I have some questions:

1. How to refresh the device token with only the refresh token in the device agent?
2. How to find the device token when the token is changed by the device (using the refresh token)?
3. Can I use one token for many devices?
Hope you are using the IoT Server alpha pack.

(1) How to refresh the device token with only the refresh token in the device agent?

For the virtual Fire Alarm application in the Alpha pack we used only the access token. To use the refresh token in the Alpha pack you have to follow the standard process below, as it is not implemented yet.

1. Go to the API Store using https://:9443/api-store/
2. Go to 'My Subscriptions' and get the consumer key and consumer secret of the virtual firealarm application.
3. Get the refresh token from the properties file (deviceConfig.properties).
4. Call the token endpoint using curl to refresh it, e.g.:

   curl -k -d "grant_type=refresh_token&refresh_token=&scope=device_type_virtual_firealarm device_vf3ouabim2xu" -H "Authorization: Basic " -H "Content-Type: application/x-www-form-urlencoded" http://localhost:9763/oauth2/token

5. Update the config properties file with the new token.

This will be fixed in the next release version. The pull request can be found at https://github.com/wso2/carbon-device-mgt-plugins/pull/297

(2) How to find the device token when the token is changed by the device (using the refresh token)?

When the device token is changed via the refresh token, the latest device token gets updated in the deviceConfig.properties file.

(3) Can I use one token for many devices?

Yes, you can use one token for multiple devices in the Alpha pack. However, this is not the correct approach, therefore we will be restricting it to only one token per device from the Beta release onwards.
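As an added example (not part of the answer above or of the WSO2 agent code), a Python script that performs the same refresh_token grant against the token endpoint from the answer and then rewrites deviceConfig.properties with the new tokens. The property keys auth-token and refresh-token are assumptions; adjust them to the keys your agent's file actually uses.

```python
import base64
import json
from urllib import parse, request

TOKEN_ENDPOINT = "http://localhost:9763/oauth2/token"  # endpoint used in the answer's curl


def build_refresh_request(consumer_key, consumer_secret, refresh_token, scope):
    """Build the same request the curl in the answer sends: HTTP Basic auth with
    the application's consumer key/secret and a form-encoded refresh_token grant."""
    creds = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    body = parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": scope,
    })
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, body


def update_properties(text, new_access_token, new_refresh_token):
    """Rewrite the token lines of a .properties file, leaving every other line intact.
    Key names 'auth-token' and 'refresh-token' are assumptions about the agent's file."""
    replacements = {"auth-token": new_access_token, "refresh-token": new_refresh_token}
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        out.append(f"{key}={replacements[key]}" if key in replacements else line)
    return "\n".join(out) + "\n"


def refresh_device_token(props_path, consumer_key, consumer_secret, scope,
                         endpoint=TOKEN_ENDPOINT):
    """Read the current refresh token from the properties file, call the token
    endpoint, and persist both new tokens (the refresh token rotates too)."""
    with open(props_path) as f:
        text = f.read()
    current = dict(l.split("=", 1) for l in text.splitlines() if "=" in l)
    headers, body = build_refresh_request(consumer_key, consumer_secret,
                                          current["refresh-token"].strip(), scope)
    req = request.Request(endpoint, data=body.encode(), headers=headers, method="POST")
    with request.urlopen(req) as resp:  # plain HTTP only for a local test setup
        tokens = json.load(resp)
    with open(props_path, "w") as f:
        f.write(update_properties(text, tokens["access_token"], tokens["refresh_token"]))
    return tokens["access_token"]
```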
I am migrating an old API Manager to 4.1 (with one Gateway-worker and one Control-plane) and I want to reuse the existing access token and set it in the database.
In the old version, an API has an access token with an infinite lifetime. This token is deployed in mobile apps, and it is not acceptable to regenerate a new token and redeploy the mobile app.
Actually, I have created the API in the new version (4.1). I'm using an opaque token, and I can request this API with the opaque token. I just want to use my old access token instead.
I've tried to set this token in the database:
UPDATE "IDN_OAUTH2_ACCESS_TOKEN" SET ACCESS_TOKEN = '64a84d453e9259d2104210035d8436f4',
ACCESS_TOKEN_HASH = '{"hash":"4cf7cd7f4ddc89b9900554bcf8e3ca71c605c59b278b3996a330f1fd4a3ff372","algorithm":"SHA-256"}'
WHERE ROWID = 'xxx'
Then I restarted the gateway to clear the token cache.
I have also tested the options for disabling the token cache (just for testing):
[apim.cache.gateway_token]
enable = false
[apim.cache.km_token]
enable = false
[apim.cache.restapi_token]
enable = false
When I request a token, my old token is correctly returned by the key manager:
curl -k -X POST https://my-keymanager.dev/oauth2/token -d "grant_type=client_credentials" -H"Authorization: Basic XXXXX"
{"access_token":"64a84d453e9259d2104210035d8436f4","scope":"default","token_type":"Bearer","expires_in":xxx}
But when I try to call the API with this token,
curl -k -X GET "https://my-gateway.dev/test-api/32155" -H "accept: application/json" -H "Authorization: Bearer 64a84d453e9259d2104210035d8436f4"
I always get this error:
{"code":"900901","message":"Invalid Credentials","description":"Access failure for API:
/my-Api/v2.0.0, version: v2.0.0 status: (900901) - Invalid Credentials.
Make sure you have provided the correct security credentials"}
DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failed with error 900901 org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /eQuilibre/v2.0.0, version: v2.0.0 status: (900901) - Invalid Credentials
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody56(APIAuthenticationHandler.java:536)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:516)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody46(APIAuthenticationHandler.java:402)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:353)
at org.apache.synapse.api.API.process(API.java:403)
I think there is another step, because the gateway doesn't call the key manager when I call the API.
How can I tell the Gateway to accept the new token?
EDIT 1:
I'm using opaque tokens in API Manager 4.1:
How to create an application that generates opaque tokens in WSO2 API Manager 4.x versions
EDIT 2:
I'm migrating from 2.6, but it should be the same problem with any other version using opaque tokens. The only thing I want to migrate is the value of the token.
> Actually, I have created the API in the new version (4.1). I'm using opaque token, and I can request this API with the opaque token. I just want to use my old access token instead.
First of all, we no longer support opaque tokens out of the box in our latest product versions.
> I am migrating old API manager to 4.1 (with one Gateway-worker and one Control-plane) and I want to reuse existing access token and set it in database.
From which version of API Manager are you trying to migrate? The source version is not mentioned. If the source deployment also has JWT tokens, you can migrate the existing tokens into the new deployment by migrating your database using our migration scripts.
Based on the error message, I believe you are trying to invoke the new API with the old opaque access token, whereas the new API Manager 4.1 uses JWT tokens by default.
Contact WSO2 Support via [1] for any further support.
[1] https://apim.docs.wso2.com/en/latest/install-and-setup/upgrading-wso2-api-manager/upgrading-api-manager/
Yes, if you follow our standard migration scripts, you can migrate the existing opaque tokens (that's what APIM v2.6 uses) as they are, and your existing applications will continue to function as usual. Only the new applications will use JWT tokens.
After googling we came to know that invalid_grant means the refresh token is invalid.
Link to Google OAuth doc
We don't have any of the issues mentioned by Google. Is this error related to something other than the refresh token?
More info:
We have access to read and write spreadsheets and send Gmail.
We fetch an access token for each request.
Any help would be appreciated.
We're already in production and verified by Google.
Without seeing the full error message, that being
Invalid_grant {Message here}
it is hard to help, but from my experience it is most often caused by one of the following.
Refresh token expired, app not in production.
There are several reasons why a refresh token can expire; the most common one currently is as follows.
A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.
The fix is to go to the Google developer console, on the consent screen, and set your application to production; then your refresh token will stop expiring.
invalid_grant: Invalid JWT
{ "error": "invalid_grant", "error_description": "Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values and use a clock with skew to account for clock differences between systems." }
Your server's clock is not in sync with NTP. (Solution: check the server time; if it is incorrect, fix it.)
invalid_grant: Code was already redeemed
Means that you are taking an authentication code that has already been used and trying to get another access token / refresh token for it. Authentication codes can only be used once and they do expire, so they need to be used quickly.
Invalid_grant: bad request
Normally means that the client id and secret you are using to refresh the access token were not the ones that were used to create the refresh token you are using.
Always store the most recent refresh token.
Remember to always store the most recent refresh token. You can only have 50 outstanding refresh tokens for a single user, and the oldest one will expire. Depending upon the language you are using, a new refresh token may be returned to you upon a refresh of the access token. Also, if you request consent of the user more than once, you will get a different refresh token.
User revoked access
If the user revoked your access in their Google account, your refresh token will no longer work.
User changed password with Gmail scope.
If your refresh token was created with a Gmail scope and the user changed their password, your refresh token will be expired.
Links
OAuth2 RFC docs for the invalid_grant error: RFC 6749
> invalid_grant
> The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
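The causes listed in the answer above, turned into a small triage helper. This is an added example, not code from the answer or from Google; the error_description substrings it matches are the ones quoted in the answer, plus "expired or revoked" for the revocation cases, and the second function applies the 60-minute iat/exp rule from the "Invalid JWT" message to a JWT-bearer assertion before it is sent.

```python
import json
import time

# (substring of error_description, likely cause) in the order the answer lists them.
# Constructed mapping; descriptions are those quoted in the answer above.
CAUSES = [
    ("invalid jwt", "clock skew: server time not in sync with NTP; check iat/exp"),
    ("already redeemed", "authorization code reused; codes are single-use and short-lived"),
    ("bad request", "client_id/client_secret differ from the ones that issued the refresh token"),
    ("expired or revoked", "refresh token expired (e.g. consent screen still 'Testing', "
                           "7-day tokens), user revoked access, or password change with Gmail scope"),
]

RFC6749_MEANING = ("grant invalid, expired, revoked, mismatched redirect URI, "
                   "or issued to another client (RFC 6749)")


def diagnose_invalid_grant(response_body):
    """Classify a Google token-endpoint JSON error body into one of the causes above."""
    err = json.loads(response_body)
    if err.get("error") != "invalid_grant":
        return "not an invalid_grant error: " + str(err.get("error"))
    desc = err.get("error_description", "").lower()
    for needle, cause in CAUSES:
        if needle in desc:
            return cause
    return RFC6749_MEANING


MAX_LIFETIME = 60 * 60  # assertion JWTs must be short-lived: at most 60 minutes


def assertion_times_ok(iat, exp, now=None, skew=60):
    """Pre-flight check of the iat/exp pair of a JWT-bearer assertion:
    exp after iat, lifetime <= 60 minutes, iat not in the future and exp not
    already passed (allowing `skew` seconds of clock difference)."""
    now = time.time() if now is None else now
    if exp <= iat or exp - iat > MAX_LIFETIME:
        return False
    if iat > now + skew or exp < now - skew:
        return False
    return True
```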
I am using the IS_BASE_URL/oauth2/token endpoint to get a JWT token,
but it returns only an access token. Is there any workaround to get a JWT token
for grant_type client_credentials and to set a configurable expiry time for the JWT token based on the client key and secret credentials (per service provider)?
In later IS versions (IS-5.4.0 onwards) we have a configuration in the identity.xml file as below.
<SupportedGrantType>
<GrantTypeName>client_credentials</GrantTypeName>
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
<IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
<IdTokenAllowed>false</IdTokenAllowed>
</SupportedGrantType>
Here you have to set IdTokenAllowed to true. Then you will get an ID token along with the access token for the client_credentials grant type.
At the moment we don't have a way to configure the ID token or JWT token expiry time per application; there is only a global configuration. You can set the ID token expiry time globally in the identity.xml file inside the IDTokenExpiration tag (the identity.xml file contains the IDTokenExpiration tag by default):
<IDTokenExpiration>3600</IDTokenExpiration>
Update: From the latest Identity Server (IS-5.6.0) onwards you can configure the ID token expiry time per application. Refer to https://docs.wso2.com/display/IS560/Configuring+OAuth2-OpenID+Connect+Single-Sign-On for more information.
You need to provide the scope as openid.
A sample curl request is as follows.
curl -k -d "grant_type=client_credentials&scope=openid" \
  -H "Authorization: Basic ZjdJbk9mQ2dxRUZyckVna1hQa2dFU1BwUDk0YTpJZkhSZ0dsOHVzOXI4TlkybkxPN0tiQXQxQTRh" \
  TOKEN_ENDPOINT
We provide the validity period of the app token in the "exp" claim.
Now, once the token expires, the iframe shows the message "Content is not available".
My question is: how do I programmatically detect that the token has expired, so that I can generate a new app token?
When listening to errors, as in https://github.com/Microsoft/PowerBI-JavaScript/wiki/Handling-Events#full-list-of-events-and-their-response-values,
you can subscribe to report.on('error', ...) and access the message property in the error object to detect token expiration.
Once detected, you can use the JS SDK to apply a new token without having to reload the embedded report:
https://github.com/Microsoft/PowerBI-JavaScript/wiki/Update-Embed-Token
Of course, by using 'exp' in your JWT token, you can always set a timer to refresh the token.
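An added example serving two of the answers above: checking that the IDTokenExpiration value from identity.xml actually took effect on an ID token, and computing the refresh timer the Power BI answer suggests from the token's 'exp' claim. It is not code from either answer, WSO2 or the Power BI SDK; it reads the JWT payload without verifying the signature, which is fine only for tokens you received yourself and proves nothing about their authenticity. make_test_jwt is a constructed helper that builds a dummy-signed token as sample input.

```python
import base64
import json
import time


def jwt_payload(token):
    """Decode the payload segment of a compact JWT. No signature verification:
    this only reads claims (exp, iat) from a token you already hold."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def token_lifetime(token):
    """exp - iat in seconds; for an IS ID token this should equal the configured
    IDTokenExpiration (3600 in the answer's identity.xml snippet)."""
    p = jwt_payload(token)
    return p["exp"] - p["iat"]


def seconds_until_refresh(token, now=None, margin=60):
    """Delay for a refresh timer: renew `margin` seconds before exp so the
    embedded content never hits the 'Content is not available' state.
    Returns 0 when the token is already (or nearly) expired."""
    now = time.time() if now is None else now
    return max(0, jwt_payload(token)["exp"] - margin - now)


def make_test_jwt(claims):
    """Constructed sample input: a JWT with a dummy signature segment (never
    accepted by a real verifier), used only to exercise the functions above."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".dummy-signature"
```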
I want to develop a Django application to send messages through the Google C2DM server to an Android device. It uses OAuth2 for authorization.
First I got the credentials and stored them in the storage, and then I want to get the credentials from
storage and send these credentials together with other params and headers to the C2DM API.
I could get the credentials for the scope https://android.apis.google.com/c2dm and store them in storage.
Please, could someone guide me on how I can make the request with the credentials and send it to https://android.clients.google.com/c2dm/send to deliver.
Thanks in advance,
I suppose you've been able to perform step 2, Exchange authorization code for tokens, on the Google OAuth 2.0 Playground. Then you should have acquired a refresh token and an access token (if you didn't receive a refresh token, verify that you have checked Force approval prompt and selected offline for Access type in the OAuth 2.0 Configuration).
The access token will expire after some time (usually 1 hour), but the refresh token does not. The refresh token (together with the OAuth Client ID and the OAuth Client secret) can be used to obtain a new access token:
curl --data-urlencode "client_id=OAuthClientID" \
  --data-urlencode "client_secret=OAuthClientSecret" \
  --data-urlencode "refresh_token=RefreshToken" \
  -d "grant_type=refresh_token" "https://accounts.google.com/o/oauth2/token"
(Replace OAuthClientID, OAuthClientSecret, RefreshToken.) For further reading refer to: Using OAuth 2.0 for Web Server Applications - Offline Access
Now you can use this access token and the registration ID of the device to send messages to that device using C2DM:
curl -k -H "Authorization: Bearer AccessToken" \
  --data-urlencode "registration_id=RegistrationID" \
  --data-urlencode "collapse_key=0" \
  --data-urlencode "data.message=YourMessage" \
  "https://android.apis.google.com/c2dm/send"
(Replace AccessToken, RegistrationID and YourMessage.)
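The two curl calls above combined into one Python sender, as an added example that is not from the answer, Google or any C2DM library: it keeps the short-lived access token in memory and only spends the long-lived refresh token when the access token is about to expire, then posts the C2DM message with the Bearer header. The transport is injectable (`post`) so the flow can be exercised offline against a fake; the URLs are the ones in the answer.

```python
import json
import time
from urllib import parse, request

REFRESH_URL = "https://accounts.google.com/o/oauth2/token"   # from the answer
C2DM_SEND_URL = "https://android.apis.google.com/c2dm/send"  # from the answer


def http_post(url, data, headers):
    """Default transport: form-encoded POST returning (status, body)."""
    req = request.Request(url, data=parse.urlencode(data).encode(), headers=headers)
    with request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


class C2dmSender:
    """Holds the access token and refreshes it via the refresh token only when
    it is within `margin` seconds of expiring (access tokens last ~1 hour)."""

    def __init__(self, client_id, client_secret, refresh_token, post=http_post, margin=60):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token, self.post, self.margin = refresh_token, post, margin
        self.access_token, self.expires_at = None, 0.0

    def _refresh(self, now):
        # Same parameters as the first curl in the answer (refresh_token grant).
        status, body = self.post(REFRESH_URL, {
            "client_id": self.client_id, "client_secret": self.client_secret,
            "refresh_token": self.refresh_token, "grant_type": "refresh_token"}, {})
        if status != 200:
            raise RuntimeError(f"token refresh failed: {status} {body}")
        tok = json.loads(body)
        self.access_token = tok["access_token"]
        self.expires_at = now + tok.get("expires_in", 3600)

    def access_token_for(self, now=None):
        now = time.time() if now is None else now
        if self.access_token is None or now >= self.expires_at - self.margin:
            self._refresh(now)
        return self.access_token

    def send(self, registration_id, message, collapse_key="0", now=None):
        # Same parameters as the second curl in the answer (C2DM send).
        token = self.access_token_for(now)
        return self.post(C2DM_SEND_URL, {
            "registration_id": registration_id, "collapse_key": collapse_key,
            "data.message": message}, {"Authorization": f"Bearer {token}"})
```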