I created "test-App" application in API Manager WSO2 with the grant types of "refresh-token" "SAML2", "PASSWORD" "Client Credentials" and "JWT"
I also Created a "test"
To use the webservices behind API manager, First, I should call https://localhost:9443/oauth2/token) to get a access-token
Unfortunately, if I call the link again, instead of receiving the same access-token, the system will generate a new access-token and the previous access-token would be expired. ( I think this link is more like refresh token rather than get the access token).
So, How can I Separate getting available access-token and Refresh-token link in WSO2 API Manager ?
In the latest versions of API Manager you have JWT tokens. When you request a new token it always generates a new token. But it doesn’t revoke the previous access token.
In the earlier versions of APIM, opaque tokens were supported and it has a different behavior. When you request a token, if it is not expired you get the same token.
Please read more about refresh grant here https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/refresh-token-grant/
If you have not done any other configuration changes, invoking https://localhost:9443/oauth2/token URL will always generate a new JWT token without expiring the earlier one. However, the token validity can be changed in the Dev Portal while generating the access token.
Related
I have the following scenario using the SAME client ID and client secret:
Get token 1 and call API A - works as expected.
Get token 2 and call API B - works as expected.
Go back and call API A with token 1. I get the error "Invalid JWT token. Make sure you have provided the correct security credentials".
Does that mean that all previous tokens get invalidated once a new token gets issued? Even if it has not reached its expiry?
If I use different client IDs and client secrets, I do not get the issue.
Adding a scope does not make a difference.
When you subscribe to an API using an Application and generate a token, you can use the same token to call another API subscribed using the same Application.
If you regenerate the token for a newly subscribed API, then the previous token will be invalidated.
From my DevOps team:
Long story short is that the device scopes weren’t being whitelisted. The config wasn’t there previously. We added the config to the Identity Server, and device scopes are now whitelisted.
I can now achieve my objective by adding a unique scopy to each call.
I believe this is the design of the JWT token flow of WSO2 APIM and IS. At a given time, there should be only one active JWT token for a single client ID, secret pair.
Ideally, since the token is not expired, it should return the same token however due to the size of the JWT, it is not practical to store the entire token in the persistence layer. Instead, only the JTI value is recorded and with it alone, KM cannot generate the same token in the second token call. Instead, it revokes the previous one and generates a new token.
Edit:
You can achieve this same client ID secret with multiple tokens use case by using device scopes (Or any other scopes). The difference is,
If scopes and clientID secret are the same in both token calls, 1st token will be revoked with the 2nd call.
If the scopes are different, without revoking the 1st token, 2nd token will be generated with different scopes.
In WSO2 Identity Server 5.9.0 I am using OAuth 2.0 Authorization Code. Access tokens are short-lived and are refreshed by refresh tokens. It implements current recommendation for SPAs and it works fine.
I also configured account disabling and I though that when I disable user which holds refresh token the user won't be able to get new access token. But /oauth2/token endpoint is issuing new tokens no matter if user is disabled or not. Is this expected? How can I deny given user to refresh access token?
I found a workaround. If locking is used instead of disabling then it works as expected. Submitted issue to WSO2.
I a trying to deploy WSO2 API manager (APIM) with a custom valid certificate and to use the option to encrypt in the DB token and secret user information.
I can use my certificate all right, its green even in chrome and everything will work: token emission, api consomption with a token and token revocation. But, as soon as I try to use the option to encrypt tokens I get an error when trying to use the token. Token expired. If I push the logging to DEBUG level, nothing unusual happens but for the token being considered expired and APIM returns expired credentials.
Any one know how to use this options ? And yes, I have tried to set that option from the get go to make sure is active before any user, api, tenant or anything else is created on the server. If I deactivate it, every thing works normally for subscription taken after deactivation.
Thank you.
I'm using the php-jwt package for my Restful API to authneticate users.
I am successfully authenticating Users and returning a token. However it seems that there is not a standard method to issue a refresh token. Although I understand the principle and the flow I'm not sure if there is a standard for the issuing of the refresh token?
If I unerstand correctly the flow is as follows:
App requests access
API checks for a valid User and issues a token which is to include a refresh token
refresh token is sent along with a request to renew, it is verified and if valid another token is issued?
But my question is how to issue the initial refesh token. Is this simply encoded in the token itself along with other data that I return such as username and email for example?
Thanks in advance. A.
I'm currently doing a bit of research of my own on JWTs. I believe you can give the client 2 tokens after auth: an access token and a refresh token. The refresh token can also be a JWT itself. What goes in it is up to you but I think what's important is that it is a valid/not expired token when used. If you can successfully validate it, then you can issue a new access token.
When we do oauth2 on google api, we get an access token and a refresh token. Suppose I'm writing a service and I want to periodically poll for changes I can just use refresh token to get fresh access tokens every time the current access token gets invalidated. This is called offline access.
Is there any way to do the same in facebook? Is there an offline access version similar to that of google api.
Thanks.
For offline access, you need to exchange your short-lived access token for a new access token, before it expires. Facebook has a single type of access token (no refresh tokens). A about-to-expire access token should fetch you a new access token.
To manually extend the tokens using a Graph API endpoint ::
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
Quoting FB's documentation from here ::
Apps are unable to exchange an expired short-lived token for a
long-lived token. The flow above only works with short-lived tokens
that are still valid. Once they expire, your app must send the user
through the login flow again.
Do read the Expiration and Extending Tokens portion of the documentation link that I have mentioned for further clarification.
You can check the validity of your token from here , according to my token it expires never