How to preserve & re-submit request while doing an OAuth2 token refresh? - ruby-on-rails

I'm writing a Google calendar app in rails. The OAuth2 access token expires after 1 hr. My problem is, if someone fills out a form that I want to push to Google calendar, and while they are filling out the form the access token expires and they have to go thru the whole re-authentication process, I don't know how to preserve the entire request (form submission) and resubmit it, once my token is refreshed.
I know it's possible using a DB, saving the params, the path, the request method, and all that... but what I want to do is save everything in a session variable of some sort, and have it automatically re-submit the whole request to my app again, once the Google OAuth access token is valid.
Any ideas?

This is solvable by getting a refresh_token with which you can get a new access_token. You can do that by asking for offline access when the user first authorizes your app.
You can also use the Ruby client library that Google provides to manage the OAuth2 process easier for you.

You can also save the form state in the current session, assuming you have one, then do an immediate flow just to grab a new access token. See the prompt=none parameter:
https://developers.google.com/accounts/docs/OAuth2Login#authenticationuriparameters
The immediate flow will succeed only if the user has a valid session with Google. If that's not the case then you do have to send the user to re-authenticate in the normal flow.
Or, as Arun suggested, use a refresh token. But with a refresh token you definitely have to run you own session and keep a user database (you have to store the refresh token). Your own session may also expire before the form is submitted.

Related

JWT(lcobucci/jwt) - refresh token

I am able to generate the token and validate it.
Now, I come across a scenario: How can I keep the active user's token refresh everytime it send request to server? Rather than suddenly logout them out after the default token's expiration time.
As per lcobucci suggestion, regenerate the token in every request make by the user. Meaning the Web/MobileApp have to update the new token in local which return from API in each request?
Any other suggestion/approach I should look into?
I am using it for Mobile and Web apps.
Thanks

How come instagram iOS app never ask me login again, even token is expired?

I have been searching this for days..... I know usually when we design token for client and server, user can login with username and password, server use them to create a token and send back. If token is expired, we let user login again.
How come when I use instagram and never see it needs me login again? How do they handle this on their mobile app?
Your help will be highly appreciated.
Instagram says:
Note that we do not include an expiry time. Our access_tokens have no explicit expiry, though your app should handle the case that either the user revokes access or we expire the token after some period of time. In this case, your response’s meta will contain an “error_type=OAuthAccessTokenError”. In other words: do do not assume your access_token is valid forever.
If the token is somehow expired then they request for a new one, but that should be a rare case as instagram says they do no include an expiry time.
For more info read this. Hope this helps.. :)
First you have to get the access token and save that access token in your app, access token is not valid forever, so you should implement and handle this on your application follow this tutorial for login with instagram using oauth and its implementation on app side
http://codegerms.com/login-with-instagram-ios-application-objective-c/

Oauth flow for google

I am trying to impliment Oauth for my webapplication for google.I am worked upon a POC and it working fine but i have a confusion and not sure how best it can be achieved.
I am using scribe java API for Oauth.
here are the steps i am performing.
Getting request token from Google.
Redirecting user to Google to authenticate them self and authorize my serivice to access his/her few details.
get Access Toekn from google by providing request token and verification code given by google.
Accessing user info once google provide Access token.
now my main confusion is at step no 3, since i am working on a web-application so it will be a 2 step process.
Redirecting user to google
Handling back google redirect.
In order to get an Access token i need to provide same request token which i got at step1 else my request being rejected by the user.
The request token contains 2 things
Toekn -->which is based on the registered application so not an issue
Secret-->This is always being a random string so it should be same when asking for access token
that means i need to store this secret either in my session or some where so that i can access this secret when user is being redirected back to my application.
My confusion is,since in order to save it in session i have to create a unique key and some way to access it in the other action class which will handle Google Redirect back how can i achieve this since at a given time so many user can ask to login using google.
any help in this regard will be much appriciated.
Thanks in advance
When you receive the request token + token secret, use the request token as the unique key of your session to store the token information. After the authorization process, in the callback url, you have access to the request token (it's one of the parameters passed to the callback url). Using this parameter as the session key, you can restore the token information from session, including the token secret, and use it to sign your request for changing the request token for access token. After receiving the access token, a new token secret is returned to you and you can delete the old one from session.
how can i achieve this since at a given time so many user can ask to
login using google
This is not of any problem because for every single user on your site, you are given a different request token.

Yahoo OAuth implementation has no way to work offline

I need to download my Delicious bookmarks to a non-web application without constant user interaction. I'm using Delicious's V2 API (using oAuth) but the problem is it seems their access tokens expire after one hour.
I don't have any issues with redirecting the user to Yahoo for a one time authorization, but what is described here (http://developer.yahoo.com/oauth/guide/oauth-refreshaccesstoken.html) means I would have to refresh my access tokens all the time before they expire when the user is away.
Is this really the way they've done their oAuth implementation?
You only need to refresh the access token when they come to use the application again, not while they're away. You can pass the previously expired token and get a new one in return.
Is that a problem? You should only need to make an additional server-side call to refresh the access token if it expires (as long as the authorization itself has not expired, which should last longer, and would need user interaction when it expired).

Persist Twitter OAuth session

I have a Twitter web app that allows users to submit tweets from my site. However they have to re-login every time they submit a new tweet. Is there a way to save the OAuth session and don't prompt the login screen until users clear their browser cache?
When you get the callback from Twitter after the user has validated you, you'll receive an auth_token in the headers of the request; you're meant to cache that token, and supply it every time the user makes a request.
It sounds like you're not caching that token and supplying it when the user makes a request.
You need to store the oauth_token, you can use the same for all requests.
On the FAQ of Twitter API
How long does an access token last?
We do not currently expire access
tokens. Your access token will be
invalid if a user explicitly rejects
your application from their settings
or if a Twitter admin suspends your
application. If your application is
suspended there will be a note on your
application page saying that it has
been suspended.
you need a db tables called user and user_tokens. Inside the user you have: id, user_oauth_secret, user_oauth_token. Inside the the user_token you need this columns: id, user_id, token, created, expires. make sure this token is unique (and long) with some random hash. now you can save this token to the user's cookie and find the right oauth data later.
You need to store two tokens.
When you make the OAuth request the first time, it will show the Twitter auth screen. After auth, your OAuth callback page will get two query string parameters, "oauth_token" and "oauth_token_secret" for the user. You need to store these (probably in a database) somewhere.
Then, when you request OAuth permission again from Twitter, send the two tokens, and the user will automatically be authorized.
You shouldn't have to code this yourself. There are plenty of OAuth libraries out there.
You have to maintain a long session with the user and save the access tokens. Cookies are commonly used to recognize users.

Resources