How long does an old FCM token stay valid for after a new FCM one is issued? - firebase-cloud-messaging

I can't seem to find documentation on the exact period of time after which an old FCM token becomes invalid once a new FCM token is issued to the same device. Any insights would be appreciated.

Related

Wix API - Refresh Token Expiry?

I am working on an integration for the Wix API. As the documentation mentions the access token lasts 5 minutes, and the refresh token should be used to request a new Access Token and refresh token pair.
However, they don't mention how long the refresh token lasts. Am I therefore to assume that unless the App is removed and the permission revoked to the store, a refresh token will last indefinitely?
For example EKM mention in their documentation that refresh tokens last 15 days, but Etsy refresh tokens last 90 days.
Is there anyone with experience that has discovered their lifetime?
Sorry - as I continued the process to integrate I came across another area of the documentation I hadn't spotted before which states:
Note:
Access and refresh tokens are user-specific. Access tokens are valid for 5 minutes. Refresh tokens are valid as long as the app is installed on the user's site.

Any way to get more details on GCM failure?

I'm currently working on a push notification API that will work with several apps at once, handling notifications and reducing programming time for future apps. It's already partially working, as I'm able to register and receive notifications on Android devices.
Eventually, one of our apps is gonna send broadcast notifications to registered users. But some tokens might be expired, which will lead to a GCM failure. I already tested, and it seems that sending an array of tokens to GCM with a single http call is working really well, as devices with valid tokens got their notifications.
What I wasn't able to find searching GCM documentation was a way to get more details in case of failure. For example, when I send a notification to two users, one with a valid token and the other with an invalid one, I got this result :
    {
      "multicast_id": 7625209716676388798,
      "success": 1,
      "failure": 1,
      "canonical_ids": 0,
      "results": [
        {"error": "InvalidRegistration"},
        {"message_id": "0:1466511379030431%c4718df8f9fd7ecd"}
      ]
    }
We can see that one of the messages failed to send, but what I'm looking for is a way to get more details, ideally the token that leads to a failure, so I can remove it from my database.
Any way to achieve that ? Using the message_id maybe ? Or is there any solution for me to find invalid tokens stored in my database so I can clear them ? I might have missed something in the documentation, even a link to it would be useful.
Based on this documentation, the GCM server will respond to your server with some information about the token you used to try to send the push notification.
According also to this link, if the app server fails to complete its part of the registration handshake, the client app should retry sending the registration token to the server or delete the registration token. Wiping old tokens from the GCM servers can be done with InstanceID.deleteToken().
Check these links:
How to remove gcm id from server which is not used
GCM get invalid tokens when sending to multiple devices at once
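An added example, not part of the original posts: GCM returns the `results` array in the same order as the `registration_ids` sent in the request, so the failing token can be recovered by index. The token strings below are constructed placeholders and the function name is hypothetical; the response body is the one shown in the question.

```python
import json

# Error codes that mean the token will never work again and should be deleted.
PERMANENT = {"InvalidRegistration", "NotRegistered"}
# Error codes that are transient: keep the token and retry later.
TRANSIENT = {"Unavailable", "InternalServerError"}


def triage_multicast(registration_ids, response_body):
    """Pair each entry of "results" with the token sent at the same index."""
    response = json.loads(response_body)
    results = response["results"]
    if len(results) != len(registration_ids):
        raise ValueError("results length does not match the tokens sent")

    plan = {"delete": [], "replace": {}, "retry": [], "other": {}}
    for token, result in zip(registration_ids, results):
        error = result.get("error")
        if error in PERMANENT:
            plan["delete"].append(token)
        elif error in TRANSIENT:
            plan["retry"].append(token)
        elif error is not None:
            plan["other"][token] = error  # e.g. MismatchSenderId: needs review
        elif "registration_id" in result:
            # Delivered, but GCM reports a canonical ID: store the new value.
            plan["replace"][token] = result["registration_id"]

    # Cross-check against the summary counter in the same response.
    failed = len(plan["delete"]) + len(plan["retry"]) + len(plan["other"])
    if failed != response["failure"]:
        raise ValueError("failure counter disagrees with results")
    return plan


# Constructed sample: placeholder tokens in the order they were sent, and the
# two-device response body from the question.
SENT = ["token-for-device-A", "token-for-device-B"]
BODY = """{"multicast_id":7625209716676388798,"success":1,"failure":1,
"canonical_ids":0,"results":[{"error":"InvalidRegistration"},
{"message_id":"0:1466511379030431%c4718df8f9fd7ecd"}]}"""

if __name__ == "__main__":
    print(triage_multicast(SENT, BODY))
```

Deleting only on permanent errors keeps a temporary GCM outage from wiping valid tokens out of the database.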

GoogleCredential OAuth access token invalid_grant error

I'm trying to acquire a 2 legged oauth2 access token for google's storage api through a service account.
The relevant documentation is contained here:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
I first attempted to acquire the token through their HTTP/REST api. I eventually gave up, being unable to get past a 400 response with the following details:
{ "error" : "invalid_grant" }
I then turned to the recommended method: using the java Google api client library (I'm using scala).
    val credentialBuilder = new GoogleCredential.Builder()
      .setTransport(GoogleNetHttpTransport.newTrustedTransport())
      .setJsonFactory(JacksonFactory.getDefaultInstance())
      .setServiceAccountId(Configuration.GoogleAPI.ServiceAccount.email)
      .setServiceAccountPrivateKeyFromP12File(new File(Configuration.GoogleAPI.ServiceAccount.pkcs12))
      .setServiceAccountScopes(Collections.singleton(StorageScopes.DEVSTORAGE_FULL_CONTROL))

    def updateToken = {
      val credential = credentialBuilder.build()
      credential.refreshToken()
      // ... do stuff here with token
    }
Running the above, I get a TokenResponseException, with a payload identical to the error I was getting directly accessing the REST api. 400 Bad Request, invalid_grant error.
Doing some research (on both stackoverflow and elsewhere), I find that the most common reasons for this error message are:
1) The local clock is not synced with Google's servers. I suspected this even back when I was using the REST api because I've encountered this issue for other services before. I'm fairly sure it's not a clock issue however, because I have repeatedly synced my clocks with an external ntp server:
    sudo ntpdate -s ntp.ubuntu.com
2) The other common cause for this error is setting the service account client ID incorrectly. Most people set it to their service account client id (ending with "apps.googleusercontent.com") instead of their service account client email. It's pretty clear that this isn't the problem, since I'm correctly pointing to the email (the docs instructed this, so I followed the directions), ending with "#developer.gserviceaccount.com".
I'm stuck. I've checked the user documentation, the javadocs, various forums. The error message isn't very helpful (probably designed that way, since it's a security endpoint).
What other possible causes for this error exist? What can I do to get my service account access token?
If you are using OAuth2.0 to access a google analytics account then there could be one more reason of getting invalid_grant. As per developer docs:
If the application attempts to use an invalidated refresh token, an
invalid_grant error response is returned. The limit for each unique
pair of OAuth 2.0 client and Google Analytics account is 25 refresh
tokens (note that this limit is subject to change). If the application
continues to request refresh tokens for the same Client/Account pair,
once the 26th token is issued, the 1st refresh token that was
previously issued will become invalid. The 27th requested refresh
token would invalidate the 2nd previously issued token and so on.

OAuth v2 (Google API) expiry Access Token

I am building an integration component using a graphical framework that has a pre-built OAuth2 connector.
This framework requires the following fields for OAuth v2:
Grant type
Scope
Auth Server URL
Client Id
Client Secret
Access Token
Refresh token
I need to get data from Google Analytics API, so I went to Google Dev Console
(https://console.developers.google.com/project/927890000889/apiui/credential). I generated a 'Client ID for web application'. From the parameter of this object I was able to fill some of the parameters above
Grant type : 'authorisation_code'
Client Id : 'RANDOMCHARSam5o37nsiu730d.apps.googleusercontent.com'
Client Secret : 'RANDOMCHARSiSwBA5OH5qYLUa'
Then using Google Oauth Playground (https://developers.google.com/oauthplayground) I was able to fill the missing bits
Scope : 'https://www.googleapis.com/oauth/analytics'
Auth Server URL : 'https://accounts.google.com/o/oauth2/auth'
Access Token : 'RANDOMCHARSQAQv4HRF5-JsQEzUS61lj2YremyCocv0PQ4-agpzJe'
Refresh token : 'RANDOMCHARSLPJnL4FPaDc2KP6V8kCzjjHO2Kj4Np_3X0'
Everything works fine, I am authorised to access and I get data from Google Analytics, but just for a while; after a few minutes, if I retry, I receive an authorisation failure error.
I believe that the problem is related to the expiration of the Access Token, but I don't know how to solve that.
It is worth mentioning that this activity is batch (no human interaction), so nobody can request a new access token.
The integration framework is not extensible (I cannot write code to renew the code) so I believe there's a way to get an access token that never expires or some other mechanism to achieve the same result.
Bottom line, I am not sure if I approached the requirement correctly since the beginning (Client ID for web application).
Any help is much appreciated,
Giovanni
Access tokens typically expire after 60 minutes. If you have a refresh token you can use the refresh token to get a new (valid) access token.
This doc explains how to do that:
https://developers.google.com/accounts/docs/OAuth2WebServer#refresh
To answer your overarching question, yes, you are approaching everything correctly. All you need to do is handle the case where the access token has expired by refreshing it. Also, when you originally requested the access token the response should tell you how long it's valid for, so you should only refresh that token if it's expired.
You can use refresh tokens to make it last longer.
Refresh tokens issued by the Google Auth server never expire.
A token might stop working for one of these reasons:
The user has revoked access.
The token has not been used for six months.
The user changed passwords and the token contains Gmail scopes.
The user account has exceeded a certain number of token requests. There is currently a limit of 50 refresh tokens per user account per client. If the limit is reached, creating a new token automatically invalidates the oldest token without warning.
This limit does not apply to service accounts.
from: https://developers.google.com/identity/protocols/OAuth2

Quickbooks API reconnect issue

I've been implementing connectivity to Quickbooks via the v3 API with ColdFusion, and have most everything working except reconnect (https://appcenter.intuit.com/api/v1/connection/reconnect). I can get customer info, create/update invoices, etc, but no luck with reconnect.
From my app I get an Error Code 22 (Authentication required), but I'm sending the same auth header that I send for any of the other API call to access a protected resource. The oauth spec does not specifically have a "reconnect" action so my question is what specific oauth properties need to be included in the auth header for the Quickbooks reconnect call?
From the oauth 1.0 spec is it the headers for Consumer Requests an Access Token?
oauth_consumer_key
oauth_token
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version
oauth_verifier
Or is it the header sent for accessing a protected resource
oauth_consumer_key
oauth_token
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version
Or, is it some other header set?
Also, I've tried using the Dev Playground to test reconnect, and from there I get a
24 - Invalid App Token
So I'm at a loss at this point. For what it's worth Disconnect works fine :)
Any help, guidance, suggestions would be appreciated.
Thanks
The first issue if you are doing things in the order you specify is that you cannot disconnect first and then subsequently reconnect. The reconnect API must be called with a valid access token, as the current access token will be invalidated and a new access token will be issued.
Secondly, there is a window for calling this API to refresh the 6 month life of the access token, it must be called in the last 30 days. This allows your app to refresh the token without prompting the customer again.
However in all cases if you disconnect, or the customer manually disconnects you cannot call the reconnect API. You need to take them through the authorize flow again.
hope that helps
Jarred
To test reconnect from developer playground, use the following steps-
1. Navigate to IPP Playground- Go to Manage My Apps->Click on your app
Fill in consumer key and consumer secret in links below.
Prod: https://appcenter.intuit.com/Playground/OAuth/IA/?ck=<>&cs=<>
Stage: https://appcenter-stage.intuit.com/Playground/OAuth/IA/?ck=<>&cs=<>
Alternatively, you can navigate to the Manage page for your app on stage or prod and click ‘Test connect to app (OAuth)’. Screen shot attached.
2. Enter the duration you would like for the issued OAuth tokens (e.g., 3600 for successful Reconnect) in the ‘Access Token Duration’ field. Screen shot attached.
3. Click on the Connect to QuickBooks button, go through OAuth flow to authorize a connection to a realm.
4. Under the resulting Post-Connection Interactions heading, click ‘Reconnect API Test’. Screen shot attached.
5. A new page will launch where your OAuth tokens are displayed. Copy these values to your application to test Reconnect
As Jarred mentioned, for dev/live apps there is a window for calling this API to refresh the 6 month life of the access token: it must be called in the last 30 days.
I received this error as well. Error Code 22 (Authentication required) for me meant that the OAuth signature was wrong. This was confusing because I couldn't find this error listed in the Quickbooks documents for reconnect.
I was signing the request as a "POST" request instead of a "GET" request which is what Quickbooks requires for calls to the reconnect endpoint.
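An added example, not part of the original posts, showing why signing as POST breaks a GET call: the OAuth 1.0 HMAC-SHA1 signature base string (RFC 5849) starts with the HTTP method, so the server's recomputed signature no longer matches. All keys, secrets, the nonce and the timestamp are constructed placeholders, and `server_accepts` is a hypothetical stand-in for the provider's check.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

RECONNECT_URL = "https://appcenter.intuit.com/api/v1/connection/reconnect"


def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, sorted parameter string."""
    # Assumes a lowercase scheme and host with no explicit default port.
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    pairs = list(params.items()) + parse_qsl(parts.query)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def server_accepts(presented, actual_method, url, params, c_secret, t_secret):
    """The server signs with the method it actually received and compares."""
    expected = sign(actual_method, url, params, c_secret, t_secret)
    return hmac.compare_digest(presented, expected)


# Constructed placeholder values; oauth_signature itself is never signed.
PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1466511379",
    "oauth_nonce": "constructed-nonce-001",
    "oauth_version": "1.0",
}
SECRETS = ("example-consumer-secret", "example-token-secret")

if __name__ == "__main__":
    for method in ("GET", "POST"):
        sig = sign(method, RECONNECT_URL, PARAMS, *SECRETS)
        ok = server_accepts(sig, "GET", RECONNECT_URL, PARAMS, *SECRETS)
        print(method, sig, "accepted" if ok else "rejected")
```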