I'm trying to implement a "Login with twitter" functionality into my site and I've been digging up some tutorials on it.
Correct me if I'm wrong, the oauth_token and oauth_token_secret values changes whenever a user requests for them. Also I noticed that there isn't any practical use for the stored oauth_token and oauth_token_secret
As such is it necessary to store and update oauth_token and oauth_token_secret frequently in the database?
You're correct that the OAuth tokens may change if you request them again -- but if you don't request them again, they don't expire for a very long time. Therefore, the best strategy is to request OAuth tokens once when your user registers, store them in the database, and keep using the same ones, without requesting new ones the next time they sign in.
Of course, when you make a call later, you may find that the OAuth tokens are now rejected. This can happen for a number of reasons, most likely the user has revoked access from the Twitter settings page. At that time you should request a new set and overwrite the old ones. But it is unnecessary to do so unless the old ones stop working.
Related
I have a webapp which lets the user OAuth 2.0 to youtube & after exchanging the authorization code I can capture the access_token & refresh_token into my database .
Can these tokens be maliciously used later by me , say after 2 weeks , to delete the poor user's video using /yoube/v3/delete or some other operation like insert badly formed captions ..
& if this could be done isn't this a security breach cause the poor used who has accidentally consent ouath into my application & got his access_token & refresh_token & other info captureded by my back-end
So basically when someone consents ouath's to an application ...the user is now on the mercy of the application...like information could be stored or deleted or anything
If yes? what can the poor user do to unlink & how would the user even know that video's are getting deleted by someone else ?
Access tokens are short lived tokens which will work for one hour after that time you will need to use the refresh token to request a new access token.
Your refresh token should not expire except.
if it has not been used for six months.
If a user authenticates your application they get a new refresh token, If they authenticate your application again then will get another refresh token. You can have up to 50 outstanding refresh tokens all will continue to work until you go over that number then the first one will expire.
The user can also revoke your access though their account at any time.
Don't bother storing the access token just store the refresh token, and make sure that if your user authenticates your application again that you replace the refresh token in your database with the new one.
If a user grants your application offline access which will give you a refresh token. Yes they are at the mercy of your application which can do what ever you have been granted access when ever.
Note: it can take a while to go through the verification process with the YouTube API start early.
I've seen this issue in a lot of questions, but so far, none seem to apply to my situation.
The problem we are having is we are getting an "invalid_grant" error when we attempt to get an access token. This only happens to some accounts, but when it does happen, in every case I looked at, the refresh token worked before, and now has stopped working. This is happening far to frequently for it to be customers revoking access (seems to be nearly 20% of the channels we manage in the last couple weeks have been invalidated).
As a note, we have a backend process that uploads the videos to our customer's YouTube channels.
We use OAuth2 to get a refresh token, here are the parameters we send...
scope = "https://www.googleapis.com/auth/youtube",
client_id = "",
response_type = "code",
access_type = "offline",
approval_prompt = "force",
redirect_uri = "http://www.us.com/OAuth/YouTube"
NOTE: for client_id we use the email address that is in the Google API manager (or was, I just looked and it is no longer there). We used to use the client ID from this page, but that caused us problems as well. Did this change? Should we be using the client ID from this page now?
We exchange the code that is returned for a refresh and access token and store the refresh token in our database.
The backend process exchanges the refresh token for an access token and this is where we seem to be getting the "invalid_grant" error.
Guaranteed only a single access token for the channel is in use at any time (25 limit doesn't apply). We don't store the access token, we get a fresh one every time we process a channel.
Any ideas what might be happening? Something to look for? See note above about client ID. This might have something to do with it, but I'm hesitant to try it since using the "Client ID" from the API manager caused problems before.
Guaranteed only a single access token for the channel is in use at any time (25 limit doesn't apply). We don't store the access token, we get a fresh one every time we process a channel.
This statement is incorrect: Access tokens can be used as many times as you need while they are still good (for an hour).
Answer:
"invalid_grant" basically means that your refresh token no longer works. The only solution to the problem is to request access again and get a new one. The question should be why is it expiring in the first place.
Assuming that the user did not revoke access, and that the refresh token has been used to request a new access token within the last six months. This is probably an issue with it being over written.
When a user authenticates your application you are given a refresh token. This refresh token is associated to the client id of your application and the user who has just authenticated. If said user then authenticates your application again you will get another refresh token. Again this refresh token is associated to the user and your projects client id. Both of these refresh tokens will work. Your user can keep doing this up to 25 (Note I think the changed it recently to 50 but I haven't tested it with all APIs yet) once they have hit this magic number the first refresh token will expired and if you try and use it you will get an invalid grant.
The only solution is then to just request authentication again. It is important to always save the most recent refresh token that your user has granted your application. In the event (like me) you have an application that is stored on a number of servers all requiring authentication. Your going to have to tell them not to refresh it to many times or they will have to go back and reauthenticate the first one that they expired.
If this is happening with ALL of your requests. You can also check that you server is sync with (NTP) and that you are sending the payload of your request in the post field. Not attached to the authentication end point like a HTTP GET (been there done that).
