I recently updated to the new Paw 3.
For our API we user OAuth2 authorization.
Ever since the update, the tokens do not automatically refresh. Are there any settings I need to edit? The Automatically refresh or get token option on all OAuth2 screens are turned on.
Related
I am working on project using Next JS + NextAuth package. For user authentication we are using NextAuth with Custom Credentials provider. I am making a sign in REst API request to Firebase to get the user logged in and saving all necessary bits like Firebase tokens(access and refresh) in JWT.
The flow works.
Where i am stuck: Changing user password.
Password change is pretty straight forward using firebase client SDK. But I am using Firebase API:
https://firebase.google.com/docs/reference/rest/auth#section-change-password
the flow to change password requires:
Provide latest access token in API request above.
If the latest Access token is not provided, the API would send back error like: TOKEN TOO OLD or RE AUTHENTICATE
So this to work, we need to reauthenticate the user prior to making that change password request.
What I have managed to do:
When user request password change, user needs to provide current password.
Using the current password, i would re sign in user using API end point:
https://firebase.google.com/docs/reference/rest/auth#section-sign-in-email-password
This would work but now I need to update the latest access token in the JWT using NextAuth.
At this point i am stuck:
Refreshing the JWT using Next Auth; as soon as the user is re-signed-in and again when password is changed and new access token is sent back from Firebase.
When I try to refresh the JWT with new access token (etc) token using NextAuth client side callback: https://next-auth.js.org/tutorials/refresh-token-rotation
The application breaks due to access tokens are not synced on JWT and on firebase.
Questions:
Is my flow correct changing the user password?
Is there better way of doing this?
Any help is appreciated. Thanks
We have a REST API (Python + Flask) that is exposed to external users through Google cloud functions. We also have a web application (React) that uses this API to show the results on the web. So we have two interfaces for our functionality: REST API and Web.
Now as per the new requirement we are implementing user Registration / Sign-in module (using Email & Password) on our website So that only registered / signed-in user can see the results on Web site.
We are planning to use Firebase. Integrating Firebase Client SDK in our website was straight forward (a new login page added so that users can sign-in and once logged-in, they will remain logged in until the browser cookies are cleared).
We want to have similar authentication for our REST API’s users as well. The API user will first register himself on our website. We’ll expose one more REST API SignIn where he will pass registered email & password, which we will valid using Firebase SignInWithPassword (Firebase Admin SDK / Firebase REST API) and return the ID Token / Refresh Token. Now while using any other exposed API the user needs to send these tokens IDToken / RefreshToken , which we will validate using VerifiyIDToken().
The problem is that ID Tokens are short lived (1 hour expiration), and after that VerifyIdToken will fail. Now we don’t want API user to either call SignIn API again to get new ID Token / RefreshToken or to visit our website to get any such token.
Is there is any way we can refresh API’s user ID Token without asking him to sign-in again?
Manage Tokens on Web Client
The website client code can call User.getIdToken(forceRefresh?: boolean):
Returns the current token if it has not expired. Otherwise, this will refresh the token and return a new one.
This would need to be called each time a token is sent to the server.
Alternatively, user sessions may be managed via session cookies.
Manage Session Cookies
Firebase Auth provides server-side session cookie management for traditional websites that rely on session cookies. This solution has several advantages over client-side short-lived ID tokens, which may require a redirect mechanism each time to update the session cookie on expiration:
Improved security via JWT-based session tokens that can only be generated using authorized service accounts.
Stateless session cookies that come with all the benefit of using JWTs for authentication. The session cookie has the same claims (including custom claims) as the ID token, making the same permissions checks enforceable on the session cookies.
Ability to create session cookies with custom expiration times ranging from 5 minutes to 2 weeks.
Flexibility to enforce cookie policies based on application requirements: domain, path, secure, httpOnly, etc.
Ability to revoke session cookies when token theft is suspected using the existing refresh token revocation API.
Ability to detect session revocation on major account changes.
For firebase, I'm using custom authentication because our organization uses CAS for single sign on.
Does custom authentication handle refresh jwt tokens automatically or would I need to develop a refresh workflow within my app?
I am not creating custom tokens using a third party library. My token is created via var token = firebase.auth().createCustomToken(uid, additionalClaims) as described on https://firebase.google.com/docs/auth/server/create-custom-tokens. But this page doesn't mention anything about refresh tokens.
My clients are mainly web, and I've found notes that if you use the Android SDK, this refresh happens automatically. But I'm unsure about refresh tokens and web clients for custom authentications.
After you create the custom token using createCustomToken, you pass that token to the web client and call firebase.auth().signInWithCustomToken(token). The promise returned will resolve with a firebase User. The onAuthStateChanged listener will trigger as expected. A firebase Id token will be available. The token will be refreshed every hour and will be handled by the Firebase SDK. Anytime you call a user method or getToken on user, the token will be automatically refreshed if the old one was expired.
I'm using Custom Token Authentication for my firebase app.
I will need to fetch the token from my server wherein the user needs to login first. I'm thinking of utilizing a popup.
But how do I pass to the opener (parent window) the retrieved token by the popup?
Firebase authentication uses pop-ups or redirects for OAuth authentication because a user's browser needs to be sent to the third-party OAuth provider (Google, Facebook, Twitter, etc.) in order to authenticate.
If you have your own authentication system, the simplest and easiest thing to do would be to use form input on a page, communicate with the server via XHR, and then update your UI to reflect that the user is now authenticated.
That said, if you're set on using a a new browser window / pop-up for authentication, check out Mozilla's open-source library github.com/mozilla/winchan which makes communicating between host pages and pop-ups fairly easy.
You may create a popup window for custom Firebase authentication as described in this example for Spotify OAuth: https://github.com/firebase/functions-samples/blob/master/spotify-auth/public/popup.html
Also you may use in the main application window firebase.auth().onAuthStateChanged() to listen to the Firebase user change event like in the example: https://github.com/firebase/functions-samples/blob/86f9e135af344b2e9268c055a9a1bcb00a7e7c0d/spotify-auth/public/main.js#L36
How does it work? Excerpt from the readme:
The ./popup.html receives the Custom Auth Token and other data back
from the AJAX request to the token Function and uses it to update the
user's profile, saves the access token to the database, authenticate
the user in Firebase and then close the popup. At this point the main
page will detect the sign-in through the Firebase Auth State observer
and display the signed-In user information.
I need to refresh the user linkedin access token without them having to go through the initial authorization process all over again. I have also looked at this documentation http://developer.linkedin.com/documents/exchange-jsapi-tokens-rest-api-oauth-tokens, but It doesn't work because my users authorize the app through regular OAuth and the article uses the JS OAuth. (Not sure, if there is a difference between two processes, and if there is a difference between access tokens received from each process). Even though, I'm already logged in another tab on the same browser,
it always prompts me to login to LinkedIn.
If I try IN.User.isAuthorized() it returns false though I'm logged in into LinkedIn and I can't seem to be able to refresh the token.
If I pass the user LinkedIn access token from my server to the JS and the user LinkedIn id IN.User.isAuthorized() always returns true even when I'm not logged in
So what I'm trying to ask is, is there a way to refresh the user linkedin oauth token thorguh JS when the user is logged in to linkedin on the same broswer like we are able do for facebook ? and what is it ?
You cannot refresh the token without the member being at your application.
If you want to refresh the token, the member needs to be there and you need to direct them through the authorization page. If they're signed in to LinkedIn, this will be a seamless refresh and we'll redirect page to your application.