Situation description:
I need to dynamically download reviews from an Facebook page to display them on my site. For testing purposes I'm using a page access token generated from the user (page admin) access token (using Graph API Explorer). Unfortunately this token is short lived.
As stated in the Graph API documentation (https://developers.facebook.com/docs/facebook-login/access-tokens) to obtain long lived page access token I need to use long lived user access token. To obtain long lived user access token I need to post a request using short lived user access token and my FB app credentials.
To automate the whole process for the admin of my site I want to obtain his user access token and then process it in the way to obtain a long lived page access token (I created an app specifically for this use).
My question is: how can I make a call that asks a user for permission to 'manage_pages' and returns short lived user access token? I don't want it to have anything to do with my site registration and login process, I'm not using Oauth, I'm not logging users via Facebook. I want user to type his FB credentials, grant my app his 'manage_pages' permission and that's it. I'd like it to be as similar to 'Get Access Token' feature in Graph API Explorer (https://developers.facebook.com/tools/explorer).
Related
For refresh token rotation and update both refresh token and access token way, I am wondering, for the same user, if he or she opens different browser and logs in. This means, for the same user, tokens rotation would think it is stolen. Am I right?
If I don't want this to happen, can I use IP combined with user ID to identity the user? Is it secure? I know if it is shared IP, then no.
Is there anything that hacker cannot fake which can distinguish hacker and the user? I think Phone has its device ID of some sort. How about browser?
I think you are confusing completely different concepts
Oauth - authorization.
Open id connect - sign-in - authentication.
Access tokens and refresh tokens are used for authorization. A user grants your application access to their data. The user does not have to be present for this to happen. There for using an access token to prove a users identity is not the correct course of action.
You should use open id connect, to authencation a user - sign them in. Then you should get an id token back which contains claims, one of these claims is the subject claim which should be the users id on the system you are connecting to. You should use that to identify the user.
As for hacking oauth. (Authorization)
Access tokens are short lived they will give your application access to a system for a limited amount of time usually an hour. If a hacker got the access token they would also have access to the system for this hour. access tokens are self contained. no further verification is preformed.
Refresh tokens require the client id and client secrete in order to request a new access token. So the hacker would need to have your client id, client secret, be on one of the valid redirect uris. in order to request a new access token. This is why you should not set a redirect uri to localhost.
Hacking and open id connect.(authencation)
Well as far as signin goes the hacker would need to have the users login and password in order to signin in and get an id token back. You should be good to assume that this is not a hacker and is the user behind the machine.
I have integrated microsoft teams in my project where a user can give us access to create meetings on teams on his/her behalf. But now I want to give the user a option to disconnect his/her account i.e. we will no longer be able to create meetings on user's behalf.
I am facing few problems in this flow:
I am unable to find an API where I can send request on user's behalf
to invalidate a access/refresh token.
If I remove the token stored at my end and then user again tries to connect their Microsoft account with our website it no longer asks for user's consent(which is basic requirement for OAuth) to give access to our app(if user is logged in Microsoft account on the browser he/she do not see the consent page and account is directly connected with our website and we get the refresh/access token).
Can someone help me on this?
At the end all what I want is when user tries again to connect his/her Microsoft account with our app he/she see the consent page(every time he tries to connect account) and then user clicks the allow button which will give us access and refresh token.
If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.
The lifetime of the access token is usually about 1 hour. During its lifetime, even if the application is deleted, it is still available, but you will not be able to use the refresh token to obtain the access token again.
1)To invalidate access token on users behalf, Refer this DOC.
2)For fetching the access token using the refresh token please refer this DOC.
Hope this helpful.
An alternative solution for prompting the user to the consent page is just simply appending the prompt="consent" in the OAuth2 URI prameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=xxx&redirect_uri=xxx&scope=xxx&state=xxx&access_type=offline&prompt=consent
_____↑↑↑↑↑↑
Here you can find the documentation about the parameters.
I need to get an access token for my server to user without a user having to authenticate.
I do this for DropBox and want to do it for OneDrive.
I have a service that needs to save files in its own OneDrive acct and then also copy some files to users' accts.
For the user we will authenticate with either the Token or Code flow. However, for the server I just want to have access token. In DropBox you get the access token on the App Settings page, but I can't figure out how to do it for Graph
Assuming you're talking about OneDrive Business, it sounds like you want to get an app-only token. Such a token will require a tenant administrator to consent, but after that it can access the service without any user.
