I am working on Power BI reports and integrating them into an app using sample code provided by Microsoft on GitHub. The client ID and the secret key should be copied into the config file after registering the app in Azure Active Directory. I am able to get the access token using the dashboard sample where the user needs to log in and generate an embed URL. Does anyone know how to refresh the token or extend the expiry time? For now it lasts only 1 hour, and after that the report doesn't work.
Thanks.
You can refresh the access_token by submitting a POST request to the /token endpoint with grant_type=refresh_token. Please click here for how to refresh a token in the OAuth 2.0 auth code grant.
With ADAL 2.X, you could use the AuthenticationContext.AcquireTokenByRefreshToken function to acquire a security token from the authority using a refresh token previously received.
But ADAL 3.X won't expose the refresh token, and the AuthenticationContext.AcquireTokenByRefreshToken function has been removed. ADAL caches the refresh token and will automagically use it whenever you call AcquireToken and the requested token needs renewing (even if you want to get a new access token for a different resource).
More background at http://www.cloudidentity.com/blog/2015/08/13/adal-3-didnt-return-refresh-tokens-for-5-months-and-nobody-noticed/
To extend the expiry time of the access token, you could refer to the document: Configurable token lifetimes in Azure Active Directory
I am working on a PHP web app that needs to make HTTP requests to the Sharepoint API with Sites.Selected permission to a specific SharePoint site. It is NOT viable for me to provide a user sign-in experience so I need to treat it as a non-user/daemon application.
I've read the docs and looked at many different forums for the solution, but as of yet I've been unsuccessful in obtaining an SPO-specific access token, although I think I'm close.
I am using this StackOverflow answer as a guide: https://stackoverflow.com/a/63386756/19038862
This is what I've done:
1. Registered an Azure App: (Image of my Azure App Overview)
2. Created a client secret in the App dashboard: (Image of the client secret page)
3. Successfully sent a request to https://login.microsoftonline.com/{{app_tenant_id}}/oauth2/v2.0/token using the client secret in Postman: (Image of Postman request)
The request made in step 3 returns an access token (I assume a MS Graph access token?), but it DOES NOT return a refresh token, which is what the aforementioned StackOverflow answer suggests you need to "swap" for an SPO-specific access token.
How do I obtain this refresh token so that I can swap it for a SPO access token? Or what better way is there to get my hands on a SPO specific access token from a non-user app?
I wrote this gist to guide you into getting Sites.Selected access to the desired site:
https://gist.github.com/ruanswanepoel/14fd1c97972cabf9ca3d6c0d9c5fc542
This guide shows you how to configure this as Application permissions, and via the Graph API.
I've found going through the Graph API is the best way to go.
Also strangely it's not possible to get delegated Sites.Selected permissions. You must set it up as an Application permission.
The guide describes that you have to get a delegated auth token from Graph, but you are getting an application auth token. The token response of this flow does not contain a refresh_token. See here.
But you already wrote that you are not able to provide a user sign-in experience. One workaround would be to once manually get the access_token and refresh_token of a user with the delegated flow and then periodically get a new access_token with the refresh_token on your server. You could store these values in your database and update them when you fetch a new one.
First, the daemon-based client credential flow does not return a refresh token for you. You also can't redeem the refresh token of the graph API for an access token for SPO, which are two completely different API resources.
To get an access token for SPO you just need to set scope to: https://{tenant-name}.sharepoint.com/.default.
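The point of the last answer, as an added example that is not part of the original posts: a daemon requests one token per resource with the client credentials grant and simply repeats the request at expiry, since no refresh token is issued. `DaemonTokens`, the `post_form` transport and the `contoso` tenant name are hypothetical, and `fake_endpoint` is a constructed stand-in for the token endpoint.

```python
import time

def client_credentials_form(client_id, client_secret, resource):
    """Form body for the v2.0 /token endpoint; one resource per request."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": resource.rstrip("/") + "/.default",
    }

class DaemonTokens:
    """Per-resource access-token cache for an app with no signed-in user."""

    def __init__(self, post_form, client_id, client_secret, skew=60):
        self.post_form = post_form  # hypothetical transport: form dict -> parsed JSON dict
        self.client_id, self.client_secret, self.skew = client_id, client_secret, skew
        self.cache = {}             # resource -> (access_token, expires_at)

    def token_for(self, resource, now=None):
        now = time.time() if now is None else now
        token, expires_at = self.cache.get(resource, (None, 0.0))
        if token and now < expires_at - self.skew:
            return token            # a Graph token is never reused for SharePoint
        body = self.post_form(
            client_credentials_form(self.client_id, self.client_secret, resource))
        if "access_token" not in body:
            raise RuntimeError(f"token request failed: {body.get('error')}")
        # No refresh_token comes back in this flow; at expiry the app repeats
        # the request with its own credentials.
        self.cache[resource] = (body["access_token"], now + int(body.get("expires_in", 0)))
        return body["access_token"]

def fake_endpoint(form):
    """Constructed stand-in for the token endpoint: echoes the requested scope."""
    fake_endpoint.calls += 1
    return {"token_type": "Bearer", "expires_in": 3600,
            "access_token": f"token#{fake_endpoint.calls} for {form['scope']}"}

fake_endpoint.calls = 0
```

In a real app `post_form` would send the form URL-encoded to the tenant's /oauth2/v2.0/token endpoint over HTTPS, with the client secret loaded from a secret store rather than source code.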
I have created an Appian Connected System for DocuSign authentication with Authenticate Code Grant. I am able to authenticate & hit APIs successfully. But the issue is my token expires every 8 hours, and then I have to go and authenticate from the Connected System file again.
Please help me understand how I can refresh my token when it's expired/about to expire.
I can explain how refresh tokens are used to generate a new access token.
However, this may not be possible with Appian, I am not sure about that, because I'm not sure about how Appian works.
First, you have to store the refresh_token you got when you used Auth Code Grant to get the original access_token that expired. That token can be used to get another access_token later.
To get a new access token, use the refresh_token as you would an authorization code, but with a grant_type value of refresh_token and a refresh_token parameter that holds the contents of the refresh_token.
Read more in this Developer Center page
Azure AD is granting my application access tokens and a refresh token. When I use the refresh token to get a new access token, in return I get a new access token and a NEW refresh token.
Azure AD does not specify like Google Suite how many refresh tokens are allowed. But to the root of the problem, I don't want a refresh token being recreated and sent back, every time I use a refresh token. What is happening here? How do I stop this?
Returning of new refresh token is part of the OpenID Connect Protocol Specification which references the OAuth Authorization Framework section 5.1 for clarity.
Indeed the return of a refresh token is optional, but the implementation in Azure AD is so that it always returns a refresh token. I personally see no issue with it. Just throw away the last saved refresh token and keep the new one you got.
You cannot control this, it is done by design. It is also in compliance with the OAuth 2.0 spec:
The authorization server authenticates the client and validates the refresh token, and if valid, issues a new access token (and, optionally, a new refresh token).
As for "floating out there", this only happens if you make it happen. If your app "forgets" the old refresh token then it is gone.
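The refresh grant described in the DocuSign answer and the rotation behaviour described in the Azure AD answers, as an added example that is not part of the original posts: the store renews the access token shortly before expiry, replaces its refresh token whenever a new one is returned, and asks for a fresh sign-in when the refresh token is rejected. `TokenStore`, the `post_form` transport and the token values are hypothetical, and `make_fake_endpoint` is a constructed stand-in for a /token endpoint.

```python
import time

class ReauthRequired(Exception):
    """The refresh token was rejected; the user must sign in again."""

class TokenStore:
    """Keeps one access/refresh token pair and renews it with the refresh grant."""

    def __init__(self, post_form, client_id, client_secret, refresh_token, skew=60):
        self.post_form = post_form  # hypothetical transport: form dict -> (status, JSON dict)
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token = refresh_token
        self.access_token, self.expires_at, self.skew = None, 0.0, skew

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        if self.access_token and now < self.expires_at - self.skew:
            return self.access_token  # still valid, no network call
        status, body = self.post_form({
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if status != 200:
            if body.get("error") == "invalid_grant":  # revoked, expired or superseded
                self.access_token = self.refresh_token = None
                raise ReauthRequired(body.get("error_description", "invalid_grant"))
            raise RuntimeError(f"token endpoint error: {body.get('error')}")
        self.access_token = body["access_token"]
        self.expires_at = now + int(body.get("expires_in", 0))
        # A new refresh token is optional in OAuth 2.0: replace the stored one
        # when the server sends it, otherwise keep using the old one.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        return self.access_token

def make_fake_endpoint():
    """Constructed stand-in for a /token endpoint that rotates refresh tokens."""
    state = {"valid": "rt-0", "n": 0}
    def post_form(form):
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") != state["valid"]:
            return 400, {"error": "invalid_grant"}
        state["n"] += 1
        state["valid"] = f"rt-{state['n']}"
        return 200, {"access_token": f"at-{state['n']}", "expires_in": 3600,
                     "refresh_token": state["valid"]}
    return post_form
```

A server-side app would persist `refresh_token` after every successful call, so that a restart does not fall back to a token the server has already replaced.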
On my localhost, I have authenticated my user and gotten a Refresh Token and Access Token using Passportjs.
I am using Google's Official Node.js library to get the Google Analytics data and it all seems to work fine.
On this GitHub issue, Justin clearly mentions that the expiry is set by Google's APIs.
How long is the refresh_token valid and at what time do I have to authorize myself again?
This is more of an OAuth2 question than a Google Analytics question.
Access tokens on Google servers are good for one hour.
The refresh token does not expire and you can use it as many times as you want to request a new access token.
You should still handle invalid refresh tokens in your code. The user can revoke your access via their Google account. You can have max 50 outstanding refresh tokens before the first one starts working. If I authenticate your application you will be given a refresh token; if I do it again you get another refresh token. There can be max 50 of them outstanding.
If the refresh token does become invalid you should just request authentication from your user again. The library you are using should be handling refreshing the access token for you.
I set up a new key for Public API access for a server application under the APIs & auth > Credentials screen on the Google Developers Console.
Doing a YouTube data api request just stopped working and as a last ditch effort I regenerated the key. Now I'm seeing that the status row now states that it will be active until 1 day in the future. Why? I want this key to be active forever.
Is this Google's way of forcing me to use OAuth on a server app?
When using OAuth 2.0 you'll go through the OAuth flow and end up with an Access token and a Refresh token.
The Access token is short-lived and will expire relatively quickly. The Refresh token is long-lived and might expire in a year, or maybe never.
You can Refresh your Access token and use the new token that you receive:
Check here for documentation