I'm trying to get a token valid for a long time and I am not sure how to proceed.
I'm sending data to a Google Sheet on a daily basis so a 24h token doesn't allow me to have this automated.
Thanks
I have since found a way to make my script work. In the script, do not include the access token, ONLY the refresh token.
By having both, it prevented the refresh token of getting a new token and was simply using the expired token.
The generic way of obtaining tokens expiring longer than 24 hours is to get a refresh token. You can start by reading the instructions here:
Using OAuth 2.0 to Access Google APIs
Get Refresh Tokens
Refreshing Access Tokens
Related
Normally Google Access token is valid for one hour but I want to set it to no expiry. How can I do that, please help
Google access tokens are only good for one hour this is Oauth2 standard and can not be changed. You will need to use a refresh token to request a new access token. No idea if that is possible with dialogflow you will likely have to request your user authenticate again after an hour.
OT: Thats an impressive app you are working on if your users will be using it beyond the access token limit.
According to [1], OAuth token maximum lifetime is 1 hour (3600 seconds) and it cannot be changed.
If your intention is that your application may continue working without having to "manually" recreate a new token, then you could try creating a session client that scopes to multiple requests, as described in the Best Practices Dialogflow reference [2]:
"To improve performance, you can use a single instance of a session client object for multiple requests. The session client reuses the same access token for as long as it is valid (typically one hour). Once it expires, the session client refreshes the access token automatically, so you don't need to recreate the session client to refresh your access token. Your request that also refreshes the access token can take an extra second or two".
Please, try this and let me know the results.
[1] https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth
[2] https://cloud.google.com/dialogflow-enterprise/docs/best-practices
I'm here because I wasn't satisfied with what I found on google.
I am generally building SPA's, so for me the process was simple: At succesful login generate a jwt and use it for every request I make from the client.
Someone told me that I should refresh that token and send back a new one for every request I make. Does this make sense for me to do? I mean, if someone is trying to hack me, sniffing the requests will give the hacker the same tokens I receive, so what's the catch?
I mean, what if I launch a request before another one is finished? Teoretically I would send the same token twice and one of the requests will be rejected.
How is this correctly handled? I'm sure there is more to this than what I could think myself.
It is a compromise between security and convenience.
No, you don't need to refresh the token on each request. But you definitely want your JWTs to expire at some point. This is to protect you from JWT theft where malicious user could use stolen access token to gain access to target resource indefinitely.
Here is what you can do to handle token expiration:
Implement a refresh token flow. You will issue an access JWT and a refresh JWT when authenticating. Once access JWT has expired you will use refresh JWT to obtain new access JWT.
Implement sliding expiration. After the half of the JWT validity time has expired you would issue a new JWT. An example of it can be found here. I would recommend to include a deadline to when a token can be expired. For example, initial token validity is for 20 minutes and deadline is 8 hours. After 8 hours of sliding expiration you will stop issuing new tokens.
I have implemented Google oauth2 server flow for web. Now I'm testing it. as I have already given permission to my Application in my own google account I'm not getting a Refresh Token (that is completely normal) but I'm revoking access to my app and trying to sign in again but still I don't refresh token (I get access token and other parameters).
I tried removing cookies after revoking access but it didn't help either. Why I don't get a new access token (while google document says that I will get a new refresh token if the access permission is revoked).
Note That: I don't want to use access_type=offline as I want the users see that my website is only asking for email and basic profile information.
Update:
I found this in google documentation:
Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working.
And I think that I have reached the per client/user limit. Does anybody know how to increase this limit?
Question 1
We are currently using ADFS and OAuth (using Windows Server 2012 R2 with ADFS 3.0). Our test applications (both WPF and mobile apps) can successfully authenticate and get an Access Token and a Refresh Token. We can after that continue to use the Access Token until it expires and after that use the Refresh Token to get a new Access Token.
