I am integrating fitbit in my application and I don't want the user to redirect every time to SafariViewController to get the access token, for that i am storing the Access Token, but after 24 hours the Access Token is expiring.
In the API of fitbit Fitbit OAuth 2.0 there is a parameter expires_in which is used to define the expiration time of Access Token, In that parameter i am passing 31536000 for 1 year, but after that also the Access Token is expiring in 24 hours, and after that i have to redirect the user to SafariViewController.
So, is there any workaround so that i don't have to redirect user to SafariViewController, any methods through which i will refresh the token in background, something like that.
Any help would be appreciated.
Cheers !!!!!
You dont need to set any expires_in value to your access_token. The expire of access_token is checked in the fitbit server not in your server. So by setting the expires_in will not work. Instead you will get are refresh_token along with your acess_token after Fitbit authorization.By calling the
$result=$fitbit_object->getRefreshtoken(YOUR_REFRSH_TOKEN);
The result will contains new access_token and refresh_token.Store/update them in you db. So when you want to use the aceess_token , you can use the new refresh_token to refresh your access_token . Its simply works for me.
Related
The GitLab access_token has an expiry time of 2hours, similarly does the refresh_token also has some expiry time?
Because sometimes, when I use the refresh_token to get new access_token it throws invalid_grant error.
I am thinking refresh_token does not have any expiry_time.
I am thinking refresh_token does not have any expiry_time
Indeed but they are linked to access_token.
In "Supporting Expiring OAuth Access Tokens for GitLab", GitLab explains:
How do you handle expiring tokens?
Once a token has expired, your API requests will fail and you will be
prompted by GitLab to generate a new token.
To do this, you must make another request to GitLab’s OAuth endpoint.
Much like the initial link, you must provide your application’s Client
ID and Client Secret, but instead of passing the linking code, you
will pass in the user’s refresh token.
This will invalidate both the existing access token (if it is still valid) and the refresh token you just used, and return a new
access token and refresh token.
The access token will be valid for another two hours. You will need
to store the new refresh token, as this token will be used the next
time you request a new token.
Just implemented an OAuth2 authentication with AWS Cognito and came across this issue:
I am re-generating an id_token with my refresh_token using this endpoint:
/oauth2/token
grant-type: refresh_token
but when my refresh_token is expired, I don't want the user to go through the login process again.
Is there any way of "refresh the refresh_token"?
Also, I don't want my refresh_token to have infinite (or 9999 years) of validity time.
What should I do?
Thank you.
No you cannot get a fresh refresh token without having the user sign in again. That's the whole point of a refresh token. You can have a refresh token for a reasonable time like a month and then forcefully invalidate it if user signs out though.
Box api refresh token would expire if the token is not used for 14 days.
So how would I know the refresh token has been expired? Any exception would be thrown in android box api? Or what I need to do is to show the login view again?
UPDATE:
i know that android sdk would auto refresh access token using refresh token. But how about the refresh token, how to handle its expiration?
Thanks
The next API call with return an error, and the details will tell you that the authorization token has expired.
When that happens, you should call the /tokens endpoint to do a refresh grant. See more details in OAuth2 tutorials in the section on "Using the Access and Refresh Tokens"
Also, note that we've extended the refresh token to be valid for 60 days. It is still a 1-time use token, but even if your users don't use your application for 59 days, it will still work to get them a new Access Token.
We are working on a project that uses Asana's API for integration. When a user authorizes the app to use Asana, we get the access token which is valid for an hour. In addition to that we also get a refresh token that can be used to renew the access token in future.
Could you please let us know how long will that refresh token stay valid for?
Refresh tokens are valid for 10 years, or until the user explicitly revokes the authorization.
I'm using oauth2 on a web server and the flow works flawlessly (https://developers.google.com/accounts/docs/OAuth2WebServer).
However, I have some situations in which I need to re-acquire a refresh_token (let's say for example that the refresh_token has been "lost").
In this case when I go through stages 1&2 again I only get an access_token and not a refresh_token.
If the user revokes permission through his google account console and goes through stages 1&2 again I will get a new refresh_token.
Is this known oauth2 behavior? is there a way to force a new refresh_token or getting the same one again?
From https://developers.google.com/accounts/docs/OAuth2WebServer:
Important: When your application receives a refresh token, it is important to store that refresh token for future use. If your application loses the refresh token, it will have to re-prompt the user for consent before obtaining another refresh token. If you need to re-prompt the user for consent, include the approval_prompt parameter in the authorization code request, and set the value to force.
Butter Answer is here. You have to add parameter approval_prompt=force in your post request for token.