I have integrated tokbox in my app for live call, signaling.
My problem is session & token expire at every 1 hour. So is this valid?
What is the validity(time limit) of any session & token?
How to solve this problem
please guide us.
thank you.
OpenTok sessions do not expire. However, authentication tokens do expire. Also, note that sessions cannot explicitly be destroyed.
OpenTok tokens expire after a set period of time (max up to 30 days). You can specify the expiration period when you generate the token. Read this https://tokbox.com/developer/guides/create-token/
While working on a test version of your app, you can obtain a test session ID and token using the Dashboard page. But every production OpenTok application should be generating these values dynamically on a server, using one of their many Server SDKs (PHP, node, Ruby, Python, .NET, Java)
Related
I have developed an express app that's purpose is to send emails. I authorized an email sender using googles oauth2 playground, and their google api. I wanted to use this strategy rather than working with a third party email sender to not be subject to vendor lock-in. I had the system working successfully, but after a day it stopped working with "invalid-grant". In production, I'd like to have a permanent email address (under their google workspace) that is solely dedicated to these bot emails. The oauthplayground says you can avoid the 24 hour expiration, but I recall doing that before and it eventually came up with invalid grant. Is there a better way to set up a bot like this? Or should I just try the oauth playground and using the config panel to avoid the refresh token expiration again?
To start with let me say that invalid-grant means that your refresh token is no longer valid. It is no longer valid because googles oauth2 playground is intended for use for testing purposes only.
Access tokens will expire in less than an hour and refresh tokens created using it will expire in 24 hours.
While it is possible to configure it to uses your personal client id and client secret it is still not the optimal way to go
Even using this method for production is not going to work well for you. If your app is still in testing phase then your refresh token is goin to expire in seven days. You will need to set your app to production in order to have a refresh token that does not expire.
The issue then becomes that in order to use the gmail api your going to need to have your application verified. You can not verify your application using the googles oauth2 playground as a redirect uri as you can not verify that you own this domain.
The solution to your problem is to create an application of your own hosted on your domain. This will allow you to create the credentials you need and have your app verified by google.
under their google workspace
You made one comment that is not clear. If you are using google workspace then why not just set up a service account with domain wide delegation to the user on the domain. You will avoid all the issues you are having above.
Application is intended to be used by the company for managment of intercompany documentation. These documents can contain valuable information, so it must be secure application. I am using Oauth2 with access and refresh tokens. Access token is valid for 15 minutes and refresh token is valid for 1 day.
I have not found any recommended lifetime for tokens.
Is 15mins for AT and 1 day for RT good? If yes, why these values are good enough OR are not good enough?
What is optimal lifetime for AT and RT for application which must be really secure.
Thanks a lot!
Gmail vs. bank accounts.
I can't tell where your business falls under. You should sit in in a meeting with your product team and explain what happens and let them decide. It's ok if it takes some try and error to get the right number.
But for Gmail the refresh token almost never expires. I can't think when was the last time I had to enter my credentials again.
For banks, the refresh token seems to be valid for only 10 minutes and if you background the bank app then you won’t be able to get a new refresh token and so you get signed out. Like my bank of America app. If I keep the app open then the app will continue to refresh the token.
And obviously refresh token expiry time should be more than your average user's session time.
I'm working today on a partner environment related to Google Home.
Concretely, when I use google home to give orders on devices, Google calls my API to execute them (as it does with Philips Hue, Netatmo etc ...).
My problem is this: I use keycloak for OAuth management. the Google console has been configured to use it and it works. However my refresh_token expire and this forces the user to delete the linked account and then postpone it.
My question is this: Does Google expect to get an infinite refresh_token after giving its authorization_code? Or I missed something, because Google does not seem to restart the normal connection procedure.
Keycloak 3.2, Google homegraph action-on-google
Typically, yes, Google assumes the refresh_token has either no expiration or an extremely long expiration period. But it does acknowledge that the refresh_token can either expire or be revoked. In that case, you need to make sure your OAuth server returns HTTP code 400 with the OAuth error invalid_grant.
I personnaly consider a good practice to revoke refresh tokens after an period of inactivity.
This gives a pretty good user experience while keeping the database updated.
I am implementing an App Store for my application where third-party developers can build there own apps based on my API. I have everything working and understand the concepts of OAuth 2.0, but I don't see how an external app can have timeless access with an access code that expires after one hour. Now you can use a refresh token to request a new one, but that one expires after some time too.
So how can an external app continuously connect to my API when the user of that app allows it only once?
My authorization codes expire after 10 minutes, the access tokens after 1 hour and the refresh tokens after 2 weeks.
I don't see how the app can retrieve data after those periods of time without the user re-allowing/re-installing the application through oauth.
How are bigger companies like Facebook etc. approaching this? Do they have an access token that never expires?
Expanding on my comment, the general recommendation when using bearer tokens is that their lifetime should be reduced in order to mitigate the impact of an access token being compromised.
On the other hand, asking the user credentials every hour or so would be an UX nightmare so OAuth 2.0 has the notion of refresh tokens which will normally have a longer lifetime allowing the application to request a new access token without requiring user intervention.
I'm unfamiliar with the implementation details around Facebook persistent tokens so I won't comment on that, but they are most likely safe. However, you're not Facebook, so my recommendation would be for you to follow public standards like OAuth 2.0/OpenID Connect instead of trying to provide a customized approach.
Regarding your comment about refresh tokens that never expire, it's an acceptable solution, but their lifetime is just one part of the equation. You should consider if they are multi-use or single-use, they can only be used by the client application that they were issued to, they should not be used by browser-based applications due to the difficulties of ensuring secure storage, etc.
I need to understand if a refresh token from OAuth 2.0 for Google data expires or not if unused for more than 6 months?
At many places it is called out that it doesn't expire and at some places it is said that it will expire if unused for 6 months.
For example, in this question, the accepted answer says that it never expires but one of the comments suggest that it can expire if unused for 6 months.
This Google doc calls out that refresh token will never expire while this doc says it can expire if not used for 6 months.
Although I am using a safety check for the cases where refresh token is expired due to any reason, but still want to make sure I understand the behavior correctly.
You are correct the two pages Using OAuth 2.0 for Web Server Applications and Using OAuth 2.0 to Access Google APIs don't have the same information.
Using OAuth 2.0 to Access Google APIs is correct.
You should write your code to anticipate the possibility that a
granted token might no longer work. A token might stop working for one
of these reasons:
The user has revoked access.
The token has not
been used for six months.
The user account has exceeded a certain
number of token requests.
There is currently a 25-token limit per Google user account. If a user
account has 25 valid tokens, the next authentication request succeeds,
but quietly invalidates the oldest outstanding token without any
user-visible warning.
If you need to authorize multiple programs, machines, or devices, one
workaround is to limit the number of clients that you authorize per
user account to 15 or 20. If you are a Google Apps admin, you can
create additional admin users and use them to authorize some of the
clients.
A refresh token that hasn't been used for 6 months will expire.
I have sent in a bug report on the first URL. Google should clear up the discrepancy the next time they go though the documents.