Error:"invalid_grant", Description:"Token has been revoked.", Uri:"" - asp.net-mvc-5

I have an MVC app, like explained here: https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth#web-applications-aspnet-mvc
From Javascript I make AJAX calls to some Action that uses Google API to get message from Gmail.
At first everything works fine, but after some time I keep receiving
Error:"invalid_grant", Description:"Token has been revoked.", Uri:""
Can someone explain to me what that means and why I am getting this error?
Cheers

Error:"invalid_grant", Description:"Token has been revoked.", Uri:""
Means just that the user has revoked your access to their data; you will need to request authentication again.
One thing you need to remember while testing: if you request access from yourself, you grant it and get a refresh token; do it again and you get another refresh token. They both will work. You can do this up to 26 times and have 26 technically live and active refresh tokens for an application. Once you do it the 27th time, the first one will stop working; normally you just get an invalid grant error.
Token has been revoked normally means that the user has revoked access in Google but it might be different with Gmail.
Update 2021:
Invalid grant means that the token you have no longer works. As of 2021 Google has made a change which will cause all refresh tokens to expire after seven days if the project that created it is still in the testing phase. The solution is to move your project to production, and then your refresh tokens will last longer than seven days.

Related

Is this an acceptable approach to refreshing JWTs?

I'm in the process of rebuilding an existing web app, that uses JWTs to manage authentication. I'm still new to JWTs, so I'm learning about how they should work, while, at the same time, trying to understand why the web app's current implementation is the way it is.
The current version's flow is as follows:
When a user successfully logs in or registers, a user object is returned along with a JWT property. This JWT is included in subsequent API calls as an Authorization header.
Every ten minutes, a GET request is made to API endpoint /refresh-token.
If successful, the response body contains a success message, and the response header contains an updated Authorization header.
All subsequent ten-minute timed GET requests to /refresh-token use the original JWT that was returned in step 1, and so on.
From what I've read so far, this doesn't correlate with any recommended approaches.
Is it safe enough to replicate this flow in the newer version, or is this something I'm better off not replicating?
Edit: I'm working solely on the front-end - the API isn't being updated for a while, so I'm limited to what it currently returns.
I believe this article summarizes the current state of the art: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/. You usually have two tokens: an access token, which is short-lived, and a refresh token, which lives longer. This way you don't need to call the auth server every x minutes, but you can do it on demand.
I don't know if you need to deal with blacklisting too? I believe blacklisting is easier when you have a separation of access token and refresh token (only the refresh token needs to be blacklisted). But I believe you could deal with this problem too, probably in a bit more sophisticated manner.
Having said that, what you have is not wrong. It's hard for me to point out any flaws in the way you are doing it besides what has been pointed out above.

Instagram long-lived access token expires after 60 days, enable auto-renew token

I have an Instagram feed on my website. I created a developers.facebook.com account and made a long-lived access token.
However, after 60 days I have to log back in and get a new token.
You can renew an access token before it expires.
My question is... can I, or should I, just create a script that renews the long-lived access token server-side every time the page is refreshed?
Seems a bit annoying to do that to Instagram's servers... but what other methods would I have... I don't know how to run a script every 59 days to get a new token.
Any ideas?
Thanks
The renewal can be done only on tokens that are older than a day, so running it before that will make no difference. So, with that in mind, I run the refresh code with every call to the API. If it's already refreshed it will be ignored, so practically it will only get refreshed once a day.
Also, it's worth noting that Instagram limits the number of calls that you can make, so calling the API with every page refresh doesn't sound like a good idea. To avoid running out of quota, I cache the results and only call the API once per hour.
Here's a more detailed explanation of the exact steps that I took. It's been written with WordPress in mind, but for the most part, it doesn't matter much.

How can I add my Instagram feed to my personal website after legacy API is disabled?

I need to add only my personal Instagram posts to my personal website so I can use them as portfolio.
I don't want to do authentication every time a request is made, and I don't want to use the legacy API.
There are some answers here and there; some of them are outdated and some are incomplete (they don't answer this question). I am looking for an answer which summarizes this and which I can go back to when I need it.
Assuming you already created an Instagram app and got a 1-hour token.
First you do something like this:
GET https://graph.instagram.com/access_token
?grant_type=ig_exchange_token
&client_secret={instagram-app-secret}
&access_token={short-lived-access-token}
This will give you a 60-day access token.
Source
Once you have the long-lived token, you can make a GET request to this endpoint: https://graph.instagram.com/me/media
Add the token:
../me/media?access_token={access-token}
You can also add some of these fields:
.../me/media?fields=media_url,thumbnail_url,caption&access_token={access-token}
This should return a JSON document that includes the things you need to build the portfolio.
Keep in mind that the token lasts only 60 days, and you need to refresh it once this time is over:
See this for more information
I've come across the same issue and I've gathered up my findings on a step-by-step guide. Here are the key points:
You need to go and create an App on developers.facebook.com and generate a long-lived token (there is no need for POST requests; the token can be generated with the click of a button).
To fetch the photos, you need to make more than one call to the API. One for fetching the photos' IDs and then, one separate call for each ID to get the actual data (permalink, image URL, caption, etc).
There is a limit to the calls that you can make per hour, which, as I realized, can be easily reached on a site with moderate traffic. So, you have to somehow cache the results (on WordPress, I used a transient for that which seems to work fine).
The token expires after 60 days and you need to refresh it on time for your app to keep working.
To make things easier for future implementations, I also made a small PHP function that takes care of all of the above (except the token generation). It will make the necessary calls, store the response in a transient which expires after an hour, and refresh the token, if it can be refreshed.
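An added example in Node.js (not the answerer's PHP function or any code from the page) tying together the steps from this thread and the previous one: exchanging the 1-hour token, refreshing only once the long-lived token is at least a day old, and caching the feed for an hour so page views do not turn into API calls. The refresh endpoint (`/refresh_access_token` with `grant_type=ig_refresh_token`) is not shown on the page and is an assumption here; `http` is an injected GET helper that returns the parsed JSON body.

```javascript
// Added example, not code from the answers above. `http(url)` is any function
// that GETs the URL and returns the parsed JSON body (synchronous here so the
// decision logic is easy to test offline; wrap your real HTTP client).
const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;
const TOKEN_LIFETIME = 60 * DAY;  // long-lived tokens last 60 days
const CACHE_TTL = HOUR;           // one feed call per hour stays well under the quota
const q = encodeURIComponent;

// Step 1: exchange the 1-hour token for a 60-day token (endpoint from the answer above).
function exchangeToken(http, appSecret, shortToken, now) {
  const url = "https://graph.instagram.com/access_token?grant_type=ig_exchange_token" +
    `&client_secret=${q(appSecret)}&access_token=${q(shortToken)}`;
  return { token: http(url).access_token, issuedAt: now };
}

// Step 2: refresh only once the token is at least a day old (earlier calls are
// ignored by Instagram anyway). An expired token cannot be refreshed and must be
// regenerated. The refresh endpoint is an assumption; the page only links to it.
function maybeRefreshToken(http, state, now) {
  const age = now - state.issuedAt;
  if (age >= TOKEN_LIFETIME) throw new Error("long-lived token expired; generate a new one");
  if (age < DAY) return state;
  const url = "https://graph.instagram.com/refresh_access_token?grant_type=ig_refresh_token" +
    `&access_token=${q(state.token)}`;
  return { token: http(url).access_token, issuedAt: now };
}

// Step 3: fetch the feed with the fields a portfolio needs, caching the response
// for CACHE_TTL (the WordPress transient in the answer above plays this role).
function getFeed(http, state, cache, now) {
  if (cache.fetchedAt !== undefined && now - cache.fetchedAt < CACHE_TTL) return cache.data;
  const url = "https://graph.instagram.com/me/media?fields=id,caption,media_url,thumbnail_url,permalink" +
    `&access_token=${q(state.token)}`;
  cache.data = http(url);
  cache.fetchedAt = now;
  return cache.data;
}

// Per page view: refresh the token if it is due, then serve the (cached) feed.
// `state` is mutated in place so the refreshed token persists between calls.
function handlePageView(http, state, cache, now) {
  Object.assign(state, maybeRefreshToken(http, state, now));
  return getFeed(http, state, cache, now);
}
```

In a real deployment `state` and `cache` live in persistent storage (a database row or a transient), not in process memory.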

JWT - Refreshing tokens, and security improvements

I'm developing a new web app with NodeJS and ReactJS and I'm using JWT for authentication. The client side sends a request to /login using axios.post(), the server checks the data entered by the user and returns an access token with an expiration time of 5 minutes and a refresh token. I use Redux to save tokens at the app level state. On next requests, the client side sends back the token to the server.
My questions are:
1) Is there a way to open multiple tabs and recover the state of the first tab opened and when the user logs out of a tab, he is logged out of all tabs? (Facebook uses this method)
2) Imagine I connect to the website at a friend's place and when I leave I forget to disconnect, is there a way to disconnect from all the devices when I get home? (Facebook uses that too)
3) Is it possible to automatically delete the tokens in the app level state after X seconds / minutes only when tabs are closed and continuously refresh the access token otherwise?
Thank you in advance
No answer to your post after 9 days. Too bad, let me help you out.
To get the closest representation of what you want, I would use a SameSite cookie.
They're always on all tabs and you can also expire them after a period of time.
The cookie will get deleted and you'll be logged out.
In order to work with devices, you can use a blacklist on your refresh tokens; although this is against the principles of JWT, it is still a possibility.
SameSite cookies spread over all tabs
The cookie can be sent with all requests in the header (use strict mode)
Deleting the cookie results in a logout
Blacklisting the refresh token JWT will result in a logout of the user as well.
I would recommend you read about the SameSite cookie (strict). You'll be surprised, because there are not a lot of people who know about it.
If I can be of any help, feel free to contact me through DM.

Occasional OAuth exceptions - user hasn't authorized the app

I am fairly sure my application is handling most things properly as it works 88-92% of the time, but way too often I am getting the following error:
(OAuthException - #200) (#200) The user hasn't authorized the application to perform this action
I don't understand how this is possible. When the user is requested to authorize the app, I do not see any way for them accept a subset of the permissions required (it's all or nothing). If they proceed, and I get an auth token, doesn't that mean my app has the needed access? If not, how are users doing that, and how can I prevent or at least detect it?
In terms of background, my application is a kiosk application that takes the user's photo and allows them to post it (or, more precisely, a link to it) on their Facebook timeline. The kiosk gets the user's authorization, then passes the token and all other data to a central web service that then communicates with Facebook. This has been working 88-92% of the time for the past week. Despite no code changes or application configuration changes, prior to the past week it had been working 93-96% of the time for the couple of weeks prior to that, and about 98% earlier than that.
Is there any way I can provide some details (usernames and auth tokens) to Facebook for more analysis? PLEASE HELP!
