Does Twitter OAuth allow a user to authorize a consumer for a long period of time?
For example, if a user uses a consumer app that generates status updates automatically, can the user authorize that consumer once and then let it send status updates for the following 12 months?
Yes. When the user presses the "Allow" button, the 3rd party app gets an access token that has an indefinite expiration time. Currently tokens are valid until the user revokes them.
http://apiwiki.twitter.com/OAuth-FAQ#Howlongdoesanaccesstokenlast
When a user Allows your application they are returned to you with the original request tokens. These have a limited window before they expire, to avoid brute-forcing. Those request tokens can be exchanged for access tokens, which currently do not expire.
Users can revoke the access tokens at anytime though.
I have a webapp which lets the user OAuth 2.0 to YouTube, and after exchanging the authorization code I can capture the access_token and refresh_token into my database.
Can these tokens be maliciously used later by me, say after 2 weeks, to delete the poor user's video using /youtube/v3/delete or some other operation like inserting badly formed captions?
And if this could be done, isn't this a security breach, because the poor user who has accidentally consented OAuth into my application has had his access_token, refresh_token and other info captured by my back-end?
So basically when someone consents OAuth to an application, the user is now at the mercy of the application: information could be stored or deleted or anything.
If yes, what can the poor user do to unlink, and how would the user even know that videos are getting deleted by someone else?
Access tokens are short-lived tokens which will work for one hour; after that time you will need to use the refresh token to request a new access token.
Your refresh token should not expire, except if it has not been used for six months.
If a user authenticates your application they get a new refresh token. If they authenticate your application again, they will get another refresh token. You can have up to 50 outstanding refresh tokens; all will continue to work until you go over that number, then the first one will expire.
The user can also revoke your access through their account at any time.
Don't bother storing the access token, just store the refresh token, and make sure that if your user authenticates your application again you replace the refresh token in your database with the new one.
If a user grants your application offline access, that gives you a refresh token. Yes, they are at the mercy of your application, which can do whatever you have been granted access to, whenever.
Note: it can take a while to go through the verification process with the YouTube API, so start early.
I would like to ask the user to authorize my application only once and then be able to use his credentials to make DocuSign API calls even when he is not connected, to perform automatic operations.
I am currently using Authorization Code Grant, but what can I do to never ask the user to authorize my application again?
An excellent question. Here's an answer:
When using the Authorization Code Grant with the user, include scope extended in addition to scope signature.
After the user authenticates and grants consent, your app will receive an access token (good for 8 hours) and a refresh token (good for 30 days).
Then when your app needs to use the DocuSign API, use the access token (whether the user is present or not). If it doesn't work, then use the Refresh Operation to obtain a new access token (good for 8 hours) and a new refresh token (good for 30 days from the time of the refresh operation).
Result: Your app will always be able to use either its current access token for the user to do operations on behalf of the user, or will be able to get a new access token for use.
Caveat: Your app will need to use the refresh operation at least once every 30 days otherwise the refresh token will expire. In that case, the user will need to re-authenticate via your app and the Authorization Code Grant flow.
Corner cases: Since the user can withdraw consent at any time, your app should gracefully handle that case.
Note: Since the refresh token lasts 30 days, you'll want to store it in durable storage (e.g. a DBMS), not just in memory.
I have a client side application that uses microsoft graph api.
In the following scenario:
User Logs into application
User removes consent while token is active
User performs actions that calls API. App can still call APIs even though consent was removed until token expires after 1 hour
Should the token be invalidated and the API routes return 401? Is there an API I can call to check if the application has permission? If not, am I safe to assume that as long as the token is active I can make API calls?
If this user logs out and logs back in, everything works as expected, since the user is required to allow the app the scopes required.
This is correct: access tokens cannot be revoked and are valid until they expire. Refresh tokens, however, can be revoked, thereby preventing an application from retrieving a new access token.
I'm writing an app that needs to periodically get reports and update campaigns for a few users. The app can access their accounts now when they login and authorize, but what I want/need is for oauth to give access to the app to access their accounts whenever the script has to run. Is this possible?
Yes, it's possible. The relevant documentation is here.
You need to add access_type=offline to your request for an authorization code. The user will then be prompted to grant offline access to your script in the consent screen, and once he accepts, the response to your app will include a refresh token. Refresh tokens don't expire and can be used to generate new access tokens.
Note that if you lose a refresh token, you'll need to request authorization from your user again; this can be done by including prompt=consent in the request.
We are working on a project that uses Asana's API for integration. When a user authorizes the app to use Asana, we get the access token which is valid for an hour. In addition to that we also get a refresh token that can be used to renew the access token in future.
Could you please let us know how long that refresh token will stay valid for?
Refresh tokens are valid for 10 years, or until the user explicitly revokes the authorization.