I have a grails application in which I want a user to grant me access to his/her LinkedIn account to get information and show it in different ways.
I was able to do the following:
Get the authorization code
Use that authorization code to get the Access Token
I store that Access Token together with the expiration date in my User entity.
Refresh that Access Token when the expiration date is within X days from today.
Now the issue I'm having is that I would like the user to revoke or invalidate that token so that someone else can use the same computer and session and login to a different LinkedIn account.
Is this possible?
If not? Is there a way to delete the LinkedIn cookies? so that the user's LinkedIn session is finished and by being logged out from LinkedIn then they will have to grant access to my application again.
For reference:
I'm using Grails 2.1.1
I'm NOT using oauth to do the authentication, I just use the HTTPClient from Groovy to do plain and simple GET and POST requests.
Thanks a lot in advance!
I have managed to revoke token on API v2 with this call:
curl --request POST \
--url https://www.linkedin.com/oauth/v2/revoke \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=CLIENT_ID_HERE \
--data client_secret=CLIENT_SECRET_HERE \
--data token=YOUR_TOKEN_HERE
The easiest thing to do is just to delete the Access Token from your storage. This way you no longer have access to that account. When LinkedIn was using OAuth 1.0a, they had an Invalidate call which would invalidate the Access Token. But when they moved to OAuth 2.0, that went away.
Related
I'm making continuous API calls using snowflake ODBC connection. My access token expires in 10 mins and able to refresh using the refresh token using the below call. But after 90 days my refresh token is getting expired. but this API endpoint
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--user "<OAUTH_CLIENT_ID not encoded>:<OAUTH_CLIENT_SECRET>" \
--data-urlencode "grant_type=refresh_token" \
--data-urlencode "refresh_token=<refresh_token value>" \
--data-urlencode "redirect_uri=<OAUTH_REDIRECT_URI not encoded>" \
<https://mydomain.snowflakecomputing.com/oauth/token-request>
This call returns the access token, only when the refresh token is valid.
This returns 400 bad request and not sending new access and refresh tokens when refresh token is expired.
How do we automatically refresh refresh_token.
Is possible or should we repeat the login process and thats the only way?
There is no way to refresh a refresh_token. Once the refresh_token is expired, you will have to start the whole OAuth authorization code flow, this is based on OAuth 2.0 RFC.
Login with your username/password
Get the authorization code
Exchange the access token and refresh token using the authorization code from Step (2) above
When refresh token expired, repeat Step (1)
Snowflake OAuth is based on OAuth 2.0, you may refer to the RFC here:
https://datatracker.ietf.org/doc/html/rfc6749
When I read the instagram refresh token api, the request look like this:
curl -i -X GET "https://graph.instagram.com/refresh_access_token
?grant_type=ig_refresh_token
&access_token={long-lived-access-token}"
my question is, why did not pass the device id to the server side, if pass the device id, the server will check the device related with the token. the oauth 2.0 told that the server side would maintain the relationship about device id and the refresh token. where do I use the relationship? I think the refresh token should use the mechanism to keep more secure.
My application needs to log in to each user and generate the bearer token for each of them. By using the bearer token I can fetch the result using Twitter API v2. Anyone, please help me how can I do that.
The bearer token is specific to your application, NOT to the user. Bearer token / app only authentication is JUST for the app, not for the user. The first time you create the app on the Twitter developer portal, you get the bearer token which you should save in your password manager.
The account token - when a user is logged in to your app - is different. If you need this, you can also generate it on the developer portal FOR YOUR ACCOUNT ONLY, or you can make your app implement sign-in with Twitter via OAuth 1.0A. These tokens will enable your app to operate for a user and port new Tweets, like Tweets, create lists, etc.
In wso2 api manager there is Token API that can be used to revoke specific tokens by clients. This is for applications to handle token revocations during logout etc.
But how to revoke all tokens for specific user when I do not want to let user use API anymore? For example when I removed user account from my service.
Is there ani API that can be called from third party application to api manager with information that the user is removed and therefore api manager should invalidate user’s tokens.
In WSO2 API manager, the access token is generated for an Application. When a user is going to use an API, he/she first needs to Subscribe to that API by create an application for that particular API.
So, if you need to revoke a particular token, you should do it for the application. The Token API of the WSO2 API Manager provides a method to revoke the token.
curl -k -v -d "token=<ACCESS_TOKEN_TO_BE_REVOKED>" -H "Authorization: Basic <base64 encoded (clientId:clientSecret of the application)>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/revoke
AFAIK, there is no straight forward option to remove the keys for particular user, as users are subscribed to apis via Applications.
However you could do it by deleting the database entry for that particular user in IDN_OAUTH2_ACCESS_TOKEN table, where all the access token information are stored.
For more information for the Token api, please refer the following documentation.
https://docs.wso2.com/display/AM210/Token+API
On a related note: If you want to block a user from accessing APIs, you can use blacklisting feature.
See https://docs.wso2.com/display/AM210/Managing+Throttling#ManagingThrottling-Blacklistingrequests
Twitter has application-only authentication for their api: https://dev.twitter.com/docs/auth/application-only-auth
Twitter offers applications the ability to issue authenticated requests on behalf of the application itself (as opposed to on behalf of a specific user)
I want to do the same with doorkeeper in Rails, but I'm not sure how to do that. It seems to be only possible to authenticate users via a callback url, but how can I access my API using the applications context (only by using the app ID and app secret)
My first idea was to do a password credentials login with the app's ID and secret to obtain an access token that belongs to the application. Is this a bad idea? Is it safe from a security point of view? I am wondering because the app's secret is saved as plain text in the db, which is a no go for user authentication.
It is something you can definitely do : you can see on the example here where it generate a token with client_credentials, but no username / password :
curl -i http://localhost:5100/oauth/token \
-F grant_type="client_credentials" \
-F client_id="your_application_id" \
-F client_secret="your_secret"
Up to you after to check if you have a resource_owner associated to your doorkeeper_token.