The OAuth User Token and OAuth User Secret actually expires in 60 days.
I looked at this link, but in my case this is not helpful.
What actually I do in my app:
I use oauth gem for authorization as below.
#linkedin_consumer = OAuth::Consumer.new(
API_KEY,
SECRET_KEY,
{ :site => "https://api.linkedin.com" }
)
linkedin_access_token = OAuth::AccessToken.new(#linkedin_consumer,OAUTH_USER_TOKEN, OAUTH_USER_SECRET)
Now by using linkedin_access_token I make api calls to get profile data. I get only linkedin id from the users, I never ask user to login in linkedin.com. So, how can I refresh it. please reply ASAP. Thanks.
No endpoints for refreshing linkedin OAuth2.0 Tokens have been mentioned anywhere in their documentation yet. All they say is:
Provided that the user is already logged into LinkedIn, this flow
provides you with a simple way of obtaining a valid OAuth 2.0 access
token without forcing your user to authorize your application again
But having user logged into LinkedIn wont really solve the purpose of refreshing tokens in backend. OAuth1.0 does have a mechanism mentioned.
One useful discussion on this topic I found : here
Related
I know that OAuth2.0 is framework using to authorization data request between apps, but to give this access auth server is required. It is my question: who is this server? Let's say: We have two apps: Twitter and Google. I am trying to register Twitter account using Google account. And now where is this auth server? Is it Google? Or maybe it is another third server (managed by Twitter and Google together where user data is?) If it is Google, how Twitter is able to check if user token (generated by auth server [Google??]) is valid?
Thanks
On your first question,
I am trying to register Twitter account using Google account. And now
where is this auth server? Is it Google?
Yes, it's Google. If you're trying to login/register to Twitter via Google, Google is the authorization server. Because, Google has to authorize/delegate access to Twitter to access your data such as your Gmail id, username, etc.
Once you click on "Sign up with Google" button on the Twitter registration page, you will be redirected to the Google login page first (to see if you're an authenticated google user) and then Google would show you a consent page saying that "Twitter is trying to read your profile data, are you okay with this?". Once you click on "Allow" button, Google will generate an access_token, id_token, and refresh_token and pass it to Twitter.
On your second question,
If it is Google, how Twitter is able to check if user token (generated
by auth server [Google??]) is valid?
Twitter is not going to validate the tokens. Twitter can pass the token to retrieve your Google profile information from Google's Resource Server (where all your data reside)
Google's Resource Server is the one that's going to validate the token. It first checks the 'iss' claim of the token to see if the token is issued by Google's Authorization Server. Additionally, it would check for 'aud' to see if the token is issued for them (recipient of the token). Finally, it checks for the 'scope' claim to see if Twitter has the right access to request the data. For eg, they would need to request only read-only access to your profile, but not write access. There could be additional validation depending on the use case.
I hope this answers your questions.
I'm currently unfamiliar with the OAuth2.0 Authorization Code Flow and I've read many articles about it and currently I still don't know how to properly implement it. So far, what I know about the flow:
User Logs in using OAuth
User is redirected to the authorization server for authorization code
Callback for permission/scope
Redirected to authorization server for access token in exchange for authorization code
Redirect back to the client with the access token
Client uses access token to access resource server.
Right now, what I'm still confused is that where should the login validation come (Login of username - password)? Is it a separate validation before going to OAuth flow and once the user is valid, it should go back to the flow?
I have some resources that explain OAuth 2.0 using Google Sign in as an example. Let me try to rephrase it according to your question.
Let's use the example of a user logging-in to Intercom using "Sign in with Google".
The user presses the button "Sign in with Google". This will redirect to the identity providers /authorize endpoint (could be different for each provider) which go to their login page.
The user is redirected to Google's accounts page. If not already logged-in, the user can enter their Google email/password here.
Google redirects back to Intercom with an authorization_code (for example, it redirects to https://intercom.com/authcallback?code=XYZ...)
Intercom's backend server sends this authorization_code with the client_id and client_secret (from their project in google), and receive an access_token (usually to the /token endpoint)
Intercom can then use the access_token to access the user's profile from Google.
