Openresty: Manually refreshing the id token without refreshing the session token? - openresty

I was looking at the readme at https://github.com/zmartzone/lua-resty-openidc and I saw that there was a refresh_session_interval option which supposedly "refreshes the users id_token after X seconds without requiring re-authentication".
This works for our situation but I was wondering if there was some config or option so that we could manually trigger that refresh ourselves instead of passively waiting.
Thanks in advance.

Turns out that it isn't possible yet to request a new id token so we went with a different solution.

Related

How to set the expiry time of an applications token to -1 for WSO2 APIM 2.1.0?

I have tried creating a new application and setting the expiry time to -1 on the UI for the store which looks like it worked based on what I saw on the UI. However when I tried a curl to get a token it defaulted to 3600 seconds still.
I then looked into it and found another way in which I can edit the identity.xml default to be -1 and restart WSO2. Apparently that is supposed to change it for all new applications and leave existing ones as is. So I did that and created a second new application. Again the UI looked like it was working but when I did the curl for the token it was still 3600 seconds.
Please could someone tell me if I am missing something or have done something wrong. I need to create just one application that has a token that never expires ( or at least lasts an extremely long time )
Thanks
When generating the Token from the Store UI, the API Manager uses the Client Credentials grant to generate the Access Tokens (explicitly passing the validity period).
As per the shared comment, you are trying to generate an access token using the Password Grant. In such a scenario, we can perform the following configurations (Doc) to generate the User access token with an infinite lifetime
Configure the identity.xml to configure newly created applications with an infinite token span
As you have already performed, update the UserAccessTokenDefaultValidityPeriod value in the <apim>/repository/conf/identity/identity.xml with larger values (example: 9223372036854775) to generate a long-lasting token
<UserAccessTokenDefaultValidityPeriod>9223372036854775</UserAccessTokenDefaultValidityPeriod>
Once the configurations are made, please do restart the API Manager node to take effect on the changes and try the scenario again with the Password Grant with a new Application
Hope this helps to achieve your requirement

Does IdentityServer4 have a mechanism to alert a user their refresh token is about to expire?

Currently my solution has refresh tokens with sliding timeout of 1 hour, and an absolute timeout of 6 hours.
My requirement (which I was given, for the record I don't like this!) is that I must alert the user that their session is about to expire and that they must interact with the system if they want to continue.
Does IdentityServer4 have a mechanism for handling this?
If not, is there a preferred approach to implementing this functionality?
No, there is no built in function for this, its up to the clients to ask for new tokens when they are about to expire.
The easiest solution is to use the IdentityModel.AspNetCore NuGet package and you can read the documentation here

Where is the authentication (user/password check) in Jhipster with JWT

If I use JHipster + JWT and log in with wrong data for the first time, I get an error message (this is correct, of course). Unfortunately, I can't find where the authentication(user/password check) takes place.
The client calls'api/authenticate' and lands in the JWT filter. jwt does not yet exist here. And so it goes on in the chain.There are now 12 spring filters, but unfortunately I haven't found the check in any of them.
The'DomainUserDetailsService','UserJWT-Controller' are not called.
Question: Does anyone know where the authentication happens?
Thanks for the answer in advance
It's done in the AuthenticationManager which is built in SecurityConfiguration.java and uses DomainUserDetailsService
This is called when sending a POST to /api/authenticate which is handled by UserJWTController
I suppose you only looked at GET on /api/authenticate in AccountResource.java which is used only for checking that user is authenticated with a token.

How do I test refreshing my google access token using a refresh token

I am a fair way through implementing an actionscript OAuth library which I am initially testing with Google's Drive Api.
I know how you are supposed to refresh an access token using your refresh token but my question is how do I test it?
How do I make my access_token expire so that I test my code that catches the error, attempts a refresh and then re-loads the initial request? If I can only do this once a week (or however often they expire) it's going to take a while to get it right!
Thanks
If you're looking to test your code, you don't actually need to invalidate or expire the access token. Simply make a (say) Drive call with a null access token and you will receive the same 401 response that you would have got with an expired access token.
Well, judging by the lack of responses to this question I am assuming that there is no way to do this.
This page:
https://developers.google.com/youtube/v3/guides/authentication#installed-apps
describes how to revoke an access or refresh token by using this url:
https://accounts.google.com/o/oauth2/revoke?token={token}
but then says:
The specified token can be an access token or a refresh token. If the token is an access token and it has a corresponding refresh token, the refresh token is also revoked.
So if you just want to revoke an access token you aren't able to.
I think the only solution is to wait for the access token to expire (seems to take an hour) then go about testing your app.
I'll be very happy if anyone tells me a faster way to make the token expire.
I handle this testing by simply making note of an expired access_token. Then when I need to test how my app deals with an expired token I simply give the app that expired token to work with. This way, for example, I can test that requests with an expired token will fail as expected.
The easiest way of doing it is using the OAuth Playground 2.0
https://developers.google.com/oauthplayground/
In step 2 especially, you can try refreshing your access token with a refresh token.
Additionally, in the setting (the gear icon), you can set up your own OAuth Credentials to test it out for your own API project.
Im using nodemailer. When setting the options for the transporter object, you can specify an 'expires' time. There isn't any documentation I found on that option but I'm sure you can figure it out. :)
I haven't found a way to shorten the expiration time on an access token either.
In fact you can't even generate another refresh_token unless you revoke access. I don't think you can generate another refresh_token even if you let the access token expire, although I have to wait an hour to test this.
I did find out that if you send the refresh_token and the authorization token is still active, you just get the same live token back although the expiration time is reset.

