I'm interacting with a custom APEX service which obviously require OAuth authentication. I can easily authenticate and authorise my application. Everything works fine.
However, the access token I receive tends to expire.
Of course, I can refresh it by sending a refresh_token. Sounds great.
The problem is I don't receieve a refresh_token in a response from SalesForce.
I do send requests to [instance].salesforce.com/services/oauth2/token, I also tried to using login.salesforce.com/services/oauth2/token, but I cannot find 'refresh_token' in the response. There's everything apart from it there!..
Please check Selected OAuth Scopes section, which is needed to be enabled Perform requests on your behalf at any time in order to get the refresh token.
Сreate > Apps > API (Enable OAuth Settings) > Selected OAuth Scopes.
I've solved the problem thanks to my wonderful colleague.
I should have added 'refresh_token' to the scope when retrieiving an auth code.
Related
After users sign in, grant permission, and redirect back to my app. I got something like this
{"state"=>"xxx",
"code"=>"yyyy",
"id_token"=>"zzzz",
"user"=>"{
....
}"}
Which is everything I need to create a user account, but the OAuth flow isn't finished yet. For a normal flow, we would use that code to fetch access token from https://appleid.apple.com/auth/token
https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens
My question is, should I do that? It seems to add no value to the current situation.
Basically generate_and_validate_tokens is only if you are using web-based login. If you are using Authenticationservices, then framework handles all the authorisation logic for us. Hence fetching access token from https://appleid.apple.com/auth/token is not required.
Apple is returning id_token directly after user authorization in the call-back response if you request for it, which seems to be your case as well. If you just need users identity to create an account or sign in the user to an associated account on your side, you do not need to fetch access/refresh token by exchange code against the /token api. Just make sure to validate the id_token as mentioned in Verify the Identity token before getting the user details from it.
Exchange of authorization code for access/refresh/ID token will be necessary if you do not request id_token in the initial authorization request and you need users identity to proceed. You can then fetch it as per Retrieve the User’s Information from Apple ID Servers
I have really hard time trying to understand mostly how should I implement my authorization flow. I think I have the authentication flow mostly correctly implemented using the technologies I've listed in the title. Here's what I want to achieve:
Basically I have a mobile app built using React-Native and I have made a restful API for this mobile app to use. I am currently at the point that I have implemented authentication using ADFS 4.0. My mobile app directly uses the ADFS endpoints to authenticate the user and I am able to receive the id_token and access token correctly from there. But here comes the part that I have no clue what to do next. Before I used openID, I had my own authentication and just an OAuth2 flow in my Spring REST Api and everytime I made a request from the mobile app to the API, I provided the access token in the headers, and used it to verify from the authorization server that the user is indeed authenticated and also received some crucial information about the user to use in my API. But now since I use OpenID-Connect and ADFS 4.0 for the authentication, I have the cruicial information I need in my API in the id_token. The question is, what exactly should i send to my API now from the mobile app, the id_token, access token or both? Given the access token to the userinfo endpoint at the ADFS returns the subject of the owner of the token. Like is there any way I could receive the users info using the subject or what exactly should I do. I've tried to research this subject a lot, but I am still very confused..
Send the access token to the API in the Bearer header. In the API, validate the token and, if required, do user info lookup. A Spring example of mine here if it helps.
Happy to answer any follow on questions ..
With LinkedIn's planned deprecation of their JS SDK, is there any way to complete the OAuth2 flow and obtain an access token from the client-side, without using a server-side proxy to exchange the auth code for the token?
According to this SO post, LinkedIn does not allow for an implicit grant flow. It's from 2015, but appears to still be relevant.
Is there any alternative way I can obtain an access token for a user who authenticated with LinkedIn, without hitting a self-hosted proxy? My application only needs basic profile data for the user.
Edit
To provide more context, the error I receive when making the second request to https://www.linkedin.com/oauth/v2/accessToken is No 'Access-Control-Allow-Origin' header is present on the requested resource. The same request made from postman works fine and returns the access token. I understand this CORS issue comes down to browser policy. Right now I'm testing from localhost over https. Once the front end code is deployed to a proper domain, will the error persist? Is there any alternative way to get around this?
Thank you!
I am working with Cloudfoundry UAA
I am not sure if it is possible in standard oauth2.
The situation is ->
User logs into the app
He receives an access_token and refresh_token
He can keep on acquiring new access_tokens which has original scopes
His access permission changes so new scopes are added for him
Now I need a new access token, without him to log in again.
Is it possible that I can use the same refresh_token and ask for access_token with modified scopes?
Thanks in advance!
In a word no. This would be a violation of the user's Trust.
And in case you have not heard, that is a bad thing.
There is an Internet Draft RFC OAuth 2.0 Incremental Authorization (put forth by Google)
There is some talk about it here.
A quick overview of the problem.
I have a client application that will use IDS to authorise access to a google service on behalf of the end user.
However, the client application isn't, itself responsible for talking to google. There is a Server app that does some magic with the user's data on his behalf.
Now, if I understand things correctly, the server app will use the Access Token supplied by the client app to talk to google. What happens when that access token expires? As I understand it the client application is expected to use the refresh token to as for a new access token.
Is there an issue with the server using this refresh token to update the access token? What flow am I supposed to use to make this magic happen?
A server using a refresh token to get a new access token is a valid use case.
If you're working with OAuth you can use the Client Credentials or Resource Owner flows to use refresh tokens, otherwise for OpenID Connect you'll need to use Authorization Code or Hybrid.