We are working on a project that uses Asana's API for integration. When a user authorizes the app to use Asana, we get the access token which is valid for an hour. In addition to that we also get a refresh token that can be used to renew the access token in future.
Could you please let us know how long will that refresh token stay valid for?
Refresh tokens are valid for 10 years, or until the user explicitly revokes the authorization.
Related
I am using Google APIs in my application and the oauth2 refresh token expires after 1 hour. I am using this refresh token to execute a task which runs daily. I create the refresh token using the OAuth2 playground. Is there a way to extend the expiration time of a refresh token? (1 month)
I think that you have your terms confused here.
As per Oauth2 access tokens expire after one hour. Access tokens are used to request access of an api and return the data that you need. There is no way to extend the lifetime of an access token beyond one hour. You need to use a refresh token to request a new access token.
Refresh tokens are extremely long lived and do not normally expire. Refresh tokens are used to request a new access token. Refresh tokens for the most part do not expire if one is not used in six months though google will automatically expire it. Also if the user removes your access then the refresh token will also automatically expire.
If you are creating your refresh token using the Outh2 playground which is intended only for testing purposes it will also expire.
If you are using the oauth2 playground to create your refresh token then you should not be doing this you should be creating your own application to request the tokens.
As already explained the refresh tokens created using the OAuth 2.0 Playground are automatically revoked after a few hours because the playground is mainly for testing purposes. However you can configure the OAuth playground to use your own app credentials (use the 'wheely' icon top right). If you use your own app credentials the refresh token will not be revoked.
That said it looks like you want to run a background service that accesses Google APIs. For this you may want to use a Service Account if you are not accessing a specific user's data.
Once I've completed the OAuth flow by obtaining authorization from the user and then creating an access token, how do I obtain another token without asking the user for authorization again? I thought the user's account on Smartsheet would remember that they trusted the application, but that doesn't seem to be the case. I'm new to OAuth so I'm sorry if I'm missing something obvious.
Thanks!
Access tokens retrieved via the OAuth flow are valid only for a certain period of time -- you (i.e., your application) can refresh a token before it expires in order to prevent the end-user from having to provide authorization again.
When you issue a GET Token request to obtain an access token, the response contains not only the token itself, but also information to indicate how long the token is valid (the expires_in property indicates the number of seconds until the token expires) and a refresh_token property value that you'll need in order to refresh the token.
To prevent the user from having to provide authorization again, simply refresh the token before it expires, and then use the new (refreshed) token value in subsequent API requests. Note that each token you obtain (whether it's the original token or a refresh token) will always expire in a finite amount of time, thereby requiring that you refresh the token in order for your application to maintain user authorization.
I have implemented openid connect authentication using azure active directory in my website. The session expires every 1 hour. So the user is logged out, and redirected back to the login page. While analyzing based on it, i have found a solution in the below link, to use UseTokenLifetime = false
https://github.com/aspnet/Security/issues/147
Will this fix my issue? or is there any chance of increasing the session time?
Thanks in advance
Dinesh
Read here to learn more about Configurable Token Lifetime
In general, access tokens have a very short lifetime. This is intentional. Your web application should be using the refresh token which comes with your access token to acquire new access tokens once the original one expires.
When you get an access token and refresh token (assuming all default settings), the access token will last up to one hour. The refresh token will allow you to get a new access token + refresh token pair for up to 14 days. The new refresh token you get will last another 14 days, allowing you to chain new access tokens up to a total of 90 days, where you will need to eventually ask the user to sign in again.
You have the ability to configure token lifetimes such that your "refresh token chain" will never expire, however any individual access token or refresh token will eventually expire.
I'm developing an Android app that uses Outlook Calendar REST API. I'm trying to keep in synch and updated the calendars of multiple users (meeting rooms).
My questions are:
1) After how long does the initial authorization code expires?
2) And for the refresh token instead?
The access token expires after 60 mins. I can't get if for the refresh token expires after 6 hours, 14 days or 90 days.
3) Is the latter configurable? Can I make it not expire?
`
UPDATE: (from https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx)
"The lifetime of the refresh token is not provided and varies based on policy settings and the time when the authorization code grant is revoked by Azure AD. The application should expect and handle cases when the request for a new access token fails. In that case, it should return to the code that requests a new access token."
And also: (from http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx)
"Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. The client application needs to expect and handle errors returned by the token issuance endpoint correctly. When you receive a response with a refresh token error, discard the current refresh token and request a new authorization code or access token. In particular, when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, discard the refresh token and request a new authorization code."
So how can I guarantee that my App will always have all the users logged in?
It will be in airplane mode during the night and it should automatically recover from crashes as well.
Can I solve without authenticating the users programmatically storing the credentials?
Thanks
Answers:
few minutes. The exact value is an implementation detail and can change at any moment. You should do whatever you can to redeem the code as soon as you get it.
see http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/
as of today the lifetime limits cannot be changed. We are working on features that will grant you more control, but we have no ETA to share at the moment
The only way of guaranteeing that a user is signed in is to successfully redeem a refresh token, or to go through an authentication flow. Use of cached credentials is restricted to very few cases, and will likely be disallowed in upcoming versions of the service.
If a refresh token expires, you should plan to perform an interactive authentication. Note that the refresh token might also be invalidated by a consent revocation, which will mandate interactivity in all cases.
What you can do is to obtain the refresh_token and the access_token. Access what you need via the access_token, if that fails then assume it has expired and use the refresh_token to update the access_token. If a user changes their password (or maybe there are other cases) then you start the user over from square one.
To get the refresh_token I think you need to add offline_access to your scope. Something like this:
USER_OAUTH2_AUTHORIZE_URL
+ "?client_id=" + config.getClientId()
+ "&redirect_uri=" + getOutlookLoginRedirect(request)
+ "&response_type=code"
+ "&scope=https%3A%2F%2Foutlook.office.com%2Fmail.send%20" +
"https%3A%2F%2Foutlook.office.com%2Fmail.readwrite%20" +
"offline_access%20openid%20email%20profile"
Box api refresh token would expire if the token is not used for 14 days.
So how would I know the refresh token has been expired? Any exception would be thrown in android box api? Or what I need to do is to show the login view again?
UPDATE:
i know that android sdk would auto refresh access token using refresh token. But how about the refresh token, how to handle its expiration?
Thanks
The next API call with return an error, and the details will tell you that the authorization token has expired.
When that happens, you should call the /tokens endpoint to do a refresh grant. See more details in OAuth2 tutorials in the section on "Using the Access and Refresh Tokens"
Also, note that we've extended the refresh token to be valid for 60 days. It is still a 1-time use token, but even if your users don't use your application for 59 days, it will still work to get them a new Access Token.