Here are the possible reasons why a token stops working and becomes invalid:
The user has revoked access.
The token has not been used for six months.
The user changed passwords and the token contains Gmail scopes.
The user account has exceeded a certain number of token requests.
As you can see, it's not recommended that you request a fresh one every time you process a channel. As also mentioned in Token expiration:
If you need to authorize multiple programs, machines, or devices, one workaround is to limit the number of clients that you authorize per user account to 15 or 20. If you are a Google Apps admin, you can create additional admin users and use them to authorize some of the clients.
With regards to the use of client_ID, it is usually needed to call the sign-in API as mentioned in Creating a Google API Console project and client ID.
And lastly, this Google Groups discussion - OAuth 2.0 400 - error:invalid_grant and ideas? might also help.
I have developed a rails application that allows a user to login using their google account and then the application fetches the emails and parses them for information.
All this works fine, but I am facing issues with access token become invalid, hence I have been looking into refreshing the token. I found some code at:
https://stackoverflow.com/a/14491560/718087
With this code I have been able to get a new access token that works. But I have a few questions:
How many times can I use the same refresh token I got the first time? or do I need update my refresh token as well, each time I get a new access token? note: application is setup with offline access.
Do I need to refresh the token before it expires or it will still return to me a valid token after the old access token has expired? This will allow me to decide an approach as to when I should refresh the tokens - a: right before fetching the emails, b: automatically before the token expires via delayed jobs or something (this would add quite a overhead though)
I have gone through the api docs but could not find answer to my these specific questions. Please excuse my overly detailed queries.
Thanks,
Aditya
Refresh tokens never expire, unless revoked by the user. You should store it safely and permanently. You should definitely not go back and get new refresh tokens over and over, because only a certain number can be understanding per user/app combination, and eventually the older ones will stop working.
In answer to your question: "Do I need to refresh the token before it expires or it will still return to me a valid token after the old access token has expired?"
I have a rails app, and I check for expiration & refresh token existence:
if client.authorization.expired? && client.authorization.refresh_token
#then I refresh here...
So the answer is, Yes you can (and probably should) wait until your access token expires, and then refresh it.
This is an open ended question that I was curious what people thought: Does it make sense, when you have an app that uses twitter Oauth for authentication to set a "Remember Me" cookie? This way, it wouldn't have to hit the Oauth service and could recreate the session if it's been in a set time period?
I hope this is clear. Curious about your thoughts.
It just depends on how long you want to wait before you send users back through the Sign in with Twitter auth flow. If you have cookies last for a long time they don't have repeat the flow as often but if someones steals the cookies they will have access for a longer period of time. On the downside if they log out of Twitter and the cookie expires they then have to authenticate with Twitter. It really depends on what kind of security and token expiration makes sense for your web application.
OAuth has nothing to do with cookies. You should be storing your access token and using it until it expires. The access token expiration is a server controlled process and you must handle a case where you are given HTTP Unauthorized and go get a new access token.
Having a "remember me" functionality in your app is your app logic. You still can control if you want to show Twitter's auth screen to the user every time or not. Just keep in mind that if your expiration timeout is longer than twitter's access token lifespan then you'll have to make end user authenticate again.
It shouldn't matter. When the app uses OAuth, it gets back a token that it should store with your account information. Then, when you come back, it can look up the token and use that for access to your Twitter account.
If you don't have a cookie, you can just log in to the app, and it will have your token stored. If you do, then you can skip that login step. In neither case will you have to log in to Twitter again (until the token expires).
I have a Twitter web app that allows users to submit tweets from my site. However they have to re-login every time they submit a new tweet. Is there a way to save the OAuth session and don't prompt the login screen until users clear their browser cache?
When you get the callback from Twitter after the user has validated you, you'll receive an auth_token in the headers of the request; you're meant to cache that token, and supply it every time the user makes a request.
It sounds like you're not caching that token and supplying it when the user makes a request.
You need to store the oauth_token, you can use the same for all requests.
On the FAQ of Twitter API
How long does an access token last?
We do not currently expire access
tokens. Your access token will be
invalid if a user explicitly rejects
your application from their settings
or if a Twitter admin suspends your
application. If your application is
suspended there will be a note on your
application page saying that it has
been suspended.
you need a db tables called user and user_tokens. Inside the user you have: id, user_oauth_secret, user_oauth_token. Inside the the user_token you need this columns: id, user_id, token, created, expires. make sure this token is unique (and long) with some random hash. now you can save this token to the user's cookie and find the right oauth data later.
You need to store two tokens.
When you make the OAuth request the first time, it will show the Twitter auth screen. After auth, your OAuth callback page will get two query string parameters, "oauth_token" and "oauth_token_secret" for the user. You need to store these (probably in a database) somewhere.
Then, when you request OAuth permission again from Twitter, send the two tokens, and the user will automatically be authorized.
You shouldn't have to code this yourself. There are plenty of OAuth libraries out there.
You have to maintain a long session with the user and save the access tokens. Cookies are commonly used to recognize users.