How do I indefinitely refresh the access token using JMPerez's web api. I use Spotify's Web API tutorial to get the authorization code flow login. But that login only happens once so I get the access token and refresh token once after logging in. How would I continuously refresh the access token?
For now I just redirect to login page when access token times out
Related
I have the refresh token expiry on B2C set to the minimum and I left my account logged in but inactive for the past couple days. Now, I'm receiving logs showing the mobile application is trying to get a new access token using the expired refresh token but I'm catching an error: "time out".
Correct me if I'm wrong but from what I understand, refresh tokens don't expire and I need to manually revoke them then send the user back to log in screen? How do I revoke the refresh token on client side?
Thanks.
If you wish to revoke the refresh token, you can use power shell: Revoke-AzureADUserAllRefreshToken,
or AAD Graph API : POST https://graph.windows.net/{tenant id}/me/invalidateAllRefreshTokens?api-version=1.6 HTTP/1.1.
How to Get User Id_token of logged in user from azure ad without redirect using Client Id and Secret. we are trying oauth library authorize endpoint, but it redirects to call back url. We need just the Id_token of already logged in user.
You must ensure that your application is logged in and has received a refresh token.
Use your refresh token to get id_token directly without having to redirect the url again.
I am trying to revoke a refresh token so that it cannot be used any further to obtain more access tokens via oauth2.
I am using simple-oauth2 nodejs library that wraps the requests to obtain access and refresh tokens. Once I have these tokens, I can use the access token to make graph.microsoft.com calls. When the token expires, I can obtain a new one. This library has a .revoke() method that takes a revoke url. I specify this as http://login.microsoft.com/common/oauth2/v2.0/logout
but the refresh token is still valid.
According to https://support.office.com/en-us/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US
The Azure Active Directory: "An administrator can apply conditional access policies which restrict access to the resource the user is trying to access."
Is it possible to revoke using oauth2 request? I see this https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oidc
which shows the oauth2 logout url /common/oauth2/v2.0/logout.
Azure Active Directory does not support or provide an endpoint for an application to revoke the refresh tokens. The recommended approach is to clear the token cache on logout to prevent the re-use of the token.
A similar post is here: Revoke a refresh token on Azure AD B2C
You can read more about the policies on token lifetimes of refresh tokens here
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
How to get authorize and then get access token in Box API using Console or Library project in C#. I have tried authorize API but it returns HTML. I need only THE_AUTHORIZATION_CODE so that it can be passed into Token API for getting access_token.
Or can there be an enterprise access_token which is gotten through the web portal, just like developer token, but which never expires?
Today I discovered that Box is making available a new service called 'Box for Developers' that enables server-to-server token grants and does not require end-user authentication. It's currently in beta. Read more about it.
The BoxDevEditionHelper package provides an implementation of the server-to-server OAuth workflow.
Original Post
How to get authorize and then get access token in Box API using Console or Library project in C#.
OAuth2 requires the user to authenticate with the service in a browser or embedded browser window. There are no exceptions to this requirement.
Or can there be an enterprise access_token which is gotten through the web portal, just like developer token, but which never expires?
No. All Box access tokens expire after ~60 minutes. Access tokens granted through the standard OAuth workflow can be indefinitely refreshed, but the tokens granted through the developer portal do not follow this workflow and thus cannot be refreshed.
I have resolved it By using call oauth2/token API, which returns access_token and refresh_token. access_token will expire as mentioned by #Jonh in above post. But you can store refresh_token in persistence storage. When access_token expires you can get new access_token by using refresh_token by calling same token API.
I am using flicker PHP sdk phpFlickr-3.1 to access media content into a web application. I have successfully obtained the authentication token with required grants. I need to support the logout feature in web application. The logout from web application should either logout from yahoo account or it should revoke grants form authentication token.
Is there any API to logout / expire authentication token / remove grant permission from authentication token?
I'm not aware of an API to explicitly log out. However, you can simply discard the access token that you received from the OAuth workflow, once your access is complete. This will force your application to go through the workflow again, the next time your app needs access. Quoting from the docs, emphasis added:
After the user authorizes your application, you can exchange the
approved Request Token for an Access Token. This Access Token should
be stored by your application, and used to make authorized requests to
Flickr.