How to add extended scope in DocuSign token creation - docusignapi

I need to add extended scope so that my token will last for 30 days before expiration. Where do I set it? Is it at token generation, as per below:
curl --header "Authorization: Basic BASE64_COMBINATION_OF_INTEGRATION_AND_SECRET_KEYS" --data "grant_type=authorization_code&code=YOUR_AUTHORIZATION_CODE&**scope=extended**" --request POST https://account-d.docusign.com/oauth/token
or at refresh token:
POST https://account-d.docusign.com/oauth/token Authorization: Basic BASE64_COMBINATION_OF_INTEGRATION_AND_SECRET_KEYS grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN&**scope=extended**
See documentation: https://developers.docusign.com/platform/auth/authcode/authcode-get-token/

First of all, the extended scope is used in addition to the signature scope, not as a replacement.
Second, this scope is requested at the time of consent.
Third, this scope does not affect the access token life. Instead, it means that when you use the refresh token you are refreshing the refresh token as well, such that you get a further 30 days before the refresh token expires.
The extended scope is ideal for integrations in a business app that is used quite often by the user. As long as they are using the integration on a recurring basis, such as an app that is used daily or weekly, then as long as they don't go on an extended holiday, they will not need to re-authenticate. However, they will need to if they missed a 30-day expiration period. This gives regular use users convenience while still maintaining a reasonable level of security.

The extended scope is needed when you originally consent and get the token from the user so that the refresh token will not expire for 30 days. It is not needed every time you use said refresh token to obtain a new access token.

Related

Some of our clients getting PARTNER_AUTHENTICATION_FAILED

Most of our clients are having no issues whatever with our system. We have an integrator key and our users do an initial link up for integration using OAuth on REST. We store the access/refresh tokens. Works fine. At some point down the road some clients seem to randomly hit this.
We are using OAuth with the REST API and always get a new access token using the client's refresh token if their access token is within 30 minutes of expiring.
Q: If a client's access token expires before they make a subsequent call (some of our clients might go 30 days before having another document to sign) to get a new one with the refresh token can that cause this?
Q: Can the refresh token expire such that they would get this?
Q: Short of the client manually revoking access to the integration on their DocuSign account, what else could cause this?
If you get this error then you need to restart the OAuth flow again.
A refresh token does expire at some point. When it expires is a policy issue. To achieve the longest possible refresh token lifetime, request scope extended in addition to signature.
Re:
Q: If a client's access token expires before they make a subsequent call (some of our clients might go 30 days before having another document to sign) to get a new one with the refresh token can that cause this?
A: I'm surprised that you're getting this specific error, but I haven't tried this for a while. I'd think the error would have a different name.
Q: Can the refresh token expire such that they would get this?
A: Same answer as above re the specific error name. In any case, a refresh token can definitely expire. Requesting the extended scope should minimize this, but at some point an account may set a policy that will also expire extended scope refresh tokens. Bottom line: your app needs to be prepared to ask the user to go through the entire OAuth Auth Code Grant flow again.
Q: Short of the client manually revoking access to the integration on their DocuSign account, what else could cause this?
A: Using the wrong base url for the user. Also, at some point there will be organizational controls that can force policies upon the org's accounts. (Organizations own and control accounts.)

How long the refresh token expires for the DocuSign API OAuth

The documentation from this link says that refresh tokens have a longer lifetime than access tokens, and you can use them to get new access and refresh tokens. How long exactly before the refresh token expires, in terms of seconds?
Thanks in advance.
[I work for DocuSign. I consulted with the DocuSign Authorization engineering team to prepare this answer.]
The lifetime for refresh tokens varies depending on a variety of authentication policies.
After it expires, the client uses the Authorization Code Grant flow to request new tokens.
Since the human needs to be present whenever the Authorization Code Grant flow is used, this authentication technique should only be used for integrations where the authenticated user is present ("User Applications").
Other authentication techniques should be used for "Service Integrations."
Added
Not all Refresh Tokens in the DocuSign system have the same lifetime. Some will last for x amount of time, others will last for y amount of time. Why some will last for x and others for y depends on various authentication policies:
DocuSign platform policies
Account (customer) policy
The type of authentication that was performed when the user logged in
Etc
Re: other companies just use "14 days." DocuSign authentication enables the authenticated person to sign legal documents. So the question of the DocuSign token lifetime is not simple.
Bottom line: test your app to ensure that it gracefully handles expiration of both access and refresh tokens.
Added Aug 2018
Access Tokens received via the OAuth Authorization Code Grant flow usually have an 8 hour life. The accompanying Refresh Token usually has a 30 day life.
If extended scope is not requested in the authentication flow, then the Refresh Token, when used, will return a new Refresh Token that will have the same expiration date as the original.
But if extended scope is requested, then, when the Refresh Token is used, the returned (new) Refresh Token will normally be good for an additional 30 days from that time.
So if extended scope is requested, and the user logs in at least once every 30 days, then the original and newly provided Refresh Tokens will enable the user to never have to re-authenticate himself or herself.
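A small model of the refresh-token lifetime rule described above, added here as an illustration (not DocuSign's code and not from the original posts). It assumes the "usual" 8-hour and 30-day lifetimes quoted in the answer; the names `consent`, `refresh` and `simulate` are hypothetical and no network calls are made.

```python
from dataclasses import dataclass

DAY = 86400
ACCESS_TTL = 8 * 3600      # "usually" 8 hours, per the answer above (assumption)
REFRESH_TTL = 30 * DAY     # "usually" 30 days, per the answer above (assumption)


class ReauthRequired(Exception):
    """Refresh token expired: the user must repeat the Authorization Code Grant."""


@dataclass
class Tokens:
    access_exp: int    # epoch seconds at which the access token expires
    refresh_exp: int   # epoch seconds at which the refresh token expires
    extended: bool     # was "extended" granted at consent time?


def consent(now, scopes):
    """Model of the initial code exchange; the scope is fixed here, at consent."""
    return Tokens(now + ACCESS_TTL, now + REFRESH_TTL, "extended" in scopes.split())


def refresh(tok, now):
    """Model of grant_type=refresh_token; note that it takes no scope argument."""
    if now >= tok.refresh_exp:
        raise ReauthRequired("refresh token expired")
    # extended: the new refresh token is good for 30 days from now.
    # otherwise: the new refresh token keeps the original expiration date.
    new_refresh_exp = now + REFRESH_TTL if tok.extended else tok.refresh_exp
    return Tokens(now + ACCESS_TTL, new_refresh_exp, tok.extended)


def simulate(scopes, use_every_days, horizon_days):
    """Return the days on which the user had to go through consent again."""
    tok, reauth_days = consent(0, scopes), []
    for day in range(use_every_days, horizon_days + 1, use_every_days):
        now = day * DAY
        if now < tok.access_exp:
            continue                    # access token still valid, nothing to do
        try:
            tok = refresh(tok, now)     # always persist the rotated refresh token
        except ReauthRequired:
            reauth_days.append(day)     # application must handle this gracefully
            tok = consent(now, scopes)  # full Authorization Code Grant again
    return reauth_days
```

The `ReauthRequired` branch is the path the answers say every integration must be prepared for, since policy can expire even extended-scope refresh tokens.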

Can I get the Instagram access_token multiple times using the same code?

I'm currently using my own Instagram account (not that of my users) to get an access_token, and thus I don't need to create an explicit server-side authentication flow for myself to get the code. I can then use the code programmatically to get an access_token without any human interaction.
My question is, for the purposes of an app that only requires the owner's code to get an access_token, does Instagram let you reuse the same code so that you don't have to keep manually entering a new one?
Thanks :)
If you are only using a single account, there is currently no need to request new access tokens repeatedly. You should be authenticating one time, and storing that access token to use with calls to the API endpoints.
Instagram access tokens currently have no set expiration, however may expire at any time in the future. So you may reuse the token indefinitely (for now), but build the system to be prepared to request a new token in the event that the stored token expires.
Per http://instagram.com/developer/authentication/:
Note that we do not include an expiry time. Our access_tokens have no
explicit expiry, though your app should handle the case that either
the user revokes access or we expire the token after some period of
time. In this case, your response’s meta will contain an
“error_type=OAuthAccessTokenError”. In other words: do not assume
your access_token is valid forever.

Instagram access token expire

I have an app, that pulls data from my Instagram account.
I authorized this app once, and got access token. But I'm worried,
what if this token expires? Should I authorize the app each time the
token expires?
Can I receive another access token from the auth code?
If no, what can I do to have my app always pulling data from account
without my participation?
Thanks.
But I'm worried, what if this token expires?
AFAIK, Instagram accesstokens don't expire currently.
Note: From Instagram documents.
Note that we do not include an expiry time. Our access_tokens have no explicit expiry, though your app should handle the case that either the user revokes access or we expire the token after some period of time. In this case, your response’s meta will contain an “error_type=OAuthAccessTokenError”. In other words: do not assume your access_token is valid forever.
Should I authorize the app each time the token expires?
At the moment, you do not need to do that, as token does not expire. As and when the token expires in future, a corresponding warning or error code and message will be sent to you, which you need to handle.
what can I do to have my app always pulling data from account without
my participation?
You can try following:
Use sharedpreference to store the accesstoken.
The first time you try to fetch data that needs the accesstoken (authenticated requests), first check in the sharedpreference whether the accesstoken is stored or not.
If yes, then you don't need to log in, just use that accesstoken. If you don't have the accesstoken in preference, then do the login using Instagram credentials, get the accesstoken, store it in shared preference and use that for subsequent requests.
You can provide an Instagram logout option in which you just need to clear the accesstoken from sharedpreference.
Hope this is helpful to you.
Update - This no longer works as mentioned in the comments
While not well documented, it's worth pointing out that retrieving a feed of posts does not require an accessToken.
https://api.instagram.com/v1/users/{user-id}/media/recent/?access_token=ACCESS-TOKEN
can also be called passing just your client_id
https://api.instagram.com/v1/users/{user-id}/media/recent/?client_id=CLIENT_ID
This isn't made clear in their documentation though.
https://instagram.com/developer/endpoints/users/
The Instagram access token expires at arbitrary times.
Twice in the last 7 months from my experience.
I did not find any way to regenerate the token without my participation, the only valid solution IMHO is to avoid the official API and use something like:
https://stackoverflow.com/a/33783840/
For the last 3 weeks, I have created a new token multiple times and it expires after 2 days, but I also noticed that some tokens which were created 3 years ago didn't expire. Also, Instagram docs say the token can expire any time in the near future.
There is a hack at this moment to show the user's last post: just append `/?__a=1` to the URL
after the user name, such as
https://www.instagram.com/vaseem.ishak/?__a=1
You will get the user's last post with image text, number of comments, likes, etc. Just dig a little into the returned JSON.

OAuth2 and Google API: access token expiration time?

We have a standalone Java application (see "Installed application") which runs periodically and uses Google API (updates some information from customer databases/ldap/...).
To access Google APIs we store username and password in configuration file, which is a security risk and customer does not like that. So we would like to use OAuth2 long-living access token instead.
What's the default expiration time for Google OAuth2 access tokens?
As we will have only access token in application, app itself cannot refresh it when access token expires.
Personally I think that OAuth2 implementation in this case will not bring any major benefit, but let's focus on the main question - default expiration times.
You shouldn't design your application based on specific lifetimes of access tokens. Just assume they are (very) short lived.
However, after a successful completion of the OAuth2 installed application flow, you will get back a refresh token. This refresh token never expires, and you can use it to exchange it for an access token as needed. Save the refresh tokens, and use them to get access tokens on-demand (which should then immediately be used to get access to user data).
EDIT: My comments above notwithstanding, there are two easy ways to get the access token expiration time:
It is a parameter in the response (expires_in) when you exchange your refresh token (using the /o/oauth2/token endpoint).
There is also an API that returns the remaining lifetime of the access_token:
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={accessToken}
This will return a json array that will contain an expires_in parameter, which is the number of seconds left in the lifetime of the token.
The default expiry_date for a Google OAuth2 access token is 1 hour. The expiry_date is in Unix epoch time in milliseconds. If you want to read this in human readable format then you can simply check it here: Unix timestamp to human readable time
