I'm integrating Linkedin to my app, but a refresh token is not returned. The access token endpoint (https://www.linkedin.com/oauth/v2/accessToken) just returns an access token and a TTL. Is there a way to refresh this token within 60 days, so the users don't have to reauthorize again?
This is a sample response returned:
{
"access_token": "XXXX",
"expires_in": 5183999,
"scope": "r_emailaddress,r_liteprofile,w_member_social"
}
On authorization, the users authorize these scopes: r_emailaddress, r_liteprofile, w_member_social and the products selected for the app are Sign In with LinkedIn, Share on LinkedIn.
Per the docs, you must be an approved Marketing Developer Platform partner.
Related
We are using the Google Calendar API. When attempting to revoke the access token (we've also tried the refresh token just in case) for the account, we get the following 400 response:
b'{\n "error": "invalid_token",\n "error_description": "Token expired or revoked"\n}'
We also tried the following endpoints:
accounts.google.com/o/oauth2/revoke
oauth2.googleapis.com/revoke
We want to invalidate the token and remove ourselves from the user's "Third-party apps with account access" list. However, it should be noted that the tokens are perfectly valid, so the response from Google is confusing. We have scoured the documentation and every forum we could find and still could not solve this issue.
revoke access is preformed using an access token and not a refresh token. Use the refresh token to request a new access token. Then use that to revoke the users consent.
Does the Smart Device Management API support access using a Service Account? If so what's the magic combo?
I can access the API using registered OAuth2, and get valid device list response.
When using Service Account credentials to access the device list API I get:
{
"error": {
"code": 404,
"message": "Enterprise enterprises/{project-id} not found.",
"status": "NOT_FOUND"
}
}
I think the problem is that google have chosen to cut off the "home project" user. They seem to only support oauth2 auth and if you want to use it you have to get your app certified, otherwise they revoke the refresh token after 7 days. If the refresh token didn't get revoked every 7 days then I'd be happy with oauth2 offline auth. Come on google, support the home hobbyists!
I am using my spreadsheet as an admin interface for my Firebase app, where I can authorize some user transactions on the app. The spreadsheet leverages Google apps script and cloud functions
I am able to send data back and forth on the spreadsheet and my backend and now, the next thing is to lock down access to the cloud functions HTTP URL to authorized users with admin attribute in custom claims set to true.
To do this, am hoping to send the user's OAuth token gotten from Google Apps Script API (ScriptApp.getOAuthToken()) as part of the request payload and use firebase rest API method https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=[API_KEY] to get the user's id token and other credentials in other to verify and authorise the admin user and the transaction.
const credentials = {
postBody: `id_token=${token}&providerId=google.com`,
requestUri: oAuthCredentials.web.redirect_uris[0],
returnIdpCredential: false,
returnSecureToken: true
}
APIRequest(IdentityUrls.signInWithOAuth, {
headers: {
'Content-Type': "application/json"
},
method: 'POST',
body: JSON.stringify(credentials)
}, (error, res) => {
...// perform actions here
})
The problem is that I keep getting INVALID_IDP_RESPONSE: The supplied auth credential is malformed or has expired. I am not sure why it's so and would appreciate help
I finally figured it out. What I am doing now is send the OAuth token as described in the question to the backend and make a POST request to token info endpoint with a payload of access_token: OAuth token. This returns a response with user email, email_verified, expiry_date etc. Then using this user email, I can get the userRecord on the Firebase Admin SDK which exposes a customClaims attribute. Read more about the solution here
I'm trying to implement the Authorization Code Flow to link actions on google with my firebase users:
https://developers.google.com/actions/identity/oauth2-code-flow
So far I've understood the flow as follows:
1 - User access the application and is redirected to the authorization url endpoint
2 - User signs in and google receives an authorization token
3 - Google sends this authorization token to the token url endpoint and gets an access token a refresh_token and a expiration time
4 - Google sends the refresh token to get a new access token when the access token is going to expire and gets a new acess token and a new expiration time
Did I get everything right?
As authorization token and access token I'm using the custom tokens from Firebase. My question is, how can I implement the refresh token? I cannot get this token from the Firebase Node.js SDK server side.
How can I greate long-lived tokens with Firebase Node.js SDK?
Is there another approach?
Yes, you got the OAuth2 process right.
The Firebase Admin SDK lets you sign the user in to your Firebase service using generated custom tokens. Though the custom token expires within 1 hour, once user is signed-in, they should be authenticated indefinitely (i.e. until user signs out). As such, there is really no need for SDK to generate refresh token.
I'd suggest a different approach. Use Actions on Google's SignIn helper intent to get user's info, such as email, name etc. Using this info, you will be able to sign the user in to Firebase as follows (referenced from the "Create Custom Token" Firebase doc):
var uid = "some-uid";
admin.auth().createCustomToken(uid)
// token == custom token
.then(function(token) {
firebase.auth().signInWithCustomToken(token).catch(function(error)
{
// Handle Errors here.
var errorCode = error.code;
var errorMessage = error.message;
// ...
});
})
.catch(function(error) {
console.log("Error creating custom token:", error);
});
References:
"How to use refresh token?" from Firebase's GitHub
"Create custom tokens" from Firebase's docs
"Request Signin helper" from Actions on Google docs
I'm a newbie so any help appreciated.
I've created an app/service using Google App Engine (node) that returns a simple 'hello world' response, see https://resumetemplatesconverter.appspot.com/
I've also got a Polymer web app that uses Firebase Authentication for sign up, sign in, sign out, etc.
Question is, what is the best way to configure the Google App Engine app/service so that only users authenticated with the Polymer web app can use it?
Thanks.
Firebase (Authorization Server) sends a token (Access Token) back to the client (browser).
The client now makes a request to your app engine service (Resource Server) with that token.
What you need to do is to check if the token is valid and if it is valid, return that secret data.
The OAuth 2.0 spec doesn't clearly define the interaction between a Resource Server and Authorization Server for access token validation:
Access token attributes and the methods used to access protected resources are beyond the scope of this specification and are defined by companion specifications.
So for each authentication service (Google, Facebook, GitHub, etc.) you use, you have to look up how to validate the Access Token.
Example:
Google
Request (from your app engine backend)
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123
Response
{
// These six fields are included in all Google ID Tokens.
"iss": "https://accounts.google.com",
"sub": "110169484474386276334",
"azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
"aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
"iat": "1433978353",
"exp": "1433981953",
// These seven fields are only included when the user has granted the "profile" and
// "email" OAuth scopes to the application.
"email": "testuser#gmail.com",
"email_verified": "true",
"name" : "Test User",
"picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
"given_name": "Test",
"family_name": "User",
"locale": "en"
}
You can make this plain request from your backend server but it would be better using one of the Google API Client Libraries
See here for more info regarding Authenticate with a backend server