So far so good, but the problem is when the Refresh Token expires, we need to force the user to enter their credentials again. Our aim is to have the user to only enter their credentials once and then use a short lifetime for Access Token and a Persistent lifetime (or really really long) for Refresh Tokens.
According to some blog posts when using a Refresh Token you should get a new Access Token and sometimes also a new Refresh Token, but in our case we never get a new refresh token, so that one eventually expires.
Is this even possible using ADFS 3.0 and OAuth to have a persistent Refresh Token? or get new refresh tokens from time to time so that the user doesn't have to enter their credentials again? or is it possible to have a really long lifetime for refresh tokens.
Question 2
There is also a lot of different properties you can set in ADFS that we are not sure of
TokenLifetime - This is the access token lifetime? what is maximum value?
SsoTokenLifetime - This is the refresh token lifetime? what is maximum value?
PersistentSsoLifetimeMins - what is this?
PersistentSsoEnabled - I guess should be set to true to have refresh tokens working
This post describes a semi-official answer. Here's an example of setting the required values -
Set-AdfsRelyingPartyTrust -TargetName "RPT Name" -IssueOAuthRefreshTokensTo AllDevices
Set-AdfsRelyingPartyTrust -TargetName "RPT Name" -TokenLifetime 10
Set-AdfsProperties -SSOLifetime 480
For the specified RPT, this would issue access tokens with a lifetime of 10 minutes and refresh tokens to all clients with a lifetime of 8 hours.
The only semi-official guidance I have been able to dig up is this slideset:
http://www.oxfordcomputergroup.com/wp-content/uploads/Access-the-future-Alex-Simons.pdf
which states:
Configurable Refresh token support
Lifetime:
workplace joined device 7 days (PSSO lifetime)
Non-workplace joined device max. 24 hours.
Persistent refresh token support in ADFS sure would be nice, but it seems they see the feature mostly as a tie-in to their mobile device management offerings.
I am a fair way through implementing an actionscript OAuth library which I am initially testing with Google's Drive Api.
I know how you are supposed to refresh an access token using your refresh token but my question is how do I test it?
How do I make my access_token expire so that I test my code that catches the error, attempts a refresh and then re-loads the initial request? If I can only do this once a week (or however often they expire) it's going to take a while to get it right!
Thanks
If you're looking to test your code, you don't actually need to invalidate or expire the access token. Simply make a (say) Drive call with a null access token and you will receive the same 401 response that you would have got with an expired access token.
Well, judging by the lack of responses to this question I am assuming that there is no way to do this.
This page:
https://developers.google.com/youtube/v3/guides/authentication#installed-apps
describes how to revoke an access or refresh token by using this url:
https://accounts.google.com/o/oauth2/revoke?token={token}
but then says:
The specified token can be an access token or a refresh token. If the token is an access token and it has a corresponding refresh token, the refresh token is also revoked.
So if you just want to revoke an access token you aren't able to.
I think the only solution is to wait for the access token to expire (seems to take an hour) then go about testing your app.
I'll be very happy if anyone tells me a faster way to make the token expire.
I handle this testing by simply making note of an expired access_token. Then when I need to test how my app deals with an expired token I simply give the app that expired token to work with. This way, for example, I can test that requests with an expired token will fail as expected.
The easiest way of doing it is using the OAuth Playground 2.0
https://developers.google.com/oauthplayground/
In step 2 especially, you can try refreshing your access token with a refresh token.
Additionally, in the setting (the gear icon), you can set up your own OAuth Credentials to test it out for your own API project.
Im using nodemailer. When setting the options for the transporter object, you can specify an 'expires' time. There isn't any documentation I found on that option but I'm sure you can figure it out. :)
I haven't found a way to shorten the expiration time on an access token either.
In fact you can't even generate another refresh_token unless you revoke access. I don't think you can generate another refresh_token even if you let the access token expire, although I have to wait an hour to test this.
I did find out that if you send the refresh_token and the authorization token is still active, you just get the same live token back although the expiration time is reset.