I'm building a Shopify app in .NET. I successfully use Shopify .NET library to get an access token. However, it seems to be a temporary token, as it expires after some time. The functionality that needs access to the store runs as a background cloud service, therefore I cannot simply re-authenticate in the browser.
How can I either:
Get a permanent access token, or
Get a refresh token that I can then exchange for a temporary token?
Also, is there an "official" HTTP response code to tell that a token has expired?
Thanks!
Related
I'm having an Angular application that performs user authentication via Microsoft account. For this, I'm using the MSAL JS library which does work fine to authenticate the user. But we have the requirement where our backend server requires to call Microsoft Graph APIs. Now the issue is that the MSAL library returns access_token which has got a life span of 1 hour and so it can not be used once it is expired from our backend server.
So I'm looking for a way where I can get an authorization code, which can be exchanged from our back end server to get the access token and refresh token. And as we've got the refresh token as well, we can refresh the access token whenever it gets expired considering a refresh token is still valid.
I'm not sure if this is possible via the MSAL library or not, or if there is any other alternative available for SPA to support the case, I've described above.
It is possible with MSAL.js 2.0 which is a drop-in replacement for MSAL.js 1.x and supports the authorization code flow for Single page applications. With MSAL.js 2.0 you can use the authorization flow with PKCE and refresh tokens in the Microsoft identity platform to keep users signed in while third-party cookies are blocked.
Read more here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-auth-code
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas
We're developing a IOS App, it uses GoogleSignIn and GoogleAPIClientForREST to gets the user's calendar.
The normal flow is that the client user log into Gmail, then authorizes it, and then the client get the access token, and use the token to request the user's calendars,
Now we want to do this, our App gets the access token, uploads the token to our server, then server uses the token to request the user's calendars,
Eventually, our server will regularly use much number of different users' access token to request Google Calendar api.
Do Google support this? Are there any restrictions or limit?
Thanks!
The main problem you are going to have is that an access token is only good for one hour. So unless you are expecting the user to login every hour and give you a new access token for your backend application this is not going to work.
Second i am not sure how IOS signin works i am not even sure that you can get the code to give you an access token to upload to your backend server. Not to mention that passing around an access token even on a secure connection probably isnt the best design idea.
You might be better off codding this all server sided and having your IOS application rather than connecting via ios directly.
I am not an IOS developer so cant really help you much.
In fact, the client just uploads refresh token to server, then server use it to get access token, and use access token to get calendar events.
How does the Uber Mobile SDK handle renewing access token?
I don’t see there is explicit way that SDK provides for developer to renew access token manually but I’d like to do so.
Essentially, what I’m trying to doing is that my mobile app handles SSO and pass the access token to my server, Server would then use that to do all kinds of request with Uber directly.
But when it comes to managing the access token, I still prefer to let the mobile app to do it. Hence, I’d like to renew the access token whenever I deem necessary, so that I can always provide valid token to my server.
FYI: I’m authenticating using SSO(i.e Native )
You can instantiate a RidesClient and call refreshAccessToken(usingRefreshToken:completion:)
https://github.com/uber/rides-ios-sdk/blob/master/source/UberRides/RidesClient.swift#L537
For Android:
There is automatic refresh code in the network stack. A refresh token is utilized in the networking stack to refresh the access_token once it expires. So once you get access_token by SSO - even if it was expired - will be refreshed once you get it - so you can use it and pass to your server without any concern is it token expired or not - token will be valid.
A quick overview of the problem.
I have a client application that will use IDS to authorise access to a google service on behalf of the end user.
However, the client application isn't, itself responsible for talking to google. There is a Server app that does some magic with the user's data on his behalf.
Now, if I understand things correctly, the server app will use the Access Token supplied by the client app to talk to google. What happens when that access token expires? As I understand it the client application is expected to use the refresh token to as for a new access token.
Is there an issue with the server using this refresh token to update the access token? What flow am I supposed to use to make this magic happen?
A server using a refresh token to get a new access token is a valid use case.
If you're working with OAuth you can use the Client Credentials or Resource Owner flows to use refresh tokens, otherwise for OpenID Connect you'll need to use Authorization Code or Hybrid.
I read the documentation in the Youtube developers website it does not talk about any validity.
Does the OAuth 2.0 standards define any validity period or is the authorization token valid till the user revokes it manually ?
The OAuth spec defines that the token should expire shortly after its granted, so will it expire after I get the
access and refresh tokens ?
And can I use this access token for all future API requests or do I need to get a new token periodically ?
I'm assuming you are talking about the authorization code, you're mixing the terms a bit here.
From the OAuth 2.0 draft:
The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
After using it once for getting the access token, you can not use it again. You also don't need to retrieve an authorization code periodically. You do this only when you have no access token for a user, but want to request his data.
Your access token some time expires. You know when by either looking at the expires_in value that got send with it, or by doing a request to the API and getting an access token expired error back. Then you can use the refresh token to get a new access token without the user being involved.
Very useful step-by-step guide about how to get access and fresh tokens and save them for future use using YouTube OAuth API v3.
PHP server-side YouTube V3 OAuth API video upload guide.
The good thing is, you do not need to worry about the expiry of the tokens, as the script in this guide checks, saves, and updates the token in a txt file for future access.
{"access_token":"XXXXXXXXX","token_type":"Bearer", "expires_in":3600, "refresh_token":"XXXXXXX", "created":000000}
We use at http://presentationtube.com and it works fine with thousands of users.