I have created a app in bigcommerce and authenticated through oauth and also got an access tokens. But I am not sure about the expiry time of the access token.
Related
I have built one authentication using access token, refresh token and refresh token rotation. When a user login, the system generates one JWT token and one UUID hashed refresh token and its refresh token id then return back to user.
The init refresh token is a UUID token and it uses bcrypt to hash the uuid token then saving on the database. On the database, apart from saving the refresh token id and the hashed token, I also saved its expired date, its userId, active status and revoked ip.
The access token is passed inside Authentication header as a Bearer token for JWT verify. When one access token is expired, it calls /refresh-token with the old refresh token value and its id to get a new access token and refresh token pair. If the refresh token is expired, I will ask the user to login again.
I also have a refresh token rotation method to avoid refresh token reusing. When a refresh token reused, I will revoke and disable all the refresh tokens belonging to that userId family. So the user should login again to get the new access token and refresh token pair.
I know OAuth2 is a good protocol to implement access token and refresh token authentication. With my authentication design, how to improve it to make it with OAuth2?
Well it sounds like your UUID has all the powers of a refresh token to a client. And if the client is a browser it should never receive a refresh token - a secure cookie is considered better.
The main things I would recommend are the use an Authorization Server and to follow standard guidance around APIs, web and mobile apps.
OAuth provides a number of security design patterns. It is worth understanding the specifics of web and mobile clients. Also think about security related features such as auditing of tokens issued.
Here are some resources from Curity, where I work. The concepts here apply to any provider - it is the principles that matter:
IAM Primer
Free Authorization Server
Guides
I am trying to get an access token using my dropbox username and password.
I don't want to go and generate it from there site, as mentioned in there help documents.
No, Dropbox API apps should use the OAuth app authorization flow to get an access token for the user, so that the app doesn't have to directly handle the user's credentials. You can find more information on this process here:
https://www.dropbox.com/developers/reference/oauthguide
The method of generating it on the App Console that you mentioned only works for the owner of the app, but the OAuth app authorization flow can be used for any account.
Note that while this does require manual user intervention, it generally only needs to be done once per user. Once the app has an access token for a user, it can store and re-use the token for future API calls without further manual user intervention.
Dropbox API access tokens don't expire by themselves, though they can be manually revoked by the user.
I'm using the Google OAuth2 Javascript library to request an access token from users. I want to store the token in a database on the server.
To be able to access that user's data after the token expiration, I also need to store the refresh token. I know how to do that when using a server-side Google OAuth2 library (specify access_type=offline), but I need to be able to do it with the client-side Javascript library and it doesn't work.
You do not want to store the refresh token in the client! That would be akin to storing his username and password.
The Javascript client does not support type=offline, since that would expose the refresh token.
Your choices are :-
Generate and store the refresh token on the server
Have your client simply keep requesting access tokens as it needs them. Set immediate=true so there is no visible interaction with the user
I am developing a REST API. Currently I am trying to make it minimally secure. I am asking this question because most of the posts I found about this subject were quite old.
For authentication I found this schemes:
Basic authentication
AWS authentication protocol
OpenID
OpenID Connect
OAuth pseudo authentication
Basic Authentication and AWS authentication maintain the requests authenticated after a firts authentication because they keep sending signed requests.
I don't understand how the OpenID and OAuth authentication maintain a (second) request autehnticated? Do I need to check the access token with the OAuth/OpenID server per each request? How does this protects the REST API from receiving requests that have been altered?
Any other schemes that you recommend, advices or reading material about the subject are always welcome.
I'd talk about OAuth here
i) You create a web app and want to use google's OAuth API's.
ii) You register your app here and get credentials.
iii) Now, in the app you'd use Google's SDK to open the login page, enter your credentials and Google would verify it and send you access tokens and refresh tokens.
iv) You would make REST call to google's APIs with the access token and fetch user's data.
Now, coming to the question you asked -
An access token generally lives for 1 hour. Yes, any authenticated calls that you need to make to any of Google's API within one hour could be made with the same access token.
There is another type of token - the Refresh Token. At any time, your app can hit the provider's token exchange endpoint and exchange the refresh token for - refresh token + access token pair.
Now again, you have an access token that will help you for one hour and a refresh token that can be exchanged any time.
Refresh tokens live for as long as you want, till the time the user explicitly revokes permission to your app. (Tells Google that it doesn't not want you to access his resources!)
OAuth would make your REST API secure by ensuring that only authenticated and authorized clients can hit your API. But generally, OAuth is only used when there's a situation where a third party client needs access to a user's resource!
I'm using omniauth-salesforce gem to access salesforce data in my rails app. I'm able to login to salesforce using oauth and get the authorization code back in my app in no time. But how do I get the access token for further REST calls.
OAuth2 tokens expire after a certain duration. You can cache these bearer tokens per user per session (perhaps as a cookie?).
You will also want to capture the refresh token. The access token could expire while the user is still interacting with you. If so, you can use the refresh token to get a new access token without user intervention.
More details on OAuth2 can be find in the RFC 6749 definition.