Twitter API - Reasons for "invalid or expired token"

What are the possible reasons that can cause token to become expired (besides having the user un-authorising the app)?
My problem is that I have an app with several thousands of users, all API communication works perfectly but for some users I am getting the invalid or expired token error, my initial though was that they are users who canceled the authentication to the app but I've contacted some of them and they haven't revoked the access.
Any ideas what other issues can cause that error?
Check the integrity of an access token at any time by calling the GET account/verify_credentials while using that access token.
Its mentioned and by research I came to know that:
Your access token will be invalid if a user explicitly rejects your
application from their settings or if a Twitter admin suspends your
application. If your application is suspended there will be a note on
your application page saying that it has been suspended.
Why is my twitter oauth access token invalid / expired ?
Check this post: invalid / expired access tokens.
There is one post in google groups that says:
You don't get a second chance, and this is by design. OAuth requests
have a unique signature; once a particular request is submitted, it
can't be submitted again.
If they enter the pin correctly, all is well, you get an access token.
If they enter the pin wrong, you get 401 Unauthorized - which is
expected.
But if they then try again to enter the pin, even the correct pin
shows as unauthorized.
Check this link for the above reference.
Some suggestions by twitter employee for the same problem:
I guess there are two things I would suggest at this point: 1.) Go to
your application settings and use the "Reset keys" tab to reset your
consumer key and secret, then update those values in the app and
verify that you still see the same behavior. 2.) Try passing
oauth_callback in your request_token call. Honestly I don't think this
will make a difference, but I want to try and be as rigorous as I can
here.
Also check this discussion saying:
You need to use the oauth_token and oauth_token_secret returned from
the oauth/access_token call instead of the one in your app's settings
in dev.twitter.com
I was getting same error then I changed (access_token) to (access_token_key) and it worked for me.
I hope it will help someone.
In addition to the comments everyone else has made, sometimes the twitter api will return a "invalid token" error when the token isn't the problem. I've noticed it the most when I've built a request string that doesn't parse correctly. For example, once I was getting that error when I was passing in screen_name's that had symbols that weren't URI-encodable. I also have gotten it when I passed in empty values like this (where the cursor is empty):
https://api.twitter.com/1/followers.json?cursor=&screen_name=whatevah
Could you give us the specifics of the calls that are returning this error?
Have you confirmed that the tokens worked at one time? In an OAuth system I worked on, there was an error in how tokens were securely stored and retrieved that caused a small percentage of them to become corrupted. If you can confirm that the tokens worked in the past, that's a good first step.
When you retrieve the tokens from storage, are they unchanged? Is it possible for them to get corrupted with the way you're managing them?
Put some logging in place to keep track of when tokens work and fail. Does a token ever start working again after it has failed once? If you fail to use a token for 30 days, does it expire? With a detailed log, you can start identifying the expired tokens and look for patterns in use to point to what might cause them to expire.
Be sure to explore other possibilities as well. How do users revoke tokens in Twitter? Is it easy to accidentally do that? For users with failed tokens, do they have other authorized apps that have stopped working as well?
First of all nice question Ran.
I want to ask you that have you gone through Twitter developers??
Sometimes it becomes ambiguous that which token to use since Twitter provides two pairs of tokens and the library.One of them is a secret key.
You need to select those token which starts with your Twitter ID followed by a hyphen.
Now your question is this error happens with some of yours users. So here is the answer that an app itself finds ambiguous to choose the token.
Though I might not be completely right, but I recommend you to try this solution at least once.
It might be possible these users have not revoked access. But in my experience an access token can also get expired after the user (in test cases: me) changed his/her password.
When the user does that, you can no longer use the REST API of stream API on that user's scope. Please adapt your application to handle with that situation. Revoke the user's session, so when he comes back to your application, he/she can be redirected to Twitter again to start a new OAuth access token process. Or send him/her an e-mail to kindly ask to reconnect. Vimeo/Windows/... are some of the people handling expired tokens with e-mails.
Have fun!
My God's answer is correct but I will share my answer from another question explaining how it could be your computer's clock:
If your OAuth flow was working one day and failing the next, check your computer's clock. I was running a Vagrant box that somehow had its time set to the day before, which caused the Twitter API to return {"code":89,"message":"Invalid or expired token."}. This may also appear as 401 timestamp out of bounds. You can use this command to update your clock in Ubuntu:
sudo ntpdate time.nist.gov
Alternative method if ntpdate isn't available on your system:
sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
if your Access Token=738629462149844993-FcWHjfcucCLGEosyGGQ38qI******iC then don't forget to mention hyphen (-) followed by your USERID.
May be this will be helpful for you.I faced the same problem.
Please find the below piece of code snippet
$code = $tmhOAuth->user_request(array(
'method' => 'POST',
'url' => $tmhOAuth->url('oauth/access_token', ''),
'params' => array(
'oauth_verifier' => trim($params['oauth_verifier']),
)
));
if ($code == 200) {
$oauth_creds = $tmhOAuth->extract_params($tmhOAuth->response['response']);
// echo '<pre>';print_r($oauth_creds);exit;
$tmhOAuth->reconfigure(array_merge($tmhOAuth->config, array(
'token' => $oauth_creds['oauth_token'],
'secret' => $oauth_creds['oauth_token_secret'],
)));
$code = $tmhOAuth->user_request(array(
'url' => $tmhOAuth->url('1.1/account/verify_credentials')
));
}
The error invalid or expired token can be linked with the fact that one is not paying.
Without paying one will only be able to create the dev environment (sandbox).
As I have answered here:
Counts is only available to paid premium accounts, and one needs to pay for premium access.
Use this link to Apply for access.
Try to regenerate the keys again and save them properly.
For me, it happened because after regenerating one of the keys I did not update other keys. Therefore removed and regenerated all 4 keys again (CONSUMER_KEY, CONSUMER_SECRET, ACCESS_KEY, ACCESS_SECRET). And tried to execute it again and it worked this time.