I'm using the Facebook iOS SDK. In my code I have authorized my app with the default permissions, so my session is valid until the expiration date is reached. However, after the expiration date is reached, I attempt to reauthorize in order to "refresh my OAuth token", as asked before.
However, when I attempt to reauthorize, it displays a dialog saying I have already authorized my app, even though I expect it to just update my OAuth token without a dialog. According to facebook, this is possible:
When you redirect the user to the auth dialog, the user is not
prompted for permissions if the user has already authorized your
application. Facebook will return you a valid access token without any
user facing dialog.
However, I do get a dialog and I'd like to know how I can refresh the access token without getting the dialog.
A recent commit in the Facebook iOS SDK project included an "extend access token" method for extending an expired token.
More information about this and the deprecation of "offline_access" is in Facebook Developer's blog post.
A possible work around is to request offline_access as a permission. Then the access token only expires when:
The user logs out of facebook
Changes their password
Revokes permissions for your app via the facebook website
If anyone has a better answer id like to know too. Requesting offline access for my app could look a bit suspicious (even though the only reason I need it is for non-expiring access token, I wont actually be accessing a users account when their not using my app).
Related
I am working on graph api to get user's liked pages videos. I have read https://developers.facebook.com/docs/ and requested for user_action.videos from Facebook. Now things becomes more confusing for me when i read about 1- OAuth Authentication, 2- temporary/long-lived access token and 3- test user as well.
1- As i believe as per my reading that OAuth Authentication for user is not required as it is done by FB SDK automatically. Is it right and if its wrong then how to authenticate user while using FB login dialogue as there is no URLRequest call in latest FB SDK login button?
2- After login through dialogue, I am getting an access token which is an expiry token and to keep user logged into my App; I have to convert that expiry token to long-lived token for 60 days every time when token is going to expire?
3- Is there any need for creating Test User in Facebook developer portal. Is there any role of it in development?
Any help would be greatly appreciated.
I'm currently working with Doorkeeper (+Devise) for a Rails server and trusted iOS app. I've got an implementation working but I am confused on a few things. I have already read the wiki on this: https://github.com/doorkeeper-gem/doorkeeper/wiki/Interacting-as-an-OAuth-client-with-Doorkeeper
The current flow:
User logs in with username and password in iOS app. This is sent to https://myserver.com/api/log_in
Server checks credentials and logs in user with Devise. Then it responds with the access_token using the Doorkeeper::AccessToken.find_or_create_for() method.
iOS app saves this token and sends it in Authorization:Bearer the_access_key for all future API calls
So far so good (i.e. the above is working in my test). The questions I have are:
Refresh tokens - should the iOS app check if a refresh is required pro actively (i.e. comparing the access_token created_at and expires_in and then based on the result of this refresh the token), or should it just try to refresh on a 401, and if the refresh also gets a 400/401 then stop and log out user on iOS?
Changing password elsewhere and revocation of tokens. If the user changes their password on the website (using Devise), then all iOS app tokens for that user should be revoked. The refresh token should also fail and the user prompted to log in again on iOS app. I haven't found documentation suggesting best practice for this. From my tests this does not happen automatically in Doorkeeper, and the access_token is still valid for use. What is the best/correct way to handle this scenario?
Thanks in advance for your time.
I have a website where people can post blogs. I want the blogs to be automaticly posted to a Linkedin account connected to the website. So the person posting the blog is not the owner of the linkedin account.
I use the Sharing API from LinkedIN to do this, but this requires the administrator of the linkedin account to refresh the Oauth token every 60 days. I know this is a security thing to prevent illegal use of accounts. But in this case its always my own linkedIN account. Is there a way around this? mabe by using the app key and secret instead of the acces token?
The LinkedIn API docs (https://developer.linkedin.com/documents/handling-errors-invalid-tokens) say:
In the case the access token is already expired, your application will
go through the same authorization flow as previously described.
However, the login dialog will be shown to the user as they will need
to grant access to your application again.
so there's no way around that. But what you could do is go through this flow before the access token has expired. The docs say:
Simply have your application go through the authorization flow in
order to fetch a new access token with an additional 60 day life span.
When the following conditions exist:
User is still logged into Linkedin.com The current access token isn't
expired (within the 60 life span) We will automatically redirect the
user back to your redirect_uri without requiring them to reauthorize
your application. If they don't exist, we'll prompt them to login and
then redirect them.
In my iOS app I am logged into Facebook via iOS Settings.
If the user removes the app from Facebook or changes his password, the token is expired and invalid.
My app detects this and calls:
[FBSession.activeSession closeAndClearTokenInformation];
then asks the user to login again.
However, after the user is logs in, the authToken provided by the FBSession object is the SAME expired token.
This is a problem because I use the auth token server side to authenticate certain requests.
Right now it seems the only way to remedy this is to remove the FB account from the iOS settings and recreate the FB Account.
Am I wrong in my assumption that closeAndClearTokenInformation is supposed to reset everything? Is there another method I should use?
I'm working on an iOS app which uses login via linkedin. I'm using a web view for the user to login and getting the token from linkedin. If i understand it correct, The token which i received is valid for short period and hence i need to make a call to linkedin with the existing token to get a new token with the extended period. Can you please let me know what api I should call to refresh the token to get the new token with the extended validity?
I'm currently using https://github.com/jeyben/IOSLinkedInAPI
According to LinkedIn there is no direct API to call to refresh a OAuth 2 token. What's supposed to happen is if:
The user is logged into LinkedIn
They have a current (less than 60 days old) token
pointing them to the authentication url will trigger a refresh of their token, without needing the user to log in.
In using the iOSLinkedInAPI library, this didn't seem to be the case.
What I figured out was, the authentication flow wasn't generating a login session cookie from LinkedIn in the iOS simulator or on a device, so requirement 1 was never being met.
You need to have the user login through the regular LinkedIn login page, and this gets you that session cookie, which you can cache. After you send the user to authenticate your app, you can load that cached cookie into the NSHTTPCookieStorage sharedHTTPCookieStorage each time you want to call the authentication URL to refresh the user's token.
I created a helper class with an example if you want to check that out:
iOSLinkedInTokenAuthorizer