Bitbucket API access token expiry

I am making an app which integrates with Bitbucket using OAuth.
My question is how do I get the token details such as the token expiry date or the token permissions.
Is there any endpoint on the Bitbucket API which will give me these details?
SOLVED: Bitbucket tokens have an expiry time of 1 hour, after which we need to use the provided refresh token to refresh our access token.

Bitbucket doesn't have a published method to query an access token.
You can see all the OAuth methods here:
OAuth on Bitbucket Cloud
It probably doesn't matter, since they expire tokens every 60 minutes, so you would most likely need to request a refresh anyway. And in the refresh it will give you a new access token, and tell you the expiry again (in 60 minutes) and also the permissions (scopes) you were asking about.
A refresh response doesn't need to occur within the 60-minute limit, so you just refresh when you are about to use it. It will respond with:
{"access_token": "", "scopes": "", "expires_in": 3600, "refresh_token": "", "token_type": "bearer"}
where the permissions would look like: "wiki pullrequest project team account"; they are also listed under the linked page above (in the Scopes section).

Related

Can refresh tokens expire for GitLab OAuth?

The GitLab access_token has an expiry time of 2 hours; similarly, does the refresh_token also have some expiry time?
Because sometimes, when I use the refresh_token to get a new access_token, it throws an invalid_grant error.
I am thinking refresh_token does not have any expiry_time.
"I am thinking refresh_token does not have any expiry_time"
Indeed, but they are linked to the access_token.
In "Supporting Expiring OAuth Access Tokens for GitLab", GitLab explains:
How do you handle expiring tokens?
Once a token has expired, your API requests will fail and you will be
prompted by GitLab to generate a new token.
To do this, you must make another request to GitLab’s OAuth endpoint.
Much like the initial link, you must provide your application’s Client
ID and Client Secret, but instead of passing the linking code, you
will pass in the user’s refresh token.
This will invalidate both the existing access token (if it is still valid) and the refresh token you just used, and return a new
access token and refresh token.
The access token will be valid for another two hours. You will need
to store the new refresh token, as this token will be used the next
time you request a new token.

Request short-lived accessToken from AzureAD

When authorising via OAuth2 and Azure AD, the expiry of the access_token I'm receiving is set to 3599 seconds, just shy of 1 h. Is there any way to specify in the POST request to the token endpoint that the expiry should be less than this?
Cheers
Yes, the default lifetime of an access token is 1 hour. If you want to customize the expiration time (increase or decrease) of the access token, you need to use PowerShell to create a token lifetime policy, and then assign the policy to the service principal to set up a custom token lifetime.

Should you replace your refresh token after getting a new one for Microsoft Graph API

Since the access token is short-lived, I used the refresh token to get a new access token. A successful token response will include the following (example from the Microsoft API doc):

```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
  "token_type": "Bearer",
  "expires_in": 3599,
  "scope": "user.read%20mail.read",
  "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4..."
}
```

I have read that the lifetime of the refresh_token is valid until revoked or 90 days of inactivity. Since I'm getting a new refresh token, do I need to replace the old refresh token with this new one? If I do, how do I delete the old refresh token?
Thanks!
Like access tokens, refresh tokens will also expire, but they are rather long-lived, i.e., 90 days maximum. Once the refresh token expires you need to authenticate to the application again to get a new access token and refresh token.
Also please refer to the MS documents.

Is there a way of getting an Uber API authorization code whose expiry period is beyond the default 10 minutes?

I would like to request Uber cabs on behalf of an Uber user, but first the user needs to permit the app to have access to his profile and to send requests on his behalf. However, the returned authorization code that I can use to get the access token in order to send requests on the user's behalf is only valid for 10 minutes, and my requirement needs me to send requests even 24 hours later.
Is there a way to get a permanent authorization code or access token that never expires, or at least one that lasts for a long period, e.g. a month?
RFC 6749 says the following in 4.1.2. Authorization Response:
code
REQUIRED. The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code
Therefore, it is hopeless to expect an authorization code with a longer lifetime than 10 minutes. So, you should exchange an authorization code for an access token at the token endpoint immediately, using the way described in 4.1.3. Access Token Request.
If Uber's authorization server issues a refresh token when it issues an access token, you can expect it to have a longer lifetime than an access token. You can use a refresh token at the token endpoint in order to get a new access token. See 6. Refreshing an Access Token for details.
If the lifetime of access tokens and refresh tokens issued by Uber is less than 24 hours, you have to change the flow of your application.

How to check whether the access token is expired or not?

I am following the OAuth 2.0 authentication protocol.
There, it's said that in the Authorization Code flow, after getting the OAuth access token, we need to refresh it using the refresh token if the access_token is expired.
My question is how do we know whether the access_token is expired or not, so that we can claim a new access token with the help of the refresh_token?
Your token array should look like this one:

```javascript
// assume your token will expire after 30 minutes
const expires = Date.now() + 30 * 60 * 1000;
tokens[token] = { userID: userID, clientID: clientID, expires_in: expires, refreshToken: refreshToken };
```

In your protected route you should compare the current time with that expiration. If the token has expired, you will issue a new token using the refresh token.
Just remember the time when the access token will expire when you get it. When you obtain the access token you can check the expires_in parameter. See the OAuth 2.0 specification: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.4
You should also handle the Invalid Token error and get a new token when the old one is expired. See the description: https://www.rfc-editor.org/rfc/rfc6749#section-1.5
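The threads above all circle the same three points: `expires_in` in a token response is relative, so the client must record an absolute expiry and check it before each use; the refresh-token grant returns a new access token and (at GitLab and Microsoft) a new refresh token that must replace the stored one, because the old one is invalidated; and a rejected refresh (`invalid_grant`) means the user has to authorize again. The following is an added example, not code from any of the answers or providers above, that puts those points into one small token manager. The token endpoint is modelled by an injectable callable (a constructed stand-in that rotates refresh tokens the way the GitLab quote describes), the sample token responses are constructed, and the 60-second clock-skew margin is an assumption.

```python
"""Added example: track OAuth 2.0 access-token expiry, refresh before use,
and rotate the stored refresh token. Nothing here is provider-specific code."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CLOCK_SKEW_SECONDS = 60  # assumption: refresh this many seconds before nominal expiry


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # absolute time (epoch seconds), derived from expires_in
    scopes: str

    @classmethod
    def from_response(cls, resp: Dict, now: float) -> "TokenSet":
        # expires_in is a relative lifetime (RFC 6749 section 5.1); store it as an
        # absolute instant so later checks do not depend on when the response arrived.
        return cls(
            access_token=resp["access_token"],
            refresh_token=resp.get("refresh_token"),
            expires_at=now + float(resp["expires_in"]),
            # Bitbucket returns "scopes", Microsoft/GitLab return "scope"
            scopes=resp.get("scope") or resp.get("scopes", ""),
        )

    def is_expired(self, now: float, skew: float = CLOCK_SKEW_SECONDS) -> bool:
        # Treat the token as expired slightly early so a request sent just before
        # expiry does not arrive at the API after it.
        return now >= self.expires_at - skew


class TokenManager:
    def __init__(self, token_endpoint: Callable[[Dict], Dict], initial: Dict,
                 now: Callable[[], float] = time.time):
        self._endpoint = token_endpoint  # callable modelling POST to the token endpoint
        self._now = now
        self.tokens = TokenSet.from_response(initial, now())
        self.refresh_count = 0

    def get_access_token(self) -> str:
        """Return a usable access token, refreshing first if it is (nearly) expired."""
        if self.tokens.is_expired(self._now()):
            self.refresh()
        return self.tokens.access_token

    def refresh(self) -> None:
        if not self.tokens.refresh_token:
            raise RuntimeError("no refresh token stored; user must authorize again")
        resp = self._endpoint({"grant_type": "refresh_token",
                               "refresh_token": self.tokens.refresh_token})
        if "error" in resp:  # e.g. invalid_grant: refresh token revoked, expired or reused
            raise RuntimeError(f"refresh failed ({resp['error']}); user must authorize again")
        new = TokenSet.from_response(resp, self._now())
        if new.refresh_token is None:  # server did not rotate: keep the existing one
            new.refresh_token = self.tokens.refresh_token
        self.tokens = new  # the old refresh token is dropped; the server has invalidated it
        self.refresh_count += 1


class FakeTokenEndpoint:
    """Constructed stand-in for a provider token endpoint with refresh-token rotation."""

    def __init__(self, valid_refresh: str):
        self._valid = {valid_refresh}
        self._n = 0

    def __call__(self, params: Dict) -> Dict:
        rt = params.get("refresh_token")
        if params.get("grant_type") != "refresh_token" or rt not in self._valid:
            return {"error": "invalid_grant"}
        self._valid.discard(rt)  # one-time use: the presented refresh token is invalidated
        self._n += 1
        new_rt = f"refresh-{self._n}"
        self._valid.add(new_rt)
        return {"access_token": f"access-{self._n}", "token_type": "bearer",
                "expires_in": 3600, "refresh_token": new_rt,
                "scope": "user.read mail.read"}


def demo():
    """Drive the manager with a fake clock; returns the observable results."""
    clock = [1_000_000.0]  # constructed fake time source
    endpoint = FakeTokenEndpoint("refresh-0")
    initial = {"access_token": "access-0", "token_type": "bearer", "expires_in": 3600,
               "refresh_token": "refresh-0", "scopes": "account repository"}
    mgr = TokenManager(endpoint, initial, now=lambda: clock[0])
    first = mgr.get_access_token()      # well within lifetime: no refresh
    clock[0] += 3600 - 30               # inside the skew window: refresh happens early
    second = mgr.get_access_token()
    stale = endpoint({"grant_type": "refresh_token", "refresh_token": "refresh-0"})
    return first, second, mgr.tokens.refresh_token, stale.get("error"), mgr.refresh_count


if __name__ == "__main__":
    print(demo())
```

The `stale` call in `demo()` shows why the old refresh token cannot be kept: once it has been presented, the endpoint answers `invalid_grant`, which is exactly the error the GitLab question reports. With a real provider, replace `FakeTokenEndpoint` with a function that POSTs the same parameters (plus client credentials) to the provider's token endpoint.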
