When do Passport Personal Access tokens exactly expire? Is it one year or they never expire?
In the doc, it says "Personal access tokens are always long-lived. Their lifetime is not modified when using the tokensExpireIn or refreshTokensExpireIn methods."
How much is long-lived? Is there any way to make them NEVER expire?
It is 1 year from date of creation.
Related
I need to get access token with expiration date as infinite.
I am using AcquireToken method which generates token with expiration time as 1hour based on UTC.
I need to use this access token for Add-AzureRmAccount command (Need example command for this too for successful login)
How to generate access token without any expiration in c#.
Please help me to work on this scenario.
Thanks in advance.
As Gaurav Mantri mentioned, an access token without any expiry is a major security risk, and it is not allowed in Azure. From the Configurable token lifetimes in Azure Active Directory (Public Preview) document, we know that the default expiration of an access token is 1 hour, and the max is 1 day.
How to generate access token without any expiration in c#.
Simple answer is that you can't and you shouldn't. Access tokens are returned by Azure AD and their expiration is set there only i.e. it is not in your control.
Also, getting an access token without any expiry is a major security risk (that's why "you shouldn't" remark above).
If you're using any Azure AD SDK (ADAL for example), it takes care of automatically renewing your access token so you don't have to worry about renewing that.
I made an app (which is live now) and it uses the Instagram API.
It uses one access token per hour (which is far away from the limit of 5000/hour).
But what I see is that if, say, 25 users gave access to me, then each day 2 to 4 users' access tokens become invalid (seemingly randomly).
But Instagram says that:
Even though our access tokens do not specify an expiration time, your
app should handle the case that either the user revokes access, or
Instagram expires the token after some period of time. If the token is
no longer valid, API responses will contain an
“error_type=OAuthAccessTokenException”. In this case you will need to
re-authenticate the user to obtain a new valid token. In other words:
do not assume your access_token is valid forever.
I confirmed that none of these "Revoked Access".
Is there any reason why it's happening?
Or is there any platform where I can contact Instagram and ask the reason,
so that I can avoid it (if I'm doing something wrong)?
Unfortunately, the tokens have a tendency to (seemingly) randomly expire. I think the reason is that Instagram doesn't want a single token to grant full access to a user's content without expiration.
Instagram expires the token after some period of time
I would recommend having the user re-auth through Instagram to get a fresh token, as they suggest, and making sure that you are able to handle that OAuth exception when it happens.
In this case you will need to re-authenticate the user to obtain a new valid token.
do not assume your access_token is valid forever.
Also, since the permissions update on 2016-06-01, Instagram has been somewhat hostile and generally unhelpful toward 3rd party apps, so it's not really worth contacting them.
What are the reasons that the Instagram access_token becomes invalid? I've noticed that there is no time expiration of the token.
Does someone know how to avoid it?
Thanks a lot for your replies.
All your answers are given in this document:
https://www.instagram.com/developer/authentication/
Important
Even though our access tokens do not specify an expiration
time, your app should handle the case that either the user revokes
access, or Instagram expires the token after some period of time. If
the token is no longer valid, API responses will contain an
“error_type=OAuthAccessTokenException”. In this case you will need to
re-authenticate the user to obtain a new valid token. In other words:
do not assume your access_token is valid forever.
So the token expires in two cases:
The user revokes access
After some time (no specific time interval)
Does someone know how to avoid it?
No. There is no way to avoid it because that is for security reasons. Avoiding it is compromising the security of the user and Instagram definitely doesn't want that.
So the only solution (and the proper way) is to handle OAuthAccessTokenException.
Recently, I implemented the JWT strategy using passport and node.js... however, I am beginning to worry about the concept in general. Isn't it true that once someone has access to the JWT, it can be used to retrieve protected data? And isn't gaining access to the JWT, as easy as using chrome dev tools?
I could try and reduce the expiry date, however... isn't it true that as long as the user details are the same, the token generated will also be the same every time? So what's the point of the expiry date, if you are going to end up with the same token anyway? I am sure that I am missing the point here somewhere. Guidance would be appreciated. Thanks.
Isn't it true that once someone has access to the JWT, it can be used to retrieve protected data? And isn't gaining access to the JWT, as easy as using chrome dev tools?
Generally speaking, it shouldn't be an issue if the user can access their own JWT -- because they're the one who is allowed and should have access to that token. (Which is what Dev Tools would allow you to access, but not other people's tokens.)
It becomes an issue when someone else can access that user's JWT, which is when things like using SSL/HTTPS show their value (because encryption prevents another user from sniffing traffic and retrieving the JWT, for example). This is a fairly broad topic to try and cover though, but ultimately if someone else can access some random user's JWT then there are security issues, yes. It's not strictly related, but I enjoy this Auth0 article which talks about the differences between JWTs and cookies (which you may already understand -- and hence it may be useful/interesting) and some of the related security concerns and how JWTs fit into the picture.
I could try and reduce the expiry date, however... isn't it true that as long as the user details are the same, the token generated will also be the same every time? So what's the point of the expiry date, if you are going to end up with the same token anyway?
The token's expiry is stored within the body of the token (under an exp key), hence the token's value does change whenever a new token is generated with a different expiry time. RFC7519 states the "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Hence, if the library you're using is acting correctly in this regard, then a token with an exp value in the past won't validate correctly and hence the token is unusable.
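The point made in this answer, as an added example that is not part of the original question or answer: two tokens for the same user differ as soon as `exp` differs, a verifier rejects a token at or after its `exp`, and editing `exp` by hand breaks the signature. The hand-rolled HS256 code, the secret, the timestamps and all function names are assumptions for illustration; a real application would use a maintained JWT library.

```javascript
// Added example: minimal HS256 JWT signing and verification with Node's crypto
// module, for illustration only. SECRET, ISSUED and the claims are constructed.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

function sign(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

// Returns the payload or throws. nowSeconds is injectable so expiry is testable.
function verify(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const payload = JSON.parse(Buffer.from(body, 'base64url').toString());
  // RFC 7519: the current time MUST be before the "exp" value.
  if (typeof payload.exp !== 'number' || nowSeconds >= payload.exp) {
    throw new Error('token expired');
  }
  return payload;
}

// Rewrites exp without re-signing, to show that the signature check rejects it.
function withEditedExp(token, exp) {
  const [head, body, sig] = token.split('.');
  const payload = JSON.parse(Buffer.from(body, 'base64url').toString());
  return `${head}.${b64url(JSON.stringify({ ...payload, exp }))}.${sig}`;
}

const SECRET = 'constructed-demo-secret';
const ISSUED = 1700000000; // constructed fixed timestamp (seconds)
const tokenA = sign({ sub: 'user-42', exp: ISSUED + 900 }, SECRET);
const tokenB = sign({ sub: 'user-42', exp: ISSUED + 1800 }, SECRET);

// Returns the subject on success, or the rejection reason.
function outcome(token, now) {
  try { return verify(token, SECRET, now).sub; } catch (e) { return e.message; }
}
```

Signing the same payload twice does give the same token, which is why the expiry has to be part of the signed body rather than tracked separately.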
I have an app, that pulls data from my Instagram account.
I authorized this app once, and got access token. But I'm worried,
what if this token expires? Should I authorize the app each time the
token expires?
Can I receive another access token from the auth code?
If no, what can I do to have my app always pulling data from account
without my participation?
Thanks.
But I'm worried, what if this token expires?
AFAIK, Instagram accesstokens don't expire currently.
Note: From Instagram documents.
Note that we do not include an expiry time. Our access_tokens have no explicit expiry, though your app should handle the case that either the user revokes access or we expire the token after some period of time. In this case, your response’s meta will contain an “error_type=OAuthAccessTokenError”. In other words: do not assume your access_token is valid forever.
Should I authorize the app each time the token expires?
At the moment, you do not need to do that, as token does not expire. As and when the token expires in future, a corresponding warning or error code and message will be sent to you, which you need to handle.
what can I do to have my app always pulling data from account without
my participation?
You can try following:
Use sharedpreference to store the accesstoken.
The first time you try to fetch data that needs an accesstoken (authenticated requests), first check in the sharedpreference whether the accesstoken is stored or not.
If yes, then you don't need to log in, just use that accesstoken. If you don't have the accesstoken in the preference, then do the login using Instagram credentials, get the accesstoken, store it in the shared preference and use that for subsequent requests.
You can provide an Instagram logout option in which you just need to clear the accesstoken from the sharedpreference.
Hope this is helpful to you.
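The store-then-reuse flow from this answer, combined with the token-error handling that the quoted Instagram documentation asks for, as an added example that is not part of the original answers. The response shape `{ meta: { error_type }, data }`, the in-memory `TokenStore` and all function names are assumptions; both `error_type` spellings quoted on this page are treated as a dead token.

```javascript
// Added example (not from the original answers). The response shape
// { meta: { error_type }, data } and every name below are assumptions.

// Both spellings appear in the documentation excerpts quoted on this page.
const TOKEN_ERRORS = new Set(['OAuthAccessTokenException', 'OAuthAccessTokenError']);

// Stand-in for persistent storage (shared preferences, a database row, ...).
class TokenStore {
  constructor() { this.tokens = new Map(); }
  get(userId) { return this.tokens.get(userId) ?? null; }
  save(userId, token) { this.tokens.set(userId, token); }
  clear(userId) { this.tokens.delete(userId); }
}

// Before a request: reuse the stored token, or send the user to login.
function nextStep(store, userId) {
  const token = store.get(userId);
  return token ? { action: 'call_api', token } : { action: 'login' };
}

// Inspect a parsed API response body. A token error clears the stored token so
// it is never retried, and tells the caller to re-authenticate the user.
function handleResponse(store, userId, body) {
  if (!body || !body.meta) return { action: 'fail', reason: 'malformed_response' };
  const errorType = body.meta.error_type;
  if (TOKEN_ERRORS.has(errorType)) {
    store.clear(userId);
    return { action: 'login', reason: errorType };
  }
  if (errorType) return { action: 'fail', reason: errorType }; // not a token problem
  return { action: 'done', data: body.data };
}

// Constructed sample bodies, not captured traffic.
const okBody = { meta: { code: 200 }, data: [{ id: 'post-1' }] };
const expiredBody = { meta: { code: 400, error_type: 'OAuthAccessTokenException' } };

function demo() {
  const store = new TokenStore();
  const steps = [nextStep(store, 'u1').action];                 // nothing stored yet
  store.save('u1', 'token-A');
  steps.push(handleResponse(store, 'u1', okBody).action);       // token still valid
  steps.push(handleResponse(store, 'u1', expiredBody).action);  // token rejected
  steps.push(nextStep(store, 'u1').action);                     // token was cleared
  return steps;
}
```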
Update - This no longer works as mentioned in the comments
While not well documented, it's worth pointing out that retrieving a feed of posts does not require an accessToken.
https://api.instagram.com/v1/users/{user-id}/media/recent/?access_token=ACCESS-TOKEN
can also be called passing just your client_id
https://api.instagram.com/v1/users/{user-id}/media/recent/?client_id=CLIENT_ID
This isn't made clear in their documentation though.
https://instagram.com/developer/endpoints/users/
The Instagram access token expires at arbitrary times.
Twice in the last 7 months from my experience.
I did not find any way to regenerate the token without my participation, the only valid solution IMHO is to avoid the official API and use something like:
https://stackoverflow.com/a/33783840/
For the last 3 weeks, I have created a new token multiple times and it expires after 2 days, but I also noticed that some tokens which were created 3 years ago didn't expire. Also, the Instagram docs say the token can expire any time in the near future.
There is a hack at the moment to show the user's last post: just append `/?__a=1` to the URL
after the user name, such as
https://www.instagram.com/vaseem.ishak/?__a=1
You will get the user's last post with image text, number of comments, likes, etc. Just dig a little into the returned JSON.