I use Scrypted to allow viewing Nest cameras in HomeKit. When I go through the process of giving Scrypted permission to access my camera information, that token seems to expire after a week (approximately). I haven't seen any setting anywhere that allows me to change this. Is there some hidden option somewhere that can allow this permission to not expire?
I finally found the expiration page - but I don't see how to remove the 7 day limit. It offers to raise the daily token limit, but not to remove expiration.
Per https://developers.google.com/identity/protocols/oauth2#expiration this is because your OAuth client ID is unverified. You'll need to go through the OAuth client verification process to get longer-lived tokens.
Note: I'm on the Blaze Plan
I have a firebase auth user that just set up a paid account, and they're receiving a RESET_PASSWORD_EXCEED_LIMIT yet my other paid accounts aren't. How do I reset this user's password? I'm not sure what the individual reset limit is, I couldn't find it in the docs.
I have 110 users which I've gained over 48 hours
Failed Solution: I re-created the account, but the new account, even though it was able to generate email password resets, it actually was a link that didn't work, leading me to believe it's a bug. The user had to create a new account with a new email.
From Firebase Support
An OOB link is the link generated for the reset password email, it
contains an oobcode which is a one-time code, used to identify and
verify a request. Saying this, each user is permitted to use a certain
amount of links, then if he exceeds the internal quota, the error
message “RESET_PASSWORD_EXCEED_LIMIT” will appear.
To reset the quota, you just need to click the link and reset the
password, this workaround is not good for a real user, but if you are
testing it can help you to reset the quota. The real workaround for a
real user would be to wait for a period of time until the OOB links
naturally expire.
To avoid hitting this quota, I recommend you to add a validation in
your UI of the number of retries that the user can request a
reset-email password email. For example, setting a restriction of four
requests maximum in ten minutes would avoid triggering our alerting
system. This is not the exact quota, but I am giving you a good limit
that you can set in your application.
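The limit suggested in the support reply, written out as an added example (not Firebase's code and not the poster's): a sliding-window counter that allows four reset requests per e-mail address in ten minutes. The class and function names are hypothetical, and the timestamps are constructed.

```javascript
// Added example: sliding-window limit on password-reset requests.
// 4 requests per 10 minutes is the figure suggested in the support reply,
// not the real Firebase quota. All names here are hypothetical.
class ResetRequestLimiter {
  constructor(maxRequests = 4, windowMs = 10 * 60 * 1000) {
    this.maxRequests = maxRequests;
    this.windowMs = windowMs;
    this.history = new Map(); // normalized e-mail -> request timestamps (ms)
  }

  // Returns { allowed, retryAfterMs }. `now` is injectable for testing.
  tryRequest(email, now = Date.now()) {
    // Normalize so "User@Example.com " and "user@example.com" share a counter.
    const key = email.trim().toLowerCase();
    // Keep only the requests that are still inside the window.
    const recent = (this.history.get(key) || []).filter(
      (t) => now - t < this.windowMs
    );
    if (recent.length >= this.maxRequests) {
      this.history.set(key, recent);
      // The oldest request in the window decides when a slot frees up.
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.history.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }
}

// Constructed scenario: five requests one second apart, then one more
// exactly ten minutes after the first.
function demoResetLimiter() {
  const limiter = new ResetRequestLimiter();
  const t0 = 1700000000000; // constructed timestamp (ms)
  const results = [];
  for (let i = 0; i < 5; i++) {
    results.push(limiter.tryRequest(" User@Example.com ", t0 + i * 1000));
  }
  results.push(limiter.tryRequest("user@example.com", t0 + 10 * 60 * 1000));
  return results;
}
```

A check that lives only in the UI can be skipped by anyone calling the API directly, so the same counter belongs in whatever backend endpoint triggers the reset e-mail.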
The access token which is returned after hitting 'oauth/token' expires after 3600 secs (1 hour).
I understand as per the docs that this is the max time given to a user and after that the token has to be refreshed.
My question is: is there a way to decrease this expiry time? I mean, if we want a specific user to access an application for 30 mins only, how is that possible?
is there a way to decrease this expiry time?
No, the token is configured by Firebase Authentication, and there is no mechanism provided to change that. You can instead write your own code to check the expiration on the token and refuse to accept it based on your own logic.
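One way to write the check this answer describes, as an added example (not Firebase's code and not the answerer's): the server refuses a token that is still within its one-hour lifetime once the session is older than the application's own limit. It assumes the token's signature has already been verified and only the decoded claims are passed in; `MAX_AGE_BY_ROLE`, the `role` custom claim and the sample claims are hypothetical.

```javascript
// Added example: refuse a still-valid token once the session is older than
// the application's own limit. `claims` must be the payload of a token whose
// signature has ALREADY been verified (for Firebase, by the Admin SDK).
// MAX_AGE_BY_ROLE and the `role` custom claim are hypothetical policy inputs.
// A Map is used so a claim value like "constructor" cannot hit a prototype key.
const MAX_AGE_BY_ROLE = new Map([["contractor", 30 * 60], ["default", 60 * 60]]);
const CLOCK_SKEW_SEC = 60; // tolerated clock drift between issuer and server

function checkSessionAge(claims, nowSec = Math.floor(Date.now() / 1000)) {
  // auth_time records the sign-in and is carried over when the token is
  // refreshed; iat restarts with every new token, so it is only a fallback.
  const start = Number.isFinite(claims.auth_time) ? claims.auth_time : claims.iat;
  if (!Number.isFinite(start) || !Number.isFinite(claims.exp)) {
    return { ok: false, reason: "missing_time_claims" };
  }
  if (start > nowSec + CLOCK_SKEW_SEC) {
    return { ok: false, reason: "issued_in_future" };
  }
  if (nowSec >= claims.exp) {
    return { ok: false, reason: "token_expired" };
  }
  const maxAge = MAX_AGE_BY_ROLE.get(claims.role) ?? MAX_AGE_BY_ROLE.get("default");
  const age = nowSec - start;
  if (age > maxAge) {
    return { ok: false, reason: "session_too_old" };
  }
  // Whichever limit is reached first decides how long the caller has left.
  return { ok: true, remainingSec: Math.min(maxAge - age, claims.exp - nowSec) };
}

// Constructed claims: signed in at t=1000000, token refreshed 25 minutes later.
function demoSessionAge() {
  const claims = { auth_time: 1000000, iat: 1001500, exp: 1005100, role: "contractor" };
  return [
    checkSessionAge(claims, 1001700), // 28m20s after sign-in
    checkSessionAge(claims, 1001900), // 31m40s after sign-in, token not expired
    checkSessionAge({ ...claims, role: "staff" }, 1001900), // default 60-minute limit
    checkSessionAge({ role: "contractor" }, 1001900), // no time claims at all
  ];
}
```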
We are using the Calendar API of Google and it's working fine, and we have achieved almost every requirement.
But we are stuck at the point below:
How to generate new "Refresh Token" once it's revoked or expired?
Also, I need more information on when the "Refresh Token" expires, and how would I know the lifetime of this refresh token, so I can automatically create a new one before it expires?
Any answers are highly appreciated.
You may want to check this related SO post: a refresh token doesn't expire unless the user revokes it. Until it does, your app must catch this issue and then ask the user for permission in order to avoid encountering such a problem. Here is the link to Google's documentation:
Save refresh tokens in secure long-term storage and continue to use
them as long as they remain valid. Limits apply to the number of
refresh tokens that are issued per client-user combination, and per
user across all clients, and these limits are different. If your
application requests enough refresh tokens to go over one of the
limits, older refresh tokens stop working.
If you'll continue reading until Token expiration:
You must write your code to anticipate the possibility that a granted refresh token might no longer work. A refresh token might stop working for one of these reasons:
The user has revoked your app's access.
The refresh token has not been used for six months.
The user changed passwords and the refresh token contains Gmail scopes.
The user account has exceeded a maximum number of granted (live) refresh tokens.
Hope this clarifies your concern.
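The quoted advice to anticipate a refresh token that no longer works, as an added example (not Google's code and not the answerer's): the response to a refresh request is classified so that a dead token leads to a new consent prompt instead of endless retries. The HTTP call itself is left out; the function names, the record fields and the sample responses are hypothetical or constructed.

```javascript
// Added example: decide what to do with the token endpoint's answer to a
// refresh_token grant. Names and record fields are hypothetical.
function classifyRefreshResponse(status, body) {
  if (status === 200 && body && typeof body.access_token === "string") {
    return "use_token";
  }
  // invalid_grant (RFC 6749, section 5.2): the refresh token is invalid,
  // expired or revoked. Retrying cannot help; the user must consent again.
  if (status >= 400 && status < 500 && body && body.error === "invalid_grant") {
    return "reauthorize";
  }
  // Rate limiting and server errors are transient: keep the token, back off.
  if (status === 429 || status >= 500) {
    return "retry_later";
  }
  // invalid_client, invalid_request, ...: a configuration fault on our side.
  return "alert_operator";
}

// Returns an updated copy of the stored per-user token record.
function applyRefreshResult(record, status, body, nowSec) {
  const action = classifyRefreshResponse(status, body);
  const next = { ...record, lastAction: action };
  if (action === "use_token") {
    next.accessToken = body.access_token;
    next.accessExpiresAt = nowSec + (body.expires_in || 0);
    // Some servers rotate the refresh token; always keep the newest one.
    if (body.refresh_token) next.refreshToken = body.refresh_token;
  } else if (action === "reauthorize") {
    // Drop the dead token so it is never replayed, and flag the account so
    // the application asks the user to grant access again.
    next.refreshToken = null;
    next.accessToken = null;
    next.needsConsent = true;
  }
  return next;
}

// Constructed responses covering the four outcomes.
function demoRefreshHandling() {
  const record = { refreshToken: "constructed-refresh-token", accessToken: null };
  const now = 1700000000;
  return [
    applyRefreshResult(record, 200, { access_token: "constructed-access", expires_in: 3599 }, now),
    applyRefreshResult(record, 400, { error: "invalid_grant" }, now),
    applyRefreshResult(record, 503, null, now),
    applyRefreshResult(record, 401, { error: "invalid_client" }, now),
  ];
}
```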
In Webserver Grant Flow
After I obtain the Authorization Code from the authorization authority (after the user has authorized my access), how long is that code usually valid for?
The reason I am asking is, can my webserver store that code and use it in later sessions to retrieve a new access token without the need for the user to re-authenticate again? Should that be the flow?
FYI, my goal is to make requests to Adobe Analytics and Google Analytics on behalf of my customer. So I would want to ask my customer for authorization once, until he revokes my access.
Speaking strictly of Google Oauth. There are three types of codes or tokens you should be aware of.
Authorization code
Access token
Refresh token
Authorization code is returned when the user clicks accept to your application accessing their data. This code is exchanged for an access token and a refresh token. This code can only be used once and is extremely short-lived, 10 minutes I believe.
Access tokens are used to access private user data. They are valid for approximately one hour.
Refresh tokens are used to gain a new access token when the access token has expired. For the most part refresh tokens do not expire; however, if one has not been used for six months it will no longer be valid, and of course the user can always remove your access.
Answer: No, storing the authentication code would be pointless. You will need to store the refresh token. Make sure you are requesting offline access from your users.
I can't help you with Adobe Analytics; however, I suspect it is similar. This is the standard OAuth protocol we are talking about.
I have to admit the process of renewing an expired token at the server-side, because the FB user has logged out, confuses me. The solution to handle expired tokens, as presented on this page, would only seem to work if the user was viewing a server page that could prompt said user to re-authorise the app (JS location.href redirection to a FB dialog URL).
What if a server side app has saved the access token because of some processing that will take some time first? If after some hours/days the server wants to post something to the user's wall, using either the short or a long term token, but the user has logged out of Facebook - what then? Sure, the request will fail because of the logged out status of the user, but this seems to me to also mean the server will have no valid way of posting to the user's wall until they log back in to Facebook (and the app happens to try to post again at the right time).
Am I right here or missing something obvious? Seems a crazy scenario to prevent a server-based application from posting to a pre-authorised user's wall just because said user has logged out (which I'm sure many, many users do on a regular basis). Why does logging out == deauthorising the access token? And, if the user logged back in, does the existing access token become valid again, or is a whole new token required (assume we have obtained a 60 day token)?
Why does logging out == deauthorising the access token?
It doesn’t. A long-term access token doesn’t get invalid just because the user logs out of Facebook!
So get a long-term one, valid for sixty days – and you’re good to go to post or do whatever a few days after requiring the token. If the 60 days are over and the user hasn’t interacted with your app since, then you have to have the user come back to your app to get a new token.