Currently users are being issued a new token each time they login in, so there are several outstanding tokens linked to each user. This means the user cannot be deleted.
How can I delete tokens?
I'm looking for resources rather than help with coding please.
Update:
been researching my query today and I found flushexpiredtokens which I set up as a command and ran in the CLI and got rid of the expired tokens. However the current tokens are still preventing the user from being deleted as they are an outstanding token.
I'm very new to Django. I have some questions now:
do I need to set up a cron job?
can I someone make a function that when a user presses delte, it first expires all current tokens, then flushes the expired tokens and then deletes the user?
I ran the flushexpiredcommand I created in the CLI, should these commands be executed from the UI?
Related
I am using django-rest-framework-jwt in my backend and calling API's from Angular Project.
When user try to login on multiple Browsers, each time a new token is generated for the user on new browser. And every token is valid.
What I want is that when user is already logged in in one browser and he/she tries to login on second different browser the previous token for first browser should be invalidated.
In a simple word, NO, you can't just avoid generating tokens unless you made a little twist in django-rest-framework-jwt module. But that's not pure jwt anymore.
JWT stands for JSON Web Tokens and it's a mechanism for exchanging data between computer systems that happens to be convenient for generating authorization headers that can be used to implement statless auth in web apps.
SO
stateless means that you don't track user tokens, You just verify them. If token is valid and the payload is valid, then OK. It doesn't care how many tokens are generated and it doesn't care that they are related to one user. The token is created based on timestamp and will be verified compared to lifetime and timestamp of it.
It means that django rest jwt module, will create a token based on current timestamp of system, whenever user request for it.
Remember you can't delete a jwt token. Because it's not stored in database. So if your token is spoofed, that's it. You can't do anything with it, unless life cycle of the token ends and token expire.
If you want to track these tokens and be able to control them and for example don't create redundant tokens for a user as you asked:
consider changing to another token based authentication that stores token in database so you could track it.
change jwt system to what is suitable for you (I did it before). For example add a lookup id in database and check tokens by that bounded to each user. I know it's not jwt anymore, But you can still use some goodies of it. Like don't hit database on not valid jwt tokens and store some payload in it, if verified don't hit database for that info. Like permissions and ...
I have a question regarding Amazon Cognito.
What I want to achieve is to set default custom attribute for the user record.
Ideally it will be great if I could set it by default in user pool, for example "custom:domain": "some name". But I can't find an example for this, or maybe set it up in Pre sign-up trigger with Lambda, but I didn't find examples for it also. What I did, when user authenticate I get the user attributes and set the required one with updateAttributes (I use amazon-cognito-identity-js). The downside of this approach that I faced, on first user login he gets the tokens first and only after that this custom attribute it set. So in first login this attribute is missed in token. What I want to ask what is the best approach of doing this kind of staff? And if my variant is appropriate, how could I update user token after changing the user attributes, so they appear in that token.
You will get the new attributes in the tokens on token refresh. However, the SDK's do not provide a method to manually refresh the tokens. We will consider this as a feature request for our SDK's.
Tokens are typically valid for an hour and are automatically refreshed by the SDK when they have expired. So your user's would get tokens with new attributes at-least after an hour.
Another option would be to add a Pre token generation trigger that checks to see if the value is set, and if it isn't overrides it. http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html#aws-lambda-triggers-pre-token-generation-example-1 It would be set the first time the user gets the token if done this way.
We are integrating on our application the Office 365 functionality throught MSGraph rest api and we are currently getting trouble with the validation of Refresh Tokens, this is the response error code from the server on a invalid petition:
"error":"invalid_grant","error_description":"AADSTS70002: Error
validating credentials. AADSTS70008: The refresh token has expired
due to inactivity.??The token was issued on
2016-04-27T11:44:49.4826901Z and was inactive for 14.00:00:00.
This is annoying because we need the users to aquire their credentials again logging in on Microsoft servers.
Is there any option to avoid Refresh token being invalidated due to inactivity? Or to make longer this expiration?
Refresh tokens have a finite lifetime. If a new token (and refresh token) isn't requested before that time they will expire. Once this happens the user must re-authenticate.
If you need to have perpetual access to the account, you will need to manually refresh the token periodically. You may want to look at this article. It covers the basics of how v2 Endpoint works (and the various token lifetimes).
In most of my implementations I use a queue to handling refreshing tokens. I queue each token to be refreshed at 10 days. If it fails I resubmit to the queue. If it is still failing at day 12 I email the user to inform them there was an issue and they will need to re-authenticate.