If you're talking about OneDrive Personal the scenario isn't possible - all tokens are required to have app and user claims, and therefore require to sign in.
I'm writing an app that needs to periodically get reports and update campaigns for a few users. The app can access their accounts now when they login and authorize, but what I want/need is for oauth to give access to the app to access their accounts whenever the script has to run. Is this possible?
Yes, it's possible. The relevant documentation is here.
You need to add access_type=offline to your request for an authorization code. The user will then be prompted to grant offline access to your script in the consent screen, and once he accepts, the response to your app will include a refresh token. Refresh tokens don't expire and can be used to generate new access tokens.
Note that if you lose a refresh token, you'll need to request authorization from your use again, this can be done by including prompt=consent in the request.
What exactly does the word "offline" mean with regard to the offline access granted by an OAuth server?
Does it mean that the resource server will return data about the user even when the user is logged out of the third-party application or when the user is logged out of the OAuth resource server such as Facebook or Google or Twitter?
Offline access is IMO a really bad name for it, and I think its a term only
Google uses its not in the RFC for OAuth as far as I remember.
What is Google offline access?
When you request offline access the Google Authentication server returns a
refresh token. Refresh tokens give your application the ability to
request data on behalf of the user when the user is not present and in front of
your application.
Example of an app needing offline access
Let's say I have a Super Awesome app that downloads your Google Analytics Data,
makes it into a nice PDF file and emails it to you every morning with your
stats. For this to work my application needs to have the ability to access
your Google Analytics data when you are not around, to give me permission to do
that. So Super Awesome app would request offline access and the
authentication server would return a refresh token. With that refresh token
Super awesome app can request a new access token whenever it wants and get your
Google Analytics data.
Example of an app not needing offline access
Let's try Less Awesome app that lets you upload files to Google Drive. Less
Awesome app doesn't need to access your Google drive account when you're not
around. It only needs to access it when you are online. So in theory it
wouldn't need offline access. But in practice it does, it still gets a refresh
token so that it won't have to ask you for permission again (this is where I
think the naming is incorrect).
Helpful quote from the OpenStack documentation:
If a refresh token is present in the authorization code exchange, then it
can be used to obtain new access tokens at any time. This is called
offline access, because the user does not have to be present at the browser
when the application obtains a new access token.
The truth about offline access
The thing is that in a lot of cases the authentication server will return the
refresh token to you no matter what: You don't have to actually ask for anything –
it gives it to you. Giving you the ability to access the users data when they
aren't around. Users don't know that you could access their data without them
being there. It's only the JavaScript library and I think the PHP library
that hide the refresh token from you, but it's there.
Example
By just posting (i.e. HTTP POST request):
https://accounts.google.com/o/oauth2/token?code={AuthCode}&
client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code
Here is the response:
{
"access_token": "ya29.1.AADtN_VSBMC2Ga2lhxsTKjVQ_ROco8VbD6h01aj4PcKHLm6qvHbNtn-_BIzXMw",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "1/J-3zPA8XR1o_cXebV9sDKn_f5MTqaFhKFxH-3PUPiJ4"
}
I now have offline access to this users data, and I never told them that I
would have it. More details be found in this short article: Google 3 legged
OAuth2 flow.
Useful reading
Using OAuth 2.0 for Web Server Applications
Understanding Refresh Tokens
By design the access tokens returned by the OAuth flow expire after a period of time (1 hour for Google access tokens), as a safety mechanism. This means that any application that wants to work with a user's data needs the user to have recently gone through the OAuth flow, aka be online. Requesting offline access provides the application a refresh token it can use to generate new access tokens, allowing it to access user data long after the data has gone through the OAuth flow, aka when they are offline.
Getting offline access is needed when your application continues to run when the user isn't present. For instance, if there is some nightly batch process, or if your application responds to external events like push notifications. However if you only access user data while the user is actively using your application then there is no need for offline access. Just send the user through the OAuth flow every time you need n access token, and if they've previously granted access to your application the authorization page will instantly close, making the process nearly invisible to the user.
For Google APIs, you can request offline access by including the parameter access_type=offline in the authorization URL you present to your users. Offline access, and hence refresh tokens, is requested automatically when using the Installed Application flow.