I have a social media platform and I'm using cognito for auth. When I delete users, they are not logged out, how can i deactivate tokens
The token validity is 1 day. I waited for 1 day but it didn't log out.
I may be wrong, but it sounds like you don't clearly understand what is JWT and how it works.
Here are two types of JWT tokens: access token and refresh token.
access token can't be invalidated for single user until it expires. It is using for user authentication. In other way refresh token is using for new access tokens creation. By default, expiring time of refresh token is 30 days. So, user able generate new access token even if it expired until refresh token is valid.
You have to revoke refresh token when deleting user. Also expiring time of access token should be pretty short (e.g., 30 minutes). In this case user will be able login only 30 minutes at max after refresh token revocation.
Here is no info in your question about token revocation and which of tokens valid until 1 day, so I hope this info will help you figure out how it works.
Related
After googling we came to know that invalid_grant which means refresh token is invalid.
Link to google oauth doc
We don't have any of these issues mentioned by google. Is this error related to something else rather than a refresh token.
More Info
We have access to read, write spreadsheet and send gmail
We fetch an access token for each request
Any help would be appreciated.
We're already in production and verified by google
Without seeing the full error message that being
Invalid_grant {Message here}
It is hard to help but from my experience is most often caused by one of the following.
Refresh token expire, app not in production.
There are serval reasons why a refresh token can expire the most common one currently is as follows.
A Google Cloud Platform project with an OAuth consent screen configured for an
external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.
The fix is to go to google developer console on the consent screen and set your application to production, then your refresh token will stop expiring.
invalid_grant: Invalid JWT
{ “error”: “invalid_grant”, “error_description”: “Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values and use a clock with skew to account for clock differences between systems.” }
Your server’s clock is not in sync with NTP. (Solution: check the server time if its incorrect fix it. )
invalid_grant: Code was already redeemed
Means that you are taking an authentication code that has already been used and trying to get another access token / refresh token for it. Authentication code can only be used once and they do expire so they need to be used quickly.
Invalid_grant: bad request
Normally means that the client id and secrete you are using to refresh the access token. Was not the one that was use to create the refresh token you are using.
Always store most recent refresh token.
Remember to always store the most recent refresh token. You can only have 50 out standing refresh tokens for a single user and the oldest one will expire. Depending upon the language you are using a new refresh token may be returned to you upon a refresh of the access token. Also if you request consent of the user more then once you will get a different refresh token.
User revoked access
If the user revoked your access in their google account, your refresh token will no longer work.
user changed password with gmail scope.
If your refresh token was created with a gmail scope and the user changed their password. your refresh token will be expired.
Links
Oauth2 Rfc docs for invalid_grant error rfc6749
invalid_grant
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client.
Does the CloudFoundry UAA support token refresh for logged in user.
I'm currently logged in using the "cf-cli" via the SSO passcode. After a week or so the session expires and I have to log in again.
Is it possible to refresh the token in the $HOME/.cf/config.json upon expiry ?
As per this https://www.rfc-editor.org/rfc/rfc6749#section-6 , we should be able to refresh the token by passing
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA options.
However, it expects the client_id or client_secret to be present i.e use BASIC Auth.
Can we do with a currently logged in user ?
You can refresh an access token, but you cannot refresh a refresh token. When your refresh token expires, you must login again.
The refresh_token from config.json is a JWT token, so you can use a tool like https://jwt.io to view the token and see when it expires. Your refresh token will expire at some point, it just depends on how long your administrator allows it to last. A week sounds pretty standard.
Hope that helps!
I am using django rest frameworks JWT library
http://getblimp.github.io/django-rest-framework-jwt/
There are two settings on JWT token expiration
JWT_EXPIRATION_DELTA which is in seconds
The docs on it:
You can turn off expiration time verification by setting JWT_VERIFY_EXPIRATION to False. Without expiration verification, JWTs will last forever meaning a leaked token could be used by an attacker indefinitely.
This is an instance of Python's datetime.timedelta. This will be added to datetime.utcnow() to set the expiration time.
