Currently i have used some read and write scope to generate refresh and access token. Now i want to remove write scope.
but after removing write scope and create new refresh token the already created old refresh and access token got expired.
i use Oauth2.0
I have already used linkedin scopes and get new refresh token after done this steps, the old refresh token got expired.
Related
I am trying to implement SvelteKit together with Hasura (GraphQL) and Firebase auth.
I have managed to sign in the user successfully, then store the access token and credentials in an HTTP-only cookie, so that each time the user revisits, they don't have to log in again.
I am not storing the "user" object in that cookie, as that contains sensitive data such as the refresh token that would be dangerous to expose. (Is that correct?)
My problem is that although I have set the expiry date of that cookie to seven days, the access token (rightfully) expires in an hour, and I have no way to refresh it.
Research here showed me I can use user.getIdToken() to refresh the token, but my problem is that I don't have the user object stored anywhere.
Am I missing something? Should I store the user object somewhere so I can refresh the token? Or is there another way to refresh the token?
I need the access token because it needs to be passed in the graphql headers to Hasura (it contains custom claims).
I have looked through the docs and stackoverflow to find alternative ways of refreshing the token, or to find ways to get the user object from an existing token or from any non-compromising information that I could store in my cookie - but found none.
This seems to answer a similar question but I didn't understand the answer: Firebase Auth - how to refresh access token without current user object
I'm updating customClaims via auto trigger cloud function and am not able to access such new customClaims in security rules
I'm working on chat web app. with sending friend request feature and I want to limit the number of friends for each user so I use cloud function auto trigger when new document (conversation that define new friendship) get created then increase friendsNumber customclaims for been able to control the permission of limited friends, so each time user add friends friendsNumber get increase by 1, but in security rules I always got request.auth.token.friendsNumber == 0.
I know that the request was sent by old token and by forcerefresh I could get a new one. But that want works with me because I update friendsNumber customClaims via auto trigger cloud function.
Is there any methods to get latest token or a way to access such new customClaims?
According to the documentation:
After new claims are modified on a user via the Admin SDK, they are
propagated to an authenticated user on the client side via the ID
token in the following ways:
A user signs in or re-authenticates after the custom claims are modified. The ID token issued as a result will contain the latest
claims.
An existing user session gets its ID token refreshed after an older token expires.
An ID token is force refreshed by calling currentUser.getIdToken(true).
You will need to either force a refresh of the token, or wait out the period of time when the client app refreshes the token for itself. Until then, any changes to the claims will not be visible in the client or in security rules.
When I refresh an OAuth access token A, I get an new access token B. But A is still valid, I can still use it.
Shouldn't the old access token be invalidated by the refresh operation? If not, if it's "by design", could someone give me details about why?
Note: using Symfony with the FOSOAuthServerBundle bundle.
The RFC6749 section 1.5 indicates that:
Refresh tokens are issued to the client by the authorization server and are
used to obtain [...] additional access tokens
with identical or narrower scope
As far as I understand, the access token A may be still valid when an access token B is issued with the refreh token.
I'm using Google Sign-In. A user comes to my site and logs in with gapi.auth2.getAuthInstance().signIn(), or they are already logged in and when the page loads (or reloads) we fetch the status. At this point I have an identity token good for an hour that I can validate on the server.
When a user leaves the browser sitting (say, overnight), this token expires. gapi.auth2.getAuthInstance().isSignedIn.get() returns true, but the token does not validate.
How can I log in a user and keep them logged in while their session is active (ie, browser hasn't been closed)? Or refresh the token? Anything more graceful than reloading the page...
Edit: The refresh token is not a correct answer; I don't want offline access (and don't want to ask for the permission). Google obviously thinks the user is still signed into my application; the user can reload the page and get a new token without providing credentials again. Surely there is some mechanism more graceful than a hidden iframe to get an updated token?
If the token is expired, you can call gapi.auth2.getAuthInstance().currentUser.get().reloadAuthResponse(). It returns a Promise.
I've raised an issue with Google over this because it's simply ridiculous they haven't documented this properly.
My comment here advises how I've accomplished refresh using the above.
FWIW, we've managed to (mostly) make it work via a listener approach. It appears that 'userChanged' callback is invoked ~5 minutes before the access token expires. That's enough for us to extract and update the access token without refreshing the page.
What does not quite work though is when computer comes back from sleep. This can be solved relatively easy by reloading the page on wake up.
You can accomplish this with listeners.
var auth2 = gapi.auth2.getAuthInstance();
// Listen for changes to current user.
// (called shortly before expiration)
auth2.currentUser.listen(function(user){
// use new user in your OpenID Connect flow
});
This will allow you to keep current credentials, as long as the browser remains active.
If the computer is put to sleep additional work must done to get current credentials.
if (auth2.isSignedIn.get() == true) {
auth2.signIn();
}
You can use Refresh Token to get offline access. As per the official reference
Access tokens have limited lifetimes. If your application needs access to a Google API beyond the lifetime of a single access token, it can obtain a refresh token. A refresh token allows your application to obtain new access tokens.
Basically you will get the refresh token the first time you ask for authentication. You need to save that token securely for future use. The access token (you mentioned as identity token) expires after an hour. After that you have to use the refresh token each time you want to get a new usable access token.
Depending on the client library you are using the syntax will differ. following is a sample for php client library.
// get access token from refresh token if access token expire
if($client->getAuth()->isAccessTokenExpired()) {
$client->refreshToken($securelyPreservedRefreshToken);
$newToken = $client->getAccessToken();
}
check this for details steps.
I'm doing oauth in echo sign and have come across following steps.
App makes a get request to echosign along with the return url.
ex: https://secure.echosign.com/public/oauth?redirect_uri=https://example.com/oauthDemo&
response_type=code&client_id=d4HQNPFIXFD255H&scope=user_login:self+agreement_send:account
Echosign, asks the user to login to echosign and on success it appends code to the return url and sends back.
Taking the code from the return url, another post call is made to get the access token using which , api calls can be further made.
POST call to /oauth/token
On this success, token-access has been generated successfully.
The things here is, how can i bypass the step where user will not have to login to echosign. Is there other easier way to get the access-token, seems like, code needs to be generated each time to get a new access-token.
I'm working on meteor, angularjs. Also i couldnt find any working examples on js, is there any ?
Please correct any of my steps.
I couldn't find a way to bypass the user to login but this needs to be done only once.
At this step you get the access token, refresh token and expiry time in seconds.
Check if your access token has expired and if so then use your refresh token to get a new access token. You can use the refresh token indefinitely until the EchoSign user manually revokes your application's token.
User your access token to make API calls.
PS: I don't know any working examples in JS.