I have a problem with "Resumable item upload" (http://onedrive.github.io/items/upload_large_files.htm).
If the access token expires during the upload session I receive a 401 Unhautorized error even if I use the refresh token to obtnain another access token.
You are supposed to handle this in your application - refresh token if this happens and then continue uploading. Current chunk should be properly saved so you can continue with the next one.
Related
I have two cookies being stored: JWT and refresh token, both are httponly; path=/, so they are send on all requests, including the API (which doesn't use Bearer, but instead reads the JWT directly from the cookies).
The implementation is as usual, the JWT is short lived, and the refresh token is used to get a new one. The refresh token is rotating and after used is invalidated.
On the client, refreshing the token is no issue. When a 401 is returned by the API a call is made to /auth/refresh-token and the request is retried.
On the server however, (e.g. on getServerSideProps) it seems to be quite difficult to refresh the JWT. What I have attempted is to create a custom server and a middleware that checks when a JWT is expired and attempts to refresh it.
I can think of two issues with that, first is that the custom server is called on every resource, that includes all json, js, static files, etc... that Next.js serves. When two requests are made with the same tokens (I can handle this when making API calls, but Next.js also sends requests to the server and I cannot control those):
1. Two requests with expired JWT are sent to the server
2. The back-end receives the requests and on both determines it needs to refresh the token
3. Eventually one of the requests will complete, invalidating the refresh-token
4. The other request now has an invalidated refresh token and cannot get a new JWT
Second issue, what if the user doesn't receive the response, scenario:
1. A request with an expired JWT is sent
2. The back-end refreshes it and sets the new cookies
3. The back-end then has to read lots of data from a database which takes a few seconds
4. User closes the page before receiving the response
5. At this point the user has an invalidated refresh token and an expired JWT because the response with the new cookies was never received
How are these cases usually handled? It seems like it would be a common issue with rotating refresh tokens, but I couldn't find anything useful on this online.
You can follow this practice.
Save refresh token in the http-only cookie
No need to save JWT in the cookie for better security and keep it in the response of refresh token as well as login endpoint.
Save JWT expiry in a normal cookie
Call refresh token endpoint to get new JWT when expiry token is not present or getting 401 error.
In getServerSideProps also you can call the refresh token endpoint always as you don't need to persist JWT anywhere.
You may need to get the cookie from req.headers.cookie and pass it in the header when you are calling the refresh token endpoint from the server.
//inside getServerSideProps
const browserCookie = req.headers.cookie;
const refreshJWTTokenResponse: any = await refreshJWTToken(browserCookie);
//service call
export async function refreshJWTToken(refreshTokenCookie: any): Promise<{}> {
let headers = new Headers();
headers.append("Cookie",`${refreshTokenCookie}`);
const options = {
method: 'POST',
headers: headers,
credentials:'include',
};
...
}
According to https://developers.facebook.com/docs/instagram-basic-display-api/reference/refresh_access_token/ , to refresh a long term access token , which you can get from user access token.
I am calling GET request on URL
https://graph.instagram.com/refresh_access_token
?grant_type=ig_refresh_token
&access_token={long-lived-access-token}
It returns
Sorry, this content isn't available right now
Is there any other way by which I can refresh access_tokens automatically by calling GET requests on URLs.
If you are already have the Long-lived access token then you can't refresh it manually
When user login using facebook login button what you get is a short lived access token you use this endpoint to get a long lived access token
curl -i -X GET "https://graph.facebook.com/{graph-api-version}/oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={your-access-token}"
after you got the long lived token it's will refresh once per day automatically if the user is using your app means the token is being used, if the token is not being used after 60 days the user must go through the login flow again in order to get a new token read more here
I am trying to design a secure API, which then will be used by a PWA on desktop and mobile.
I have the following flow:
A POST request with the user's credentials is issued to endpoint /session at login.
If the the credentials are correct it will set a Secure, HttpOnly cookie which contains a refresh token with Path=/session/renew. This way it's only sent to that endpoint, cannot be accessed from JavaScript, and will only be set on HTTPS.
The response will also contain a JSON object with an access token. This will be used for every other authorized request. It will be passed along in a Authorization: Bearer ${access_token} header. The token's max age is 30 minutes.
Before the access token expires I can call to /session/renew with the cookie set and this will give me new access token and will also set the new refresh token in the cookie with the same properties as above. The old tokens will be revoked on the server.
The access token is stored in a Redux store. Unfortunately, this poses a problem.
Now if open a new tab, I can request a new token on /session/renew, but with this setup I will "stole" the previous tab's ability to request new tokens as those will be revoked by this call and the user will just get logged-out on that tab.
I see a few solutions, but none seems to be secure enough to me:
Don't revoke the old access and renew tokens when /session/renew is called
Store the access token in session or local storage
I did quite some research and still don't see what would be the correct (and not too complicated) solution here.
I am accessing Google Directory API to list all ChromeOS devices with maxResults set to 100 and pageToken to fetch the next page. Once the token expires, I refresh the token and try to continue with the page where i was stopped previously using old page token. I get 400 error code.
Can any one let me know how can i resume to fetch the results once the token is renewed?
https://developers.google.com/admin-sdk/directory/v1/reference/chromeosdevices/list is the API
INFO: com.google.api.client.auth.oauth2.TokenResponseException: 400 OK
{
"error" : "invalid_grant"
}
my code is
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(js)
.setServiceAccountId(emailId)
.setServiceAccountScopes(scopes)
.setServiceAccountPrivateKeyFromP12File(new File(privateKeyPath)).build();
System.out.println("SERVICE ACCOUNT SERVLET CALLED");
credential.refreshToken();
this method is running fine but suddenly it starts to give error.
Possible reasons:
1) I was having a similar problem caused by the time on my server being incorrect. Make sure your system clock is synchronized.
2) You should reuse the access token you get after the first successful authentication. You will get an invalid_grant error if your previous token has not expired yet. Cache it somewhere so you can reuse it.
3) Make sure that you pass the access token, and not refresh token as that fails. When you run, it turns the OAUth2 refresh token into an access token and passes that to the service. If you pass the raw refresh token, this is not acceptable for API access without turning it into a short-lived access token.
4) You might have reached the refresh token limit. Certain Google APIs have this, some explanation you can find here: https://developers.google.com/compute/docs/authentication
5) You also can revoke it. Go to your Google API Console ( https://code.google.com/apis/console/ ) and revoke your Client Secret under Client ID for installed applications. Be sure to also update your code with the new Client Secret