Dj10rBKN2CIo1wLfj_stuNXq-QH66sfdhuQiqqMGXcTQ88VnWcgCo13_br8_-gBb0fTGkdHRHZAP5oHbYtiJA9AAMO7Z8R_JsrVdYSaK9SXpRMuKdEhYTK1BQjVPsU04hHJAIEPQZ0i8MKE3FOsyoDEMOfXdVR8oY9vqEpN5X1AYQ4ia_aB_cHPzOUYccr1B5nn4VWl47D-BW6bf4v60P0wHx1uSYeTN_N3J9nbgEXqvLY6ED978jFRvFz7zllHWkIZSxM91Mu-uyIKa6-MRNuYvbtejdNtDzPpUjWDnAsYhL-AyxKaqq1prACkCxESpPXUggl2jMH8hWbl8lX4w",
"token_type": "Bearer",
"scope": "openid profile email api",
"profile": {
"sid": "6643f469d0f7c81ed701afd92f3c1b06",
"sub": "1",
"auth_time": 1502427461,
"idp": "idsrv",
"amr": [
"password"
],
"given_name": "Bob",
"family_name": "Smith",
"email": "bob.smith@email.com"
},
"expires_at": 1502428003
}
I would like to know the purpose of "expires_at": 1502428003, and what the format of this property is: is it returning ticks, milliseconds, seconds, or something else?
Is there any relationship between this property "expires_at": 1502428003 and silent renew, i.e. new Oidc.UserManager().signinSilentCallback();?

I came across this question trying to find out what format is used for auth_time and expires_at.
Finally, I found the answer in the OpenID Connect spec and thought I should add it here since this question has never been answered.
Both auth_time and expires_at are datetime values expressed as the number of seconds since 1970-01-01T00:00:00Z.
What purpose they serve, I suppose, is to be used in the client app depending on your needs, but you might need to convert them to a more useful datetime format. Maybe you have rules about how old a token is allowed to be; maybe you want to check how soon the token expires.
In my project, I have a C# class that has been deserialized from a JSON token, and I capture expires_at as an integer, then add it to the date above as seconds to get the C# DateTime for the expiration of the token.
// Deserialized from the token response: seconds since the Unix epoch (1970-01-01T00:00:00Z).
// long rather than int so the value keeps working past January 2038.
public long Expires_At { get; set; } = 0;

// Returns the expiration as a UTC DateTime. The epoch must be created with
// DateTimeKind.Utc; Convert.ToDateTime("1970-01-01T00:00:00Z") would return a
// local-time DateTime and shift the result by the machine's UTC offset.
public DateTime GetExpirationTime()
{
    var jan1970 = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    return jan1970.AddSeconds(Expires_At);
}
For example, a value of 1537481262 for Expires_At results in 2018-09-20T22:07:42 when added as seconds to jan1970.
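As an added example (not code from the question, from IdentityServer or from oidc-client-js), the following JavaScript turns expires_at into a Date and into the valid/renew/expired decision that the silent-renew part of the question is about; it goes beyond the question by also accepting a relative expires_in, the shape Google's credentials object has in the related thread further down this page. The sample objects, the function names and the 60-second renew lead time are constructed assumptions.

```javascript
// Added example (not from the question or from oidc-client-js): interpreting
// expires_at, which is Unix time in SECONDS (UTC), while JavaScript Dates use
// MILLISECONDS.

// Constructed sample, trimmed from the IdentityServer response in the question.
const idsrvResponse = { token_type: "Bearer", scope: "openid profile email api", expires_at: 1502428003 };

// Constructed sample in Google's shape: a relative lifetime, not an absolute instant.
const googleCredentials = { token_type: "Bearer", expires_in: 3600 };

// Normalise either shape to an absolute expiry in Unix seconds. A relative
// expires_in is anchored to the client's clock at the moment the response was
// received (receivedAtSeconds), which is what an absolute expires_at already encodes.
function absoluteExpiry(resp, receivedAtSeconds) {
  if (Number.isInteger(resp.expires_at)) return resp.expires_at;
  if (Number.isInteger(resp.expires_in)) return receivedAtSeconds + resp.expires_in;
  throw new Error("response carries neither expires_at nor expires_in");
}

// Render the expiry as a Date for logging or display (seconds -> milliseconds).
function expiryAsDate(resp, receivedAtSeconds) {
  return new Date(absoluteExpiry(resp, receivedAtSeconds) * 1000);
}

// Decide what the client should do at time nowSeconds. renewBeforeSeconds is the
// lead time that lets a silent renew finish before the token actually expires.
// This check only saves the client a rejected round trip: the API must still
// validate the token's own exp claim and signature on every request.
function tokenState(resp, receivedAtSeconds, nowSeconds, renewBeforeSeconds = 60) {
  const remaining = absoluteExpiry(resp, receivedAtSeconds) - nowSeconds;
  if (remaining <= 0) return "expired";               // drop it; re-authenticate
  if (remaining <= renewBeforeSeconds) return "renew"; // e.g. userManager.signinSilent()
  return "valid";
}

console.log(expiryAsDate(idsrvResponse).toISOString());            // 2017-08-11T05:06:43.000Z
console.log(tokenState(idsrvResponse, 0, 1502427900));             // valid
console.log(tokenState(googleCredentials, 1502427900, 1502431450)); // renew
```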

Related

Encrypt an id in Rails URL and access it on separate Front end?

I have a Rails API with minimal authentication - just a simple bearer token hooked up to Auth0.
I have one endpoint which looks like this:
mysite.com/api/users/1/calendar.ics
The URL is unauthenticated, to allow people to subscribe to their calendars.
I'm basically trying to hide the id, and change it to a SecureRandom hex or something, so that other users can't just change the id and see other individuals' calendars.
How would I achieve this?
My front end would need some way of knowing what the encrypted string was, and since we only have bearer token auth, I'm not sure if it's secure enough to just pass the calendar URL in authenticated responses for users/1, for example:
{
"id": 1,
"name": "John Smith",
"email": "email@email.com",
"intro": "string",
"calendar_url": "mysite.com/api/users/jUhGtDhajaluyt34/calendar.ics",
"created_at": "2021-05-13T16:15:09.748Z",
"updated_at": "2021-05-13T16:15:09.748Z"
}
Is delivery of the URL like this even a valid concern?

MS Team[BETA] API for Message object property type for reaction

I am trying to create the schema for the Message API.
As per the documentation, the sample response properties for reaction are below.
Documentation sample response:
"reactions": [
{
"reactionType": "like",
"createdDateTime": "2019-01-21T19:55:51.893Z",
"user": {
"application": null,
"device": null,
"conversation": null,
"user": {
"id": "e1ecb745-c10f-40af-a9d4-cab946c80ac7",
"displayName": null,
"userIdentityType": "aadUser"
}
}
}
]
From the documentation user is Identity type identity set
Identity is of type:
{
"displayName": "string",
"id": "string",
"tenantId": "string",
"thumbnails": { "@odata.type": "microsoft.graph.thumbnailSet" }
}
In the sample response, as well as in the response from the endpoint, tenantId is not present.
There is a difference between the sample response/actual endpoint response and the documented properties:
one has tenantId and the other does not.
The user is one level deep as per the property documentation, but in the actual response and the sample response the user property has a nested user within it.
What is the correct schema of the reaction property that we should consider, given that we see variation between the documentation and the actual response?
OK, I think I understand: you're just asking what you should be coding for / expecting when you query the API. It looks to me like the first link you've posted is the more correct one, but you can verify this by using the Graph Explorer. This response does NOT bring back "tenantId", but you haven't explained if you -need- tenantId. If so, there are other ways to get it.
@KritikaVohra, consider the response that you receive from https://graph.microsoft.com/beta/teams/{id}/channels/{id}/messages. You don't need the tenant id here. In case you need it in a conversation, you can get it from turnContext.

What should i do with google oauth response?

So, I've got this response from Google upon authentication:
{
"user": {
"id": "116807551237969746774",
"email": "123456@gmail.com",
"verified_email": true,
"name": "John Doe",
"given_name": "John",
"family_name": "Doe",
"picture": "https:\/\/lh3.googleusercontent.com\/-XdUIqdMkCWA\/AAAAAAAAAAI\/AAAAAAAAAAA\/4252ldubv5M\/photo.jpg",
"locale": "en"
},
"credentials": {
"access_token": "ya29.GlsSBIA_hMKZIDE_wqJAJS0vrHD_Wd2HfwRTTvLISv0i1uFICCqz4JdEZcL09mFFlGdt71D9pW80SLShHgyeSOZgnWcL5piL5m0jYo1TMU6o0fDLnqGAWm6BY-Wl",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "1\/az_TmhPRaYG5NDH6L9gBeNo6STOD9EbTt1VkkBmp3IQ",
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjBlNmExN2I2YjU4MGIzNTFmMGQ5YmEzMzY2YTU0Y2U1NmViOWIxN2UifQ.….BHv5BP3ZsagvunfMzGLwmxkBdtoRocPa_PXdq2lrd4D9BoFGkK06eJVbNNbcPOFdAMba3V5lIIG_L499gIy3TTz_PIHBPi6DMSp6uyfkCwf2n-PspZtTbTRlUm5ZvRdAyPEEyLLkWllKkMsRk-Nwp3vhyOLnExzH7SXiEefU4kaXXCpjsHV3GvZ-yhrmNlicEY3TPLwI-tl_lydXTBXRRiPZBGWjHK75hqvQzUktC2Flimd7JnCLhF0FOS3yFKc5D11WPKMOO4YkIQDbBrKY64vyxQAd-Zb2KfvXZi6Dorq7IJF6sK2GAfI3edSaoMZBMa0-x2V7FuFIBLtTgGRnsw"
}
}
I haven't found documentation on what I should do with the credentials part of this response. What should I use for user identification? What should be saved as a token on the client side (iOS/Android app) in order to revive the session? What does expires_in: 3600 mean and what should I do about it? What does token_type: Bearer mean and why do I need it? Etc.
Thank you, @pinoyyid, for the clarifications!
The main thing I was looking for is this:
On the server side, get the access_token property from credentials and verify it using this URL:
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={your access_token}
Do whatever you want with the rest of the provided data.
Personally, I'd prefer to generate my own token, save it on the client side and use it to revive the user's session (to verify their identity). Once the token is lost for whatever reason, the user will just go through the whole process again.
What should I do with the credentials part of this response?
Rejoice, for you have done the hard part.
What should I use for user identification?
Anything you like, or nothing at all. It depends on your app's use case.
What should be saved as a token on the client side (iOS/Android app) in order to revive the session?
The Refresh Token. Note that "revive the session" is the wrong terminology. In OAuth/REST, there are no sessions.
What does expires_in: 3600 mean and what should I do about it?
It is saying that the Access Token will expire in 1 hour (3600 seconds). What you should do is use the Refresh Token to acquire a new Access Token by POSTing it as described at https://developers.google.com/identity/protocols/OAuth2WebServer#offline
What does token_type: Bearer mean?
It means the Access Token should be placed in an HTTP Authorization header whenever you try to access a Google API, e.g. Authorization: "Bearer aaaaaaa", where aaaaaaa is the Access Token.
And why do I need it?
To prove to Google that your app has been given permission to access a Google resource (e.g. a file in Drive) by the owner of that resource.

Unable to create course via api

I am trying to create a course in a semester through the API in Valence (D2L). I keep getting a 404 Not Found error, both in my program and in the "getting started" application. The call I am making is a POST to /d2l/api/lp/1.0/courses/. I pass the following JSON object along with it:
{
"Name": "COMM291 - Test A",
"Code": "C-COMM291",
"Path": "/enforced/C-COMM291/",
"CourseTemplateId": 20992,
"SemesterId": 20993,
"StartDate": "2013-08-22T19:41:14.0983532Z",
"EndDate": "2013-08-27T19:41:14.0993532Z",
"LocaleId": 4105,
"ForceLocale": false,
"ShowAddressBook": false
}
I have also tried passing null for the fields that say they accept null values, but no luck. The course template and the semester ID are correct: I have triple-checked that they exist, I am enrolled in them and I am using the correct ID numbers.
Try reducing the precision in your start and end dates to three decimals after the final point (e.g., "2013-08-22T19:41:14.0983532Z" becomes "2013-08-22T19:41:14.098Z").
If your org is configured to automatically enforce, and generate, paths for course offerings, then you should not provide one in your CreateCourseOffering block at all. The following structure works on our test instance: notice the empty string for path (shouldn't be null, but an empty string, I believe):
{
"Name": "Extensibility 104",
"Code": "EXT-104",
"Path": "",
"CourseTemplateId": 8082,
"SemesterId": 6984,
"StartDate": "2013-09-01T19:41:14.098Z",
"EndDate": "2013-12-27T19:41:14.098Z",
"LocaleId": 1,
"ForceLocale": false,
"ShowAddressBook": false
}
The other thing to note is that if your CreateCourse form doesn't have a form element to provide a Semester ID, then your API call should pass null for that property.
I found that part of my problem was with the call: if I change it to /d2l/api/lp/1.3/courses/ instead of 1.0, it works (1.0 will work, but it seems that you can only pass null for the semester).
The dates were also picky and did prefer milliseconds to only 3 decimal places.
Then passing null for LocaleId also helped.

Retrieving date of birth with Google OAuth API

Does anyone know how to retrieve the D.O.B. through the Google OAuth API? I am able to get other information like name, email and gender by setting the scope to https://www.googleapis.com/auth/userinfo.profile. But I am not able to get the D.O.B. with this scope.
I definitely get it for my account:
{
"id": "108635752367054807758",
"name": "Nicolas Garnier",
"given_name": "Nicolas",
"family_name": "Garnier",
"link": "https://plus.google.com/108635752367054807758",
"picture": "https://lh4.googleusercontent.com/-K1xGP8W20xk/AAAAAAAAAAI/AAAAAAAABhY/Cs_4qr30MxI/photo.jpg",
"gender": "male",
"birthday": "0000-08-25",
"locale": "en"
}
All I did was authorize for the https://www.googleapis.com/auth/userinfo.profile scope and then send a GET request to https://www.googleapis.com/oauth2/v2/userinfo
First make sure that the Google+ account that you are testing with has a birthday set (of course), then try the request on the OAuth 2.0 Playground, for instance: https://code.google.com/oauthplayground/#step1&apisSelect=https%3A//www.googleapis.com/auth/userinfo.profile&url=https%3A//www.googleapis.com/oauth2/v2/userinfo
It seems you have to send 2 requests:
https://www.googleapis.com/plus/v1/people/me (oauth v1)
https://www.googleapis.com/oauth2/v2/userinfo (oauth v2)
to get both the Google+ profile data and the Google account data (there you get the date of birth and also the locale if you need it).
I use Scribe and it works OK. Set two scopes ("https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.me") and send two requests for both REST links.