Default is datetime.timedelta(seconds=300)(5 minutes).
and JWT_REFRESH_EXPIRATION_DELTA
Docs:
mit on token refresh, is a datetime.timedelta instance. This is how much time after the original token that future tokens can be refreshed from.
Default is datetime.timedelta(days=7) (7 days).
Im not sure on the different use cases. I set the jwt token expiration delta to 20 seconds.
Then got a token saved it to local waited 20 seconds closed my browser window and re navigated to the site
expecting to not be logged in because the token would of expired but I was logged in.
So then what is the difference between JWT token expiration delta
and JWT Refresh Expiration Delta?
JWT_EXPIRATION_DELTA is the actual time till your JWT token will work. After the time mention in JWT_EXPIRATION_DELTA, whenever you will use this token to access a secure endpoint(that has JWT Auth enabled), it will return a error with message that Your JWT Token has been expired. So you need to keep refreshing JWT Token before it get expired. According to documentation:
Refresh with tokens can be repeated (token1 -> token2 -> token3), but this chain of token stores the time that the original token (obtained with username/password credentials), as orig_iat. You can only keep refreshing tokens up to JWT_REFRESH_EXPIRATION_DELTA
It means that no matter how many times you refresh your tokens, it will always keep the record of the original time when your 1st token was generated(First Time you logged in your user). So if JWT_REFRESH_EXPIRATION_DELTA is set to 1 day, you can't keep refreshing your JWT token after 1 day from when your original token was generated (means your 1st token generated time).
Don't know what mechanism you are using to check in the frontend if the user is authenticated or not. But if you use to check it on the backend (DRF-JWT provides some ready endpoints to verify and refresh tokens), you will find it will not work.
We are integrating on our application the Office 365 functionality throught MSGraph rest api and we are currently getting trouble with the validation of Refresh Tokens, this is the response error code from the server on a invalid petition:
"error":"invalid_grant","error_description":"AADSTS70002: Error
validating credentials. AADSTS70008: The refresh token has expired
due to inactivity.??The token was issued on
2016-04-27T11:44:49.4826901Z and was inactive for 14.00:00:00.
This is annoying because we need the users to aquire their credentials again logging in on Microsoft servers.
Is there any option to avoid Refresh token being invalidated due to inactivity? Or to make longer this expiration?
Refresh tokens have a finite lifetime. If a new token (and refresh token) isn't requested before that time they will expire. Once this happens the user must re-authenticate.
If you need to have perpetual access to the account, you will need to manually refresh the token periodically. You may want to look at this article. It covers the basics of how v2 Endpoint works (and the various token lifetimes).
In most of my implementations I use a queue to handling refreshing tokens. I queue each token to be refreshed at 10 days. If it fails I resubmit to the queue. If it is still failing at day 12 I email the user to inform them there was an issue and they will need to re-authenticate.
UPDATE
Refresh token lifetime was recently changed to until-revoked. You can read about the change here
This is general OAuth (not AAD-specific): obtaining an access token is a 2-step process. The first step is to obtain an auth code which requires the user to authenticate. The second step is to redeem an access token and a refresh token from the auth code. This second step is purely programmatic, i.e. the user need not be present. The app can keep repeating the second step, i.e. redeeming a new access token and a new refresh token from the latest refresh token without the user even know about it.
Your app should schedule frequent 'refreshes' of the refresh token. You can do this at any time while the app is running.
If the user doesn't use the app for an extended period of time, like about 2 weeks (I believe), the refresh token would naturally expire. If you want to avoid that, you'll have to schedule a dedicated job to refresh the token.
Zlatko
I have converted my short-lived access-token into extended token i.e for 60 days. The token has permissions for publish_stream and publish_actions.
Can i use the graph API to post something on a facebook page without logging into facebook ? I only have extended token with me.
Yes, you can use the access_token to make Graph API calls until the token expires.
An user access token becomes invalid after
2 hrs (if generated through client-side flow)
2 months (if generated through server-side flow)
Password change
De-authorization of app
Till it's valid, you can use it without asking the user to log in