I'm using the Doorkeeper gem to provide OAuth in a Rails app. The client is a Chrome extension.
I have 'use_refresh_token' commented out in doorkeeper.rb, and 'access_token_expires_in' set to 1 minute. I thought that would force the client to re-auth after a minute. But re-auth is happening automatically, regardless of whether use_refresh_token is present or not.
With use_refresh_token present, a new row is added to 'oauth_access_tokens' every time the access token expires. No new row is added to 'oauth_access_grants.'
With use_refresh_token commented out, new rows are added to both tables, which I would expect if the client were manually re-authing. But it appears to be happening automatically--the user is granted access without having to re-auth the app through the OAuth login screen, as I'd like.
Apologies for my ignorance, I'm new to both Doorkeeper and OAuth and haven't found any clues on Google et al.
OAuth 2.0 is working as designed here: the client sends the user to the authorize URL to get the access token, and while the user is not authorized to get a token the server redirects them to the login page. I think the point in your case is that the expiry time is too short, so the session opened when the user entered their username and password the first time is still valid; when your client asks for a new token it gets one because the user is still logged in on the authorization server. You can change the session time to be less than the token validity time and test it.
I'm following this article to understand refresh tokens.
In my case I have to connect to a REST API using grant_type=password, and I receive a token with a 5 minute lifespan. So every 5 minutes I have to issue a POST request passing client-id, username & password to get a new access token.
The other option would be to issue a POST with grant_type=refresh_token, without having to send the username & password. In my case I'm consuming an API, so passing the credentials doesn't involve any action from the final user. For me it's just two more params to send on the POST request.
In both cases, I have to issue a new post every 5 minutes.
Is that the only advantage (not needing to pass credentials again) of using the refresh token, or is there any other thing I'm missing?
Background info
OAuth 2.0 Password Grant
The Password grant type is a way to exchange a user's credentials for an access token. Because the client application has to collect the user's password and send it to the authorization server, it is not recommended that this grant be used at all anymore.
OAuth 2.0 Refresh Token
The Refresh Token grant type is used by clients to exchange a refresh token for an access token when the access token has expired.
This allows clients to continue to have a valid access token without further interaction with the user.
Consider this.
Let's say that I add my login and password for my Twitter account to your application, and you then use that to request access from Twitter to my account to post. Three months later I have forgotten I have set your awesome app up to do something on my Twitter account and I change my password. Your system will break.
Now let's say I used OAuth2 to grant you access to my Google Drive account; your awesome app can now do whatever it needs to do on my Drive account. Now three months later I have again forgotten I gave your awesome app access, I have the memory of a goldfish you see. I change my password. Nothing happens, your awesome app still has access.
Now consider this: with OAuth2 I can grant you access to only read from my Google Drive account, not update it (scope). That, and the system knows it's not actually me performing the actions.
With client login (login and password), most of the time it appears to the system that it is the actual owner of the account making the requests. You also cannot limit access with client login; for the most part you have full access.
Note
Yes, I am ignoring the part about the expiration time of both tokens returned. That's because for all intents and purposes they are the same, but that depends greatly on how the auth server you are using is set up. They could be set up to only be valid for an hour or a day. They may give you different access scopes; again, this differs greatly from auth server to auth server.
I have a webapp which lets the user OAuth 2.0 to YouTube, and after exchanging the authorization code I can capture the access_token & refresh_token into my database.
Can these tokens be maliciously used later by me, say after 2 weeks, to delete the poor user's video using /youtube/v3/delete or some other operation like inserting badly formed captions?
And if this could be done, isn't this a security breach, because the poor user who has accidentally consented OAuth into my application has got his access_token & refresh_token & other info captured by my back-end?
So basically when someone consents OAuth to an application, the user is now at the mercy of the application; information could be stored or deleted or anything.
If yes, what can the poor user do to unlink, and how would the user even know that videos are getting deleted by someone else?
Access tokens are short-lived tokens which will work for one hour; after that time you will need to use the refresh token to request a new access token.
Your refresh token should not expire, except if it has not been used for six months.
If a user authenticates your application they get a new refresh token. If they authenticate your application again they will get another refresh token. You can have up to 50 outstanding refresh tokens; all will continue to work until you go over that number, then the first one will expire.
The user can also revoke your access through their account at any time.
Don't bother storing the access token, just store the refresh token, and make sure that if your user authenticates your application again you replace the refresh token in your database with the new one.
If a user grants your application offline access, this will give you a refresh token. Yes, they are at the mercy of your application, which can do whatever you have been granted access to, whenever.
Note: it can take a while to go through the verification process with the YouTube API; start early.
I am developing a Google action and have added account linking.
In the linked image you can see the settings I did in Action console->Account linking.
Action console Account linking
In Auth0 Applications I added all the fields necessary and set JWT Expiration to 604800; in the APIs settings I have also updated Token Expiration (Seconds).
Auth0 application setting
Auth0 api settings
Account linking works perfectly, but after 24 hours my Google action prompts the user to ‘link the account again’, even though I changed the JWT expiration to 7 days (604800 seconds) and Token Expiration to 7 days. I don’t know why the action asks the user to link their account again after 24 hours. Is there anything I left out?
Kindly help me in this regard, as it is very important for me to publish the action and I am running over my deadline.
While the Assistant is not accepting the long-lived Access Token, the stranger thing is that it should be using a Refresh Token to get a new Access Token instead of requiring the user to re-link the accounts.
Assuming you're using the auth token flow (and it looks like you are), Auth0 will send a Refresh Token if you request the offline_access scope.
It looks like you're requesting _offlineaccess, which isn't the right scope. Changing this to the correct string (or adding it) should give the Assistant a Refresh Token, so it won't re-prompt the user unless the token is revoked.
I'm currently working with Doorkeeper (+Devise) for a Rails server and trusted iOS app. I've got an implementation working but I am confused on a few things. I have already read the wiki on this: https://github.com/doorkeeper-gem/doorkeeper/wiki/Interacting-as-an-OAuth-client-with-Doorkeeper
The current flow:
User logs in with username and password in iOS app. This is sent to https://myserver.com/api/log_in
Server checks credentials and logs in the user with Devise. Then it responds with the access_token using the Doorkeeper::AccessToken.find_or_create_for() method.
The iOS app saves this token and sends it as Authorization: Bearer the_access_key for all future API calls.
So far so good (i.e. the above is working in my test). The questions I have are:
Refresh tokens - should the iOS app check proactively whether a refresh is required (i.e. comparing the access_token's created_at and expires_in, and refreshing the token based on the result), or should it just try to refresh on a 401, and if the refresh also gets a 400/401 then stop and log the user out on iOS?
Changing password elsewhere and revocation of tokens - if the user changes their password on the website (using Devise), then all iOS app tokens for that user should be revoked. The refresh token should also fail and the user should be prompted to log in again on the iOS app. I haven't found documentation suggesting best practice for this. From my tests this does not happen automatically in Doorkeeper, and the access_token is still valid for use. What is the best/correct way to handle this scenario?
Thanks in advance for your time.
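Added example, not code from any post on this page: a client-side token holder of the kind the refresh-token question above (password grant vs. grant_type=refresh_token) and the Doorkeeper/iOS question (proactive refresh vs. refresh on 401, logout when the refresh is rejected) both ask about. It refreshes a little before expiry, retries once on a 401, sends only the refresh token and client_id (never the password), and raises when the server answers the refresh with 400 invalid_grant. The class and exception names, the 30-second skew, and the injected token_endpoint/api callables are assumptions so that it runs offline.

```python
import time


class ReauthRequired(Exception):
    """Refresh token rejected (revoked or expired): send the user back to the login screen."""


class TokenManager:
    """Client-side holder for an access/refresh token pair obtained by any grant.

    token_endpoint(form) -> (status, body) stands in for POST /oauth/token so the class runs offline.
    """
    SKEW = 30  # refresh this many seconds before the access token expires (assumed value)

    def __init__(self, token_endpoint, client_id, token_response, now=time.time):
        self.token_endpoint, self.client_id, self.now = token_endpoint, client_id, now
        self.refresh_token = None
        self._store(token_response)

    def _store(self, body):
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)  # keep the newest if rotated
        self.expires_at = self.now() + body["expires_in"]

    def needs_refresh(self):
        return self.now() >= self.expires_at - self.SKEW

    def refresh(self):
        if self.refresh_token is None:
            raise ReauthRequired("no refresh token issued")
        # Only the refresh token and client id go over the wire; the user's password is never stored.
        form = {"grant_type": "refresh_token", "refresh_token": self.refresh_token, "client_id": self.client_id}
        status, body = self.token_endpoint(form)
        if status != 200:  # RFC 6749: 400 invalid_grant when the refresh token is revoked or expired
            raise ReauthRequired(body.get("error", "refresh_failed"))
        self._store(body)

    def call(self, api_request):
        """api_request(access_token) -> (status, body). Refresh proactively, then retry once on a 401."""
        if self.needs_refresh():
            self.refresh()
        status, body = api_request(self.access_token)
        if status == 401:  # revoked server-side (e.g. after a password change) before it expired
            self.refresh()
            status, body = api_request(self.access_token)
        return status, body
```

A server that revokes a user's tokens on password change makes the 401 path fire before expiry, and the failed refresh is the signal to log the user out.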
I'm working on an iOS app which uses login via LinkedIn. I'm using a web view for the user to log in and getting the token from LinkedIn. If I understand it correctly, the token which I received is valid for a short period, and hence I need to make a call to LinkedIn with the existing token to get a new token with an extended period. Can you please let me know what API I should call to refresh the token to get the new token with the extended validity?
I'm currently using https://github.com/jeyben/IOSLinkedInAPI
According to LinkedIn there is no direct API to call to refresh an OAuth 2 token. What's supposed to happen is that if:
The user is logged into LinkedIn
They have a current (less than 60 days old) token
pointing them to the authentication URL will trigger a refresh of their token, without needing the user to log in.
Using the iOSLinkedInAPI library, this didn't seem to be the case.
What I figured out was that the authentication flow wasn't generating a login session cookie from LinkedIn in the iOS simulator or on a device, so requirement 1 was never being met.
You need to have the user log in through the regular LinkedIn login page, and this gets you that session cookie, which you can cache. After you send the user to authenticate your app, you can load that cached cookie into NSHTTPCookieStorage's sharedHTTPCookieStorage each time you want to call the authentication URL to refresh the user's token.
I created a helper class with an example if you want to check that out:
iOSLinkedInTokenAuthorizer