I'm using the php-jwt package for my Restful API to authneticate users.
I am successfully authenticating Users and returning a token. However it seems that there is not a standard method to issue a refresh token. Although I understand the principle and the flow I'm not sure if there is a standard for the issuing of the refresh token?
If I unerstand correctly the flow is as follows:
App requests access
API checks for a valid User and issues a token which is to include a refresh token
refresh token is sent along with a request to renew, it is verified and if valid another token is issued?
But my question is how to issue the initial refesh token. Is this simply encoded in the token itself along with other data that I return such as username and email for example?
Thanks in advance. A.
I'm currently doing a bit of research of my own on JWTs. I believe you can give the client 2 tokens after auth: an access token and a refresh token. The refresh token can also be a JWT itself. What goes in it is up to you but I think what's important is that it is a valid/not expired token when used. If you can successfully validate it, then you can issue a new access token.
Related
I created "test-App" application in API Manager WSO2 with the grant types of "refresh-token" "SAML2", "PASSWORD" "Client Credentials" and "JWT"
I also Created a "test"
To use the webservices behind API manager, First, I should call https://localhost:9443/oauth2/token) to get a access-token
Unfortunately, if I call the link again, instead of receiving the same access-token, the system will generate a new access-token and the previous access-token would be expired. ( I think this link is more like refresh token rather than get the access token).
So, How can I Separate getting available access-token and Refresh-token link in WSO2 API Manager ?
In the latest versions of API Manager you have JWT tokens. When you request a new token it always generates a new token. But it doesn’t revoke the previous access token.
In the earlier versions of APIM, opaque tokens were supported and it has a different behavior. When you request a token, if it is not expired you get the same token.
Please read more about refresh grant here https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/refresh-token-grant/
If you have not done any other configuration changes, invoking https://localhost:9443/oauth2/token URL will always generate a new JWT token without expiring the earlier one. However, the token validity can be changed in the Dev Portal while generating the access token.
After googling we came to know that invalid_grant which means refresh token is invalid.
Link to google oauth doc
We don't have any of these issues mentioned by google. Is this error related to something else rather than a refresh token.
More Info
We have access to read, write spreadsheet and send gmail
We fetch an access token for each request
Any help would be appreciated.
We're already in production and verified by google
Without seeing the full error message that being
Invalid_grant {Message here}
It is hard to help but from my experience is most often caused by one of the following.
Refresh token expire, app not in production.
There are serval reasons why a refresh token can expire the most common one currently is as follows.
A Google Cloud Platform project with an OAuth consent screen configured for an
external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.
The fix is to go to google developer console on the consent screen and set your application to production, then your refresh token will stop expiring.
invalid_grant: Invalid JWT
{ “error”: “invalid_grant”, “error_description”: “Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values and use a clock with skew to account for clock differences between systems.” }
Your server’s clock is not in sync with NTP. (Solution: check the server time if its incorrect fix it. )
invalid_grant: Code was already redeemed
Means that you are taking an authentication code that has already been used and trying to get another access token / refresh token for it. Authentication code can only be used once and they do expire so they need to be used quickly.
Invalid_grant: bad request
Normally means that the client id and secrete you are using to refresh the access token. Was not the one that was use to create the refresh token you are using.
Always store most recent refresh token.
Remember to always store the most recent refresh token. You can only have 50 out standing refresh tokens for a single user and the oldest one will expire. Depending upon the language you are using a new refresh token may be returned to you upon a refresh of the access token. Also if you request consent of the user more then once you will get a different refresh token.
User revoked access
If the user revoked your access in their google account, your refresh token will no longer work.
user changed password with gmail scope.
If your refresh token was created with a gmail scope and the user changed their password. your refresh token will be expired.
Links
Oauth2 Rfc docs for invalid_grant error rfc6749
invalid_grant
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client.
I am using DjangoRest Framework simple-jwt package found at https://github.com/davesque/django-rest-framework-simplejwt.
this provides two api endpoints to get access token and refresh token. Currently I store the access token in localStorage in browser. Is this the best place to store it, or would sessionStorage be better?
When I need a new access token because the current access token expired, should I pass the refresh token (stored in localStorage) in a POST request? Is this the best implementation? It seems insecure to have this crucial refresh token string stored in the browser.
That works and yes, you would pass the refresh token. Since you're using it for a web app I suggest you make your access token and refresh tokens expire rather quickly this way it's always generating a new one.
The Twitter OAuth 1.0a flow requires authenticated request token to be exchanged with access token at consumer or client side after user has authenticated.
The problem that I'm facing is that generating access token needs authenticated request token, request token secret and verifier but the response from the oauth/authentication api doesn't have request token secret. So how do I temporarily save request token secret from oauth/request_token api call so that I can use it in oauth/access_token api call.
I found some solutions from my explorations like Running a Cache server (Memcached, Redis) or using django session feature. But they all seem to be overkill for this task.
I hope to find a simpler solution.
I'm sure you long ago figured this out, but just for future goolers: I decided to a go a more low tech route and create an OAuth token class which includes fields for the fetched and access token. Basically I take the fetched token, store it, then recall it when accessing (as it's in a different view) and then save the access token. Once (if) that's successful than I delete the fetched token.
There's likely a more glamorous way to do this, but if you're clever with your naming convention you can easily keep them straight (i.e. add a CharField for provider and just save the fetched token as twitter_fetched, and the access token as just twitter).
This has the added benefit of allowing you to create an OAuth1 or OAuth1Session from the stored access token.
When we do oauth2 on google api, we get an access token and a refresh token. Suppose I'm writing a service and I want to periodically poll for changes I can just use refresh token to get fresh access tokens every time the current access token gets invalidated. This is called offline access.
Is there any way to do the same in facebook? Is there an offline access version similar to that of google api.
Thanks.
For offline access, you need to exchange your short-lived access token for a new access token, before it expires. Facebook has a single type of access token (no refresh tokens). A about-to-expire access token should fetch you a new access token.
To manually extend the tokens using a Graph API endpoint ::
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
Quoting FB's documentation from here ::
Apps are unable to exchange an expired short-lived token for a
long-lived token. The flow above only works with short-lived tokens
that are still valid. Once they expire, your app must send the user
through the login flow again.
Do read the Expiration and Extending Tokens portion of the documentation link that I have mentioned for further clarification.
You can check the validity of your token from here , according to my token it expires never