As a user, how do I revoke authorization given to an app?
Or as an app, how do force a new authorization?
I did not see anything in the user page or in the API documentation regarding revoking:
https://accounts.autodesk.com/users/{{user}}/view
https://developer.autodesk.com/en/docs/oauth/v2/reference/http
No way to revoke from the admin console at the moment unfortunately. As an App you may request different set of scopes which should trigger the user to authorise it again
Related
I am about to embark on adding a 'post to Twitter' feature on a web application.
It appears 3-legged OAuth is the only option for this. The developer documentation states however that "The user will always be prompted to authorize access to your application, even if access was previously granted."
https://dev.twitter.com/oauth/3-legged
This doesn't seem like a very good experience for the user and confusingly this is not what happens on services like Hootsuite. Have they organised an agreement with Twitter so users don't have to keep authorising the app?
Use the Sign-in With Twitter flow, and store the access token that the user receives when they grant access to your app. Then there's no need to go down the oauth/authorize route every time.
I'm developing an integration with LinkedIn for my company, and I'm noticing this behavior when switching between different development environments:
I have an active LinkedIn account on EnvA
I authorize the same LinkedIn account on EnvB
The account on EnvA is immediately denied on all API requests with an error of "Unable to verify access token"
So it seems like there can only be one active access token per LinkedIn user at one time? Is it correct behavior for an existing access token to become invalid upon generation of a new one, even if the other access token is on a different domain?
Thanks,
Matt
Requesting a new access token for a user invalidates any existing tokens. You can only have one functional token per app per user at a time.
I'm writing an app that needs to periodically get reports and update campaigns for a few users. The app can access their accounts now when they login and authorize, but what I want/need is for oauth to give access to the app to access their accounts whenever the script has to run. Is this possible?
Yes, it's possible. The relevant documentation is here.
You need to add access_type=offline to your request for an authorization code. The user will then be prompted to grant offline access to your script in the consent screen, and once he accepts, the response to your app will include a refresh token. Refresh tokens don't expire and can be used to generate new access tokens.
Note that if you lose a refresh token, you'll need to request authorization from your use again, this can be done by including prompt=consent in the request.
I have a website where people can post blogs. I want the blogs to be automaticly posted to a Linkedin account connected to the website. So the person posting the blog is not the owner of the linkedin account.
I use the Sharing API from LinkedIN to do this, but this requires the administrator of the linkedin account to refresh the Oauth token every 60 days. I know this is a security thing to prevent illegal use of accounts. But in this case its always my own linkedIN account. Is there a way around this? mabe by using the app key and secret instead of the acces token?
The LinkedIn API docs (https://developer.linkedin.com/documents/handling-errors-invalid-tokens) say:
In the case the access token is already expired, your application will
go through the same authorization flow as previously described.
However, the login dialog will be shown to the user as they will need
to grant access to your application again.
so there's no way around that. But what you could do is go through this flow before the access token has expired. The docs say:
Simply have your application go through the authorization flow in
order to fetch a new access token with an additional 60 day life span.
When the following conditions exist:
User is still logged into Linkedin.com The current access token isn't
expired (within the 60 life span) We will automatically redirect the
user back to your redirect_uri without requiring them to reauthorize
your application. If they don't exist, we'll prompt them to login and
then redirect them.
I've read through documentation where possible but unable to figure out this basic question. When using Oauth with Twitter in my web application, does it require the user to be logged into Twitter everytime?
For example, if a user authorises their account with my website, in future sessions, if they complete an action that posts to their twitter stream, will this occur without any problems, or would they need to re-sign in via Twitter?
Thanks guys!
The OAuth authorization actually allows your application to access their account whenever it wants. So the users do not even need to be there doing something with your web application to allow it to tweet something or such.
Your application is then able to use the key and token which it received in the authorization process to tell Twitter any time "hey, I am authorized to use this account" and basically works as the application's personal login credentials for that account.
No, they only need to be logged into Twitter when they go through the initial OAuth authorization. After that, your site talks directly to the Twitter API using tokens that it saved from earlier.
Ok I've setup a test-case and it looks like I was a bit wrong:
oauth_token, oauth_token_secret are unique for each user and they never change, so if you store them in your database you can reuse them. No matter if the user is logged in to twitter or not.
No, they will normally not need to re-authorize. If the token is revoked, however, they will, and your application needs to be able to handle this (by allowing them to do so). In general, this is true for any SSO system.
A twitter user can explicitly revoke an application's token at the provided page.