So to answer your question, the user can enter their email/password inside the OAuth provider's page. Keep in mind that OAuth 2.0 doesn't specify how the provider is authenticating the user. This means, that the OAuth provider can authenticate their users in different ways, like email/password, email magic-link, SMS OTP, etc. Your website is just supposed to trust the OAuth provider that they are authenticating the user for you correctly.
Some extra resources that would help you understand OAuth 2.0 more:
How to store the OAuth 2.0 access and refresh token in your front end
Picking the right OAuth 2.0 flow
login validation come (Login of username - password)?
OAuth 2.0 NOT an Authentication protocol
The OAuth 2.0 specification defines a delegation protocol
Any use of username - password is outside of OAuth 2.0 and you should be looking at Open ID Connect which is an authentication protocol built on top of OAuth 2.0.
Best current Practice for Authorization Code flow is to use PKCE on OAuth or OpenID Connect.
The usual solution is to externalise both OAuth 2.0 and Open Id Connect from your code by using a mature security library. When you're new to this type of security there is a learning curve. My resources will give you an idea of how it all fits together:
Code Sample
Tutorial Blog Post
The libraries you integrate depend on the technology stack you are using. The resources above are for a Single Page App and NodeJS API.
I am implementing openid connect for google and microsoft. Openid provides the id_token which also content the user info. I am still confused. How to use id_token. In oauth2 we are storing the access_token in our db. so we use access_token to get user profile. If I am getting the profile mean user is authenticate and user will login into app. So in id_token case, should I validate the token. If token is validate then user will login. I am really confused. Please help me out. Please provide the flow of authentication.
Read this: http://www.thread-safe.com/2012/02/why-we-need-idtoken-in-openid-connect.html
TL;DR id_token removes the need for that extra round trip you need to make to get userinfo. Instead OIDC presents you with both an id_token which contains all the info you need about your current user and an access_token.
If token is not required for authentication. It is only useful in public clients to get some user attributes aka claims.
I am trying to practice the examples in the book "mining the social web". Unlike the applications I had created in twitter and facebook, the Oauth token and secret in the linkedin never show up. I only see my client ID and client secret.
by the way, since I do not have any personal url, can someone explain to me what is the appropriate URL I should enter? In the twitter and facebook applications, I just randomly entered some URL, like www.twitter.com, and it worked. In this application for linkedin, I entered www.linkedin.com, but no Oauth token comes out.
I know this question is too basic for you guys, sorry for posting this. I did google the solution for a while, but it seems like no one has ever posted this question.
You can't directly get an OAuth Token. You have to follow the authentication procedure to receive an OAuth Token.
Steps involved:
Configure your LinkedIn application with a valid callback url which your server is listening to.
Request an Authorization Code
Exchange Authorization Code for a Request Token
This LinkedIn link will help you on what parameters to send in each request and the URL for the same.
https://developer.linkedin.com/docs/oauth2
I have a website where people can post blogs. I want the blogs to be automaticly posted to a Linkedin account connected to the website. So the person posting the blog is not the owner of the linkedin account.
I use the Sharing API from LinkedIN to do this, but this requires the administrator of the linkedin account to refresh the Oauth token every 60 days. I know this is a security thing to prevent illegal use of accounts. But in this case its always my own linkedIN account. Is there a way around this? mabe by using the app key and secret instead of the acces token?
The LinkedIn API docs (https://developer.linkedin.com/documents/handling-errors-invalid-tokens) say:
In the case the access token is already expired, your application will
go through the same authorization flow as previously described.
However, the login dialog will be shown to the user as they will need
to grant access to your application again.
so there's no way around that. But what you could do is go through this flow before the access token has expired. The docs say:
Simply have your application go through the authorization flow in
order to fetch a new access token with an additional 60 day life span.
When the following conditions exist:
User is still logged into Linkedin.com The current access token isn't
expired (within the 60 life span) We will automatically redirect the
user back to your redirect_uri without requiring them to reauthorize
your application. If they don't exist, we'll prompt them to login and
then redirect them.