I have generated (manually through the web UI) multiple access tokens during testing, and all seem valid. I have probably also generated some and not actually noted them down anywhere.
How do I:
a) list access tokens
b) remove/revoke unneeded access tokens
I have looked here: www.dropbox.com/account/security and I can see my app listed, but there is no mention of access tokens. I do not want to remove the entire app, just some of the access tokens for it.
The app in question has "App folder" access, which means that it can only access one particular folder (and children).
Note: When I say "all seem valid" - I mean that each token can successfully be used to perform actions on the specific app folder at play.
As per the Dropbox forum:
a) The Dropbox web site/API don't offer a way to list individual
access tokens.
b) There are several ways to revoke access tokens.
The user can revoke all access tokens for an app via the account
security page by clicking the 'x' at the right of the app's row. This
will revoke all access tokens for that app-user pair though, and
doesn't offer a way to revoke specific/individual ones.
If the app
uses the "app folder" permission, the user can delete the app folder
itself, which will cause any further API calls for that app-user pair
to fail.
The app can revoke individual access tokens using the
/2/auth/token/revoke API endpoint. That will revoke only the
individual access token used to make the call itself. You can use it
multiple times to revoke any/all access tokens you have.
https://www.dropboxforum.com/t5/API-support/How-to-revoke-an-access-token-Other-answers-suggest-security/m-p/218788/highlight/false#M11497
Related
I have an interesting use case for you today.
My team and I are building a free, third party, calculator tool that enables users to calculate metrics using their store's data.
We are looking for ways to pull in the necessary data and perform the calculation to show users... so far the best we've come up with is asking the users to export a report from Shopify and upload it into our application.
Looking for a user experience similar to this:
User opens our tool, application is hosted on custom-domain.com
Somehow the user authenticates or logins in to Shopify, or approves our app temporary access to their data.
Our app performs the calculation for the user, ending data access
Any ideas as to how this authentication or access of data can be facilitated? Shopify doesn't seem to have a 'login with Google' kind of authentication button.
Thanks!
There are two modes for authenticated access, namely Online and Offline. What you need in this scenario is Online Access.
From Shopify Docs
Tokens with online access mode are linked to an individual user on a
store, where the access token's lifespan matches the lifespan of the
user's web session. This type of access mode is meant to be used when
a user is interacting with your app through the web, or when an app
must respect an individual user's permission level.This access mode
must be explicitly requested in the authorization phase.
It should also fulfill your needs related to ending data access.
An access token created with this access mode is temporary, and is guaranteed to expire after some amount of time.
When a user logs out of Shopify admin, all online mode access tokens created during the same web session are revoked.
Once you have the access token, you can use Shopify API to query data so that your users don't have to upload any files manually.
Our current setup is
IdentityServer4
Angular + ASP.NET Core application
Authentication for the app via implicit flow/oidc.
We want to provide APIs for customers, i.e. third party clients, with restricted access (separate set/subset of claims). These clients are mostly non-interactive scripts that download data.
This means that we cannot use any flow which (occasionally) requires user interaction. Personal access tokens, like in github, or some other generate once, reuse for a long time API key or token would be needed.
The long token lifetime would not be a security issue, because the token should only allow access to a few read-only APIs and only for that customer's data - so the responsibility to handle the token(s) falls onto the customer.
The customer should be able to create and revoke such API-access tokens based on their claims. Some users might only claims to access certain APIs.
It would be good if we could later prevent that the user re-uses the same token for multiple clients because of licensing requirements but that is perhaps an entirely new question
How could I achieve this?
I thought about doing this via a custom grant, similar to a delegation grant: user uses app, which calls the asp.net core API, which performs auth with that custom grant, persists that token somewhere (just a plain table in the database full of customer-api-only tokens? I'm not sure about that) and shows it to the user - which can also retrieve it later from storage.
I'm thinking about doing the "delegate"-authentication via our API so that we don't leak the secrets into the Angular application.
I think that we then should be able to have either long-lived access tokens or at least refresh tokens via that custom grant.
2017-12-12 how I think I could solve it
We want a process where the user generates something in our application (i.e. via our client) and this something can later be used by the user's third party client to access the API - or request an access token and then access the API.
We want this access to be tied to the user. This includes
- Disabled user
- Lockout
- Specific claims (e.g. tenant)
This does not lend itself well to a solution that issues access tokens directly, because the token would remain valid even if the user was disabled or locked out. Which means that we cannot use a custom grant or IdentityServerTools to issue tokens directly.
Therefore we should use the client credentials grant, or something similar to it, as this could yield new, short-lived access tokens.
User actually generates a new client, which is pre-filled with claims from the user (such as the tenant - which is immutable) and has a claim that corresponds with the user. This happens transparently. Password should be user-supplied with the option to change it. We only store the relation between user and issued client-ids, no passwords.
We have to create a custom grant, which works similar to client credentials, but also checks if the corresponding user is active etc. (which I think should be possible by injecting UserManager)
Resulting access token lifetime is short, interaction with our APIs is expected to be short-lived.
Assuming it is safe and easy enough to write such a grant, we should be able to cover everything we need.
Of course, I might have completely overlooked something :)
I have implemented Google oauth2 server flow for web. Now I'm testing it. as I have already given permission to my Application in my own google account I'm not getting a Refresh Token (that is completely normal) but I'm revoking access to my app and trying to sign in again but still I don't refresh token (I get access token and other parameters).
I tried removing cookies after revoking access but it didn't help either. Why I don't get a new access token (while google document says that I will get a new refresh token if the access permission is revoked).
Note That: I don't want to use access_type=offline as I want the users see that my website is only asking for email and basic profile information.
Update:
I found this in google documentation:
Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working.
And I think that I have reached the per client/user limit. Does anybody know how to increase this limit?
I need to give out Dropbox api access tokens and then be able to revoke access at a later time, then I need to be able to generate more access tokens to give out without the user verifying my application again. I thought I would be able to do this using the authorization code multiple times, but it only lets me generate one access token for each authorization code. Does anyone know how to do this without getting more input from the user?
I want to use Google APIs with OAuth 2.0 for authentication / authorization.
Is it currently possible to grant access to only people you have in a private circle?
Basically i want to secure a place on the web. To grant google+ users access, I just drag them into a specific circle.
Nothing built in, but you could build this. What you'd need to do was sign-in (with offline access) to your application as the 'admin', and just grant it access to that one circle. The app would have recheck the people.list every so often (using a stored refresh token), and record the latest list of users. Then, when a regular user came to sign-in, you would allow that sign-in the check against the list of stored friends before granting them access to the private area. You could even give the users who didn't have access a "let me in" button, which would share a post prefilled to share with you, so they could ask for access.
You can see how to retrieve the list of people here: https://developers.google.com/+/web/people/#retrieve_a_collection_of_people
If you didn't add friends very often, then you can make the people.list update happen when a user tried to access who wasn't part of the group, to check they hadn't been added.