revoke Power BI embedded token - powerbi

I am generating a Power BI embedded token in my application to populate PBI reports. The lifetime of the embedded token is 30 minutes. I am refreshing the token 5 minutes before the token expires.
However, is it possible to revoke the previous token, which would still be active for the remaining 5 minutes, as this is a security concern?
Thanks in advance!!

Related

can't invalidate token in cognito

I have a social media platform and I'm using Cognito for auth. When I delete users, they are not logged out. How can I deactivate tokens?
The token validity is 1 day. I waited for 1 day but it didn't log out.
I may be wrong, but it sounds like you don't clearly understand what JWT is and how it works.
There are two types of JWT tokens: access token and refresh token.
An access token can't be invalidated for a single user until it expires. It is used for user authentication. The refresh token, on the other hand, is used to create new access tokens. By default, the expiration time of a refresh token is 30 days. So the user is able to generate a new access token, even if it has expired, as long as the refresh token is valid.
You have to revoke the refresh token when deleting a user. Also, the expiration time of the access token should be pretty short (e.g., 30 minutes). In this case the user will be able to log in for only 30 minutes at most after refresh token revocation.
There is no info in your question about token revocation or which of the tokens is valid for 1 day, so I hope this info will help you figure out how it works.
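The behaviour this answer describes, as an added example that is not part of the original post: a local model of a self-contained access token and a revocable refresh token. It is not Cognito's API; the HS256 key, the user id, the refresh token id and all function names are constructed for illustration (Cognito itself signs with RS256).

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"      # constructed signing key (assumption)
ACCESS_TTL = 30 * 60                  # short access-token lifetime, in seconds
revoked_refresh = set()               # server-side state exists only for refresh tokens

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_access(sub: str, now: int) -> str:
    """Sign a self-contained HS256 token carrying subject and expiry."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_access(token: str, now: int) -> bool:
    """What a resource server does: check signature and exp, with no user lookup."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return now < claims["exp"]
    except (ValueError, KeyError, TypeError):
        return False

def refresh(refresh_token: str, sub: str, now: int):
    """Token endpoint: refuses revoked refresh tokens, otherwise mints a new access token."""
    if refresh_token in revoked_refresh:
        return None
    return issue_access(sub, now)

def delete_user(refresh_token: str) -> None:
    """Deleting the user also revokes the refresh token."""
    revoked_refresh.add(refresh_token)

def demo():
    t0 = 1_700_000_000                                # constructed timestamp
    access = issue_access("user-123", t0)
    delete_user("rt-user-123")                        # constructed refresh token id
    return (
        verify_access(access, t0 + 60),               # still accepted after deletion
        refresh("rt-user-123", "user-123", t0 + 60),  # no new access token is issued
        verify_access(access, t0 + ACCESS_TTL),       # rejected once exp is reached
    )
```

The exposure after deletion is bounded by `ACCESS_TTL`, which is why the access-token lifetime should be short.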

AWS Amplify "Refresh Token has expired" after less than configured time (30 days)

I'm using React Native and Expo. Also using aws-amplify to manage users with Cognito's user pool.
Every so often my users are getting kicked out of the system because of "Refresh Token has expired" error. Those users were in the system in the previous week so their refresh token should still be valid. Any ideas?
I'm using:
aws-amplify 2.2.0
aws-amplify-react-native 2.2.3
react-native 0.59
expo 35
I think this is a misunderstanding of the docs. I was under the impression that the refresh token is being re-issued on every session, thus users should never get to the expiration time while they are active.
Apparently this is not the case, as users are issued a refresh token upon login only, and that token is persisted in client-side storage. No matter if they are active or not, this token expires after 30 days (or as otherwise configured) and then they need to log in again.
(of course I'm aware that this is not an Amplify implementation)

AWS - Custom token expiration time

I'm working on some sensitive web application, and I would like to disconnect users after 5mn of inactivity.
I'm stuck with the 1 day minimum refresh token timeout (set on cognito management console)...
How can I bypass this? Or set the refresh token timeout < 1 day?
I'm using the aws-amplify module
I've seen a lot of similar questions and it seems there is no way to do it properly...
Thanks in advance

Power BI Authentication using REST API without GUI using Java (Refresh Token)

Currently I am getting a Power BI report from Power BI services with an access token and embedding this report into an IFrame using Azure AIDL Authentication.
Using this Java library I am getting a JWT access token and fetching it into my Power BI report.
Below are the problems with this approach:
1) Access token has a short validity of 60 mins. and after that I fetch new access token using refresh token.
2) But the refresh token itself has a validity of 14 days and after that I need to manually log in and update the refresh token manually.
I want to avoid manual log in and wondering if there is any way to make this automatic.
Any suggestions would be appreciated.

MSGraph invalid refresh token due to inactivity

We are integrating the Office 365 functionality into our application through the MSGraph REST API and we are currently having trouble with the validation of refresh tokens. This is the response error code from the server on an invalid petition:
"error":"invalid_grant","error_description":"AADSTS70002: Error
validating credentials. AADSTS70008: The refresh token has expired
due to inactivity. The token was issued on
2016-04-27T11:44:49.4826901Z and was inactive for 14.00:00:00.
This is annoying because we need the users to acquire their credentials again by logging in on Microsoft servers.
Is there any option to avoid the refresh token being invalidated due to inactivity? Or to make this expiration longer?
Refresh tokens have a finite lifetime. If a new token (and refresh token) isn't requested before that time they will expire. Once this happens the user must re-authenticate.
If you need to have perpetual access to the account, you will need to manually refresh the token periodically. You may want to look at this article. It covers the basics of how v2 Endpoint works (and the various token lifetimes).
In most of my implementations I use a queue to handle refreshing tokens. I queue each token to be refreshed at 10 days. If it fails I resubmit to the queue. If it is still failing at day 12 I email the user to inform them there was an issue and they will need to re-authenticate.
UPDATE
Refresh token lifetime was recently changed to until-revoked. You can read about the change here.
This is general OAuth (not AAD-specific): obtaining an access token is a 2-step process. The first step is to obtain an auth code, which requires the user to authenticate. The second step is to redeem an access token and a refresh token from the auth code. This second step is purely programmatic, i.e. the user need not be present. The app can keep repeating the second step, i.e. redeeming a new access token and a new refresh token from the latest refresh token without the user even knowing about it.
Your app should schedule frequent 'refreshes' of the refresh token. You can do this at any time while the app is running.
If the user doesn't use the app for an extended period of time, like about 2 weeks (I believe), the refresh token would naturally expire. If you want to avoid that, you'll have to schedule a dedicated job to refresh the token.
Zlatko
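The refresh queue described in the answers above (refresh at 10 days, resubmit on failure, email the user at day 12), as an added example that is not code from either answer. The one-day retry interval, the `redeem` and `notify` callbacks and the sample tokens are assumptions; `redeem` stands in for the programmatic refresh-token redemption step and makes no network call.

```python
import heapq

DAY = 86_400
REFRESH_AT = 10 * DAY   # from the answer: queue each token to be refreshed at 10 days
NOTIFY_AT = 12 * DAY    # from the answer: still failing at day 12 -> email the user
RETRY_EVERY = DAY       # assumption: the answer gives no retry interval

class RefreshFailed(Exception):
    """Raised by redeem() when the token endpoint rejects the refresh token."""

def run_queue(tokens, redeem, notify, until):
    """tokens maps user -> (refresh_token, issued_at); it is updated in place."""
    queue = [(issued + REFRESH_AT, user) for user, (_, issued) in tokens.items()]
    heapq.heapify(queue)
    while queue and queue[0][0] <= until:
        due, user = heapq.heappop(queue)
        rt, issued = tokens[user]
        try:
            new_rt = redeem(rt)
        except RefreshFailed:
            if due - issued >= NOTIFY_AT:
                notify(user)          # stop retrying; the user must re-authenticate
            else:
                heapq.heappush(queue, (due + RETRY_EVERY, user))
            continue
        # Keep only the newest refresh token; it replaces the one just redeemed.
        tokens[user] = (new_rt, due)
        heapq.heappush(queue, (due + REFRESH_AT, user))

def demo():
    tokens = {"alice": ("rt-alice", 0), "bob": ("rt-bob", 0)}   # constructed sample data
    emailed = []

    def redeem(rt):
        if rt.startswith("rt-bob"):   # constructed failure case
            raise RefreshFailed("invalid_grant")
        return rt + ".r"              # stand-in for the newly issued refresh token

    run_queue(tokens, redeem, emailed.append, until=25 * DAY)
    return tokens, emailed
```

Stored refresh tokens are long-lived credentials, so the `tokens` store in a real deployment needs the same protection as passwords or API keys.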