UPDATE
Refresh token lifetime was recently changed to until-revoked. You can read about the change here
This is general OAuth (not AAD-specific): obtaining an access token is a 2-step process. The first step is to obtain an auth code which requires the user to authenticate. The second step is to redeem an access token and a refresh token from the auth code. This second step is purely programmatic, i.e. the user need not be present. The app can keep repeating the second step, i.e. redeeming a new access token and a new refresh token from the latest refresh token without the user even know about it.
Your app should schedule frequent 'refreshes' of the refresh token. You can do this at any time while the app is running.
If the user doesn't use the app for an extended period of time, like about 2 weeks (I believe), the refresh token would naturally expire. If you want to avoid that, you'll have to schedule a dedicated job to refresh the token.
Zlatko
At my organization, we're moving towards a modular software architecture.. We're still in the beginning phases, and are currently working on the User Authentication (UA) module.
I'm looking for information on best practices in terms of a User Authentication module.
My current notion is the following:
Client queries UA module with login details
UA module checks login details. If they are valid, the UA module creates & stores access token, associating the token with the validated user's unique ID.
The token is sent back to the client. Client stores the token.
Whenever the client requires authentication, it queries the UA module with the token. The UA module returns the user's unique ID if the token is valid, or returns an error code if the token is invalid.
I would appreciate any criticism on those methods.
I'm also interested in knowing how to deal with the accumulation of tokens. Obviously if a user chooses to log out, the token is removed.
My notion is that tokens should have expiry dates associated with them, and a worker process should clean these tokens up at a regular interval. Is this the right way to go about things?
Please comment! Reference documents are also appreciated.
You can store the token in a DB field along with issue timestamp, with an one-to-one mapping with the client ID. So when you have reissue a token, you overwrite the old one. And when user logs out, null out the token.
When the User sends a request with the token, see if the token is past expiry date (i.e. current time > issue time + expiry time period). This would save you from running a Worker to clean up old tokens.
Is there any way to use the graph api to find out when a page access token, or application token will expire?
Update: There is a new API endpoint to access information about an access token. You can find info here: Debugging Access Tokens and Handling Errors
https://graph.facebook.com/debug_token?input_token=INPUT_TOKEN&access_token=ACCESS_TOKEN
input_token: the Access Token to debug
access_token: your App Access Token or a valid User Access Token from a developer of the app.
--
You should try to make sure that you store each token's expiration time along with the access token when you get it. For a page access token, that means storing the expiration time of the user access token. If you would like to manually discover expiration times for tokens you have today, you should use Facebook's Access Token Debugger tool. However, you should not be relying on expiration times alone -- in practice, many tokens will expire much earlier than their expiration time.
Application access tokens will never expire, unless the application secret key is reset.
Page access tokens last up to 60 days (5184000 seconds), but more importantly, they last as long as the user access token that was used to acquire them. So they will be invalidated as soon as the user that you got them from:
logs out of FB.
changes password.
deauthorizes your application.
Basically, when you lose the user's token, you will lose the page's token. Instead, you should retrieve page access tokens once per user access token. If you throw out a user access token, throw out the page token. You should not be trying to store page access tokens for any significant period of time. Instead you should get them as needed and forget them when a user's session dies.
To get a new page access token:
https://graph.facebook.com/PAGEID?fields=access_token&access_token=USER_ACCESS_TOKEN
Access Token Debugger
https://developers.facebook.com/tools/debug/access_token
Does not use the Graph API... but a very useful tool for manual debugging.
There is now an API version of the debugger tool.
See https://developers.facebook.com/docs/authentication/access-token-debug/
I would like to repeat this question for the current version of the API since I've come to a situation when Facebook doc clearly does not describe what is happening:
no expiry dates when requesting a new long-lived token with fb_exchange_token
no expiry dates when requesting debug_token information (expires_at = 0)
it does reply with an expiration date when redirecting the user to the auth page for the first time, but that does not help as I cannot extract the long-lived expiration date nor it will reply with this information for the second time
The debug tool here: https://developers.facebook.com/tools/debug/accesstoken says "Expires: Never".
Try this, it worked with me. Get the token with your app and paste it in the graph explorer as the token to be used for queries. Click on the info a see the expiration date.
example image
I hope it works for you too.
https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension
From the page above:
Access tokens on the web often have a lifetime of about two hours, but
will automatically be refreshed when required. If you want to use
access tokens for longer-lived web apps, especially server side, you
need to generate a long-lived token. A long-lived token generally
lasts about 60 days.