I am using OAuth to access Google Cloud Storage via their JSON API.
All is fine, I authenticate and get an access token which has an expiration of 3600.
What is the correct way to refresh this?
It is my understanding that in other types of OAuth flows (i.e. Web Server), the initial authorization request returns a refresh token as well as an access token, and that the refresh token is used to ask for another access token when the current access token has expired.
But it appears that there is no refresh token when doing server-to-server OAuth with a Google "Service Account"?
Found the answer.
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#expiration
Access tokens issued by the Google OAuth 2.0 Authorization Server expire one hour after they are issued. When an access token expires, then the application should generate another JWT, sign it, and request another access token.
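As an added example (not from the answer above or from Google's own client libraries), this is the renewal loop the quoted documentation describes: re-sign a JWT assertion and exchange it for a new access token whenever the cached one is about to expire. The token endpoint URL, the jwt-bearer grant type and the injected `signer` and `exchange` callables are assumptions; in real code the signer would use the service account's RS256 private key.

```python
import base64
import json
import time
from typing import Callable, Dict

# Assumed values (not from the post): Google's token endpoint and the RFC 7523 grant type.
TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # the assertion's exp may be at most one hour after its iat


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion(issuer: str, scope: str, now: int, signer: Callable[[bytes], bytes]) -> str:
    """header.claims.signature for the service-account flow; signer holds the RS256 key."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": issuer, "scope": scope, "aud": TOKEN_URI,
              "iat": now, "exp": now + MAX_LIFETIME}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{b64url(signer(signing_input.encode()))}"


def decode_claims(assertion: str) -> Dict:
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


class ServiceAccountToken:
    """Caches one access token and mints a new assertion shortly before it expires."""

    def __init__(self, issuer, scope, signer, exchange, clock=time.time, skew=60):
        # exchange(fields) POSTs the form to TOKEN_URI and returns the parsed JSON body;
        # it is injected (hypothetical) so the flow runs without network access.
        self.issuer, self.scope, self.signer = issuer, scope, signer
        self.exchange, self.clock, self.skew = exchange, clock, skew
        self.token, self.expires_at, self.refreshes = None, 0, 0

    def get(self) -> str:
        now = int(self.clock())
        if self.token is None or now >= self.expires_at - self.skew:
            assertion = build_assertion(self.issuer, self.scope, now, self.signer)
            body = self.exchange({"grant_type": JWT_BEARER, "assertion": assertion})
            self.token = body["access_token"]
            self.expires_at = now + int(body["expires_in"])  # Google returns 3600
            self.refreshes += 1
        return self.token
```

The `skew` margin makes the client mint a new assertion a minute early, so a request never goes out with a token that expires in flight.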
I'm making a function to post to Google My Business automatically by using the Google My Business API with JavaScript and Firebase. The access token is obtained by authentication using Google Sign-In.
However, the access token has an expiration date, so I have to renew it using a refresh token.
Can I use the "user.refreshToken" shown in the image below as the refresh token to be used in this case?
Thanks in advance.
[Image: Data retrieved upon sign-in]
Yes, you are right. In general, the refresh token in an OAuth 2.0 flow can be used to retrieve a new access token, which can then be used again to access resources. The refresh token normally has a much longer expiration date than the access token, hence you can implement functionality like "remember me" using the refresh token.
I have enabled OAuth 2.0 and used the access token to call Jira Service Desk Rest endpoints.
Problem: access token expires every 1 hour.
According to the OAuth 2.0 documentation, there are 2 ways to get a new access token when it expires:
1. Initiate the entire authorization flow from the beginning again.
2. Use a refresh token to get another access token.
Step 1 does not make any sense as it redirects to a webpage and manual intervention is required to authorise the app.
To use Step 2, I don't get a refresh token at all from https://auth.atlassian.com/oauth/token
In general a short-term access token is given. In order to get a long-term refresh token, the offline_access scope should be specified in the authorization URL to get an authorization code.
https://auth.atlassian.com/authorize?
audience=api.atlassian.com&
client_id=YOUR_CLIENT_ID&
scope=REQUESTED_SCOPE_ONE%20REQUESTED_SCOPE_TWO&
redirect_uri=https://YOUR_APP_CALLBACK_URL&
state=YOUR_USER_BOUND_VALUE&
response_type=code&
prompt=consent
Here, in scope, it should be scope=REQUESTED_SCOPE_ONE%20REQUESTED_SCOPE_TWO%20offline_access&
We are using OAuth to get an Access Token and Refresh Token. But the Access Token is getting expired fast. We need a token with long validity.
How can we achieve this?
In Dynamics CRM, access tokens expire in 3600 sec. But the refresh token will not expire. So you need to generate the new access token using the refresh token.
If you want, refer to the page below; it will be useful for you.
https://learn.microsoft.com/en-us/previous-versions/azure/dn645542(v=azure.100)
I'm looking into OAuth2 to allow developers to authorize users of their app to use my service. I've found a few sources that say that my Authorization Server should return an access token when a user sends an assertion (JWT in my case) but that it should not return a refresh token. I'm wondering what the harm is in returning a refresh token. Developers could invalidate refresh/access tokens by calling an API that invalidates any access granted from a particular JWT's id.
That recommendation is not correct. Refresh tokens are optional and can be issued at the discretion of the Authorization Server after the client presents the authorization grant. See the OAuth2 specification:
1.5 Refresh tokens
Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token (i.e., step (D) in Figure 1).
After reading the Google OAuth2 documents, I have downloaded the application_default_credentials.json and used this to get an access token (bearer token).
I'm not sure if this is the standard of OAuth2. Some documents show that we need a refresh token and client credentials to get an access token, but why not just the refresh token? If I have the client credentials, does that mean I can get an access token directly?
Yes, it is part of the OAuth2 specification that you must send the client credentials along with the refresh token. From RFC 6749, section 6:
Because refresh tokens are typically long-lasting credentials used to request additional access tokens, the refresh token is bound to the client to which it was issued. If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server.
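Added example (not from the answer above or from RFC 6749): a minimal token endpoint showing why the client must authenticate when it presents a refresh token. The server checks the client credentials first, then that the refresh token was issued to that same client, that it has not expired, and that any requested scope is no wider than the original; each refresh token is single use. Client ids, secrets and the 30-day refresh lifetime are constructed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict


@dataclass
class RefreshRecord:
    client_id: str  # the client the refresh token was issued to (the RFC 6749 s6 binding)
    subject: str
    scope: str
    expires_at: int


class AuthorizationServer:
    """Token endpoint for confidential clients; clients and secrets are constructed values."""

    def __init__(self, clients: Dict[str, str], clock=time.time):
        self.clients = clients  # client_id -> client_secret
        self.refresh_tokens: Dict[str, RefreshRecord] = {}
        self.clock = clock

    def issue(self, client_id: str, subject: str, scope: str, refresh_lifetime=30 * 86400):
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = RefreshRecord(client_id, subject, scope,
                                                int(self.clock()) + refresh_lifetime)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": rt}

    def refresh(self, form: Dict[str, str]) -> Dict:
        # The client MUST authenticate before its refresh token is even looked up.
        cid, secret = form.get("client_id", ""), form.get("client_secret", "")
        if cid not in self.clients or not hmac.compare_digest(
                self.clients[cid].encode(), secret.encode()):
            return {"error": "invalid_client"}
        rt = form.get("refresh_token", "")
        rec = self.refresh_tokens.get(rt)
        if rec is None or rec.client_id != cid or rec.expires_at <= int(self.clock()):
            # A token presented by a different client, or past its lifetime, is revoked outright.
            self.refresh_tokens.pop(rt, None)
            return {"error": "invalid_grant"}
        # Section 1.5: the new access token may carry identical or narrower scope only.
        scope = form.get("scope", rec.scope)
        if not set(scope.split()) <= set(rec.scope.split()):
            return {"error": "invalid_scope"}
        del self.refresh_tokens[rt]  # rotation: each refresh token is single use
        return self.issue(cid, rec.subject, scope)
```

A refresh token alone therefore buys an attacker nothing without the client secret, and a stolen token replayed by another registered client is revoked on first use, which is also a useful signal to log.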