DocuSign RestAPI Guide says "Up to 10 access_tokens are supported per userId."
I have been using demo.docusign.net account to create access tokens. More than 10 access tokens are generated by this account using the same Integrator key and username.
There are some posts related to OAuth access token limit
DocuSign OAuth Token error - “An entry with the same key already exists” when access token limit crosses 10.
I verified lists of tokens generated at Preferences -> connected Apps in my DocuSign web console. They are already been crossed 50 and no maximum limit exception been thrown by DocuSign endpoint.
So What is OAuth2 access token limit? Is it only applicable to Production environment?
The user OAuth token limit has been increased in the DocuSign Demo (Developer) environment to 200. The OAuth token limit in production, though, is still the expected 10. Once you try to create more than 10 tokens in production it will error out.
Related
I am working on a PHP web app that needs to make HTTP requests to the Sharepoint API with Sites.Selected permission to a specific SharePoint site. It is NOT viable for me to provide a user sign-in experience so I need to treat it as a non-user/daemon application.
I've read the docs and looked at many different forums for the solution but as of yet I've been unsuccessfull in obtaining a SPO specific access token, although I think I'm close.
I am using this StackOverflow answer as a guide: https://stackoverflow.com/a/63386756/19038862
This is what I've done:
Registered an Azure App: (Image of my Azure App Overview)
Created a client secret in the App dashboard: (Image of the client secret page)
Successfully sent a request to https://login.microsoftonline.com/{{app_tenant_id}}/oauth2/v2.0/token using the client secret in Postman: (Image of Postman request)
The request made in step 3 returns an access token (I assume a MS Graph access token?), but it DOES NOT return a refresh token, which is what the afforementioned StackOverflow answer suggests you need to "swap" for an SPO specific access token.
How do I obtain this refresh token so that I can swap it for a SPO access token? Or what better way is there to get my hands on a SPO specific access token from a non-user app?
I wrote this gist to guide you into getting Sites.Selected access to the desired site:
https://gist.github.com/ruanswanepoel/14fd1c97972cabf9ca3d6c0d9c5fc542
This guide shows you how to configure this as Application permissions, and via the Graph API.
I've found going through the Graph API is the best way to go.
Also strangely it's not possible to get delegated Sites.Selected permissions. You must set it up as an Application permission.
In the guide is described that you have to get a delegated auth token from graph but you are getting an application auth token. The token response of this flow does not contain a refresh_token. See here.
But you already wrote that you are not able to provide a user sign-in experience. One workaround would be to once manually get the access_token and refresh_token of a user with the delegated flow and then periodically get a new access_token with the refresh_token on your server. You could store these values in your database and update them when you fetch a new one.
First, the daemon-based client credential flow does not return a refresh token for you. You also can't redeem the refresh token of the graph API for an access token for SPO, which are two completely different API resources.
To get an access token for SPO you just need to set scope to: https://{tenant-name}.sharepoint.com/.default.
Background
We have a feature that syncs calendar entries and contacts between our application and Office365, using the Office365 REST apis outlined here. We are using Version 1 of the API. For authorization we are performing authorization via Azure AD as outline here.
Problem
In the normal case (when using Office365 accounts purchased directly from Microsoft), our system works as expected: we are able to refresh the user's tokens when they expire and are returned a new access and refresh token in exchange.
In the second case, when testing with Office365 accounts purchased via GoDaddy, we encounter a blocking issue that can be outlined in this series of steps:
1. User is sent from our app -> Office365 Login page.
2. User enters email address
3. User is redirected to GoDaddy Office365 login page.
4. User completes authorization, and is redirected back to our app with an access code in the response.
5. App exchanges access code for an access_token and refresh_token from Office365.
6. Some time goes by, and access_token expires
7. App refreshes the user's access_token using the refresh_token
Expected Behaviour
At this point we are expecting to receive a new access_token as well as a new refresh_token, as we do when using a regular Office365 account
Actual Behaviour
Only for accounts purchased via GoDaddy, we do not receive a new refresh token in the response after refreshing for the first time.
Obviously when intending to have a long-running sync, this is a breaking case as the user will no longer be able to have their tokens refreshed beyond this point.
Postman traces (can save as .json and import to Postman for debugging
https://gist.github.com/drunkel/7ec66ed33f66d0070148694651699d03 (IDs and secrets have been removed)
Question:
Is this a known issue?
Is there a workaround?
I am a Software Engineer at GoDaddy and can confirm that this issue has been resolved. The reason for more frequent login requests under Modern Authentication is that as these are federated users and as you mentioned in your question, the refresh token was not being returned. This was caused by the StsRefreshTokensValidFrom attribute on the AAD user not being updated properly.
Every provider can decide how to implement its own oAuth server with certain policies on how to act with certain grant type and policies about granting/revoking refresh tokens/id tokens/access token and their lifetime properties.
This is a known issue with go daddy when purchasing office 365 accounts. see here and also here and here.
So it seems like GoDaddy decided to implement their OAuth server with a restricted security policy about refresh tokens by not enabling and not sending back a refresh token to the API calling the OAuth authentication and authorization when you purchase office 365 accounts through GoDaddy.
This is security enhancement/block to disable your application not to hold a lifetime refresh token that can be lived forever (if refreshed) to these office 365 accounts purchased on Godaddy
Usually, OAuth servers implemented with integration with Azure Active directory have the following token lifetime (but you can change and decide to override configure them differently 3rd party implement their own server with their own policies about tokens)
Another important featurw which Go Daddy does not support multi-factor authentication(mfa) for office 365 accounts found here.
Azure lifetime policies:
Azure Active Directory Configurable token lifetime properties
Another important issue is that if you want to be able to continue to refresh the token while the user is offline you must ask the user for access_type="offline", so during a time of inactivity from the user, you can continue to refresh the token and to hold long lifetime token for the account.
If the user decides to revoke the token for any reason - the token immediately expires.
Another issue in the steps you described is:
User is sent from our app -> Office365 Login page.
User enters email address
The user is redirected to GoDaddy Office365 login page.
so now the refresh token for office 365 flow from server to the hands of Godday servers.
User completes authorization and is redirected back to our app with an access code in the response. (but without the refresh token obtained the in the last server to server step. Godaddy to keep security on behalf of 365 accounts keeps it to itself and not returning it to the end user.
The app exchanges access code for an access_token and refresh_token from Office365. 6. Some time goes by, and access_token expires 7. App refreshes the user's access_token using the refresh_token
I am using passport-facebook to obtain an access token. According to here
https://developers.facebook.com/docs/marketing-apis#access-token
under "Get Access Token", I should be getting a 60 day long-lived token. This is the case if the scope is only ads_read. However, when I add additional scopes of manage_pages and read_insights, there is no expiration when I check via the Graph API.
This seems to be a bit contradictory to me. My theory is based on the getting an API key with ads_read permission manually from the below tool.
https://developers.facebook.com/apps//marketing-api/tools/
Using this tool and debugging it via the Graph API, I see one difference in that it the manually generated access token has the "Page" row under it, indicating that it is a page access token (to my own pages). Since it is a PAT, it will never expire, as expected.
My passport-facebook generated access token has the ads_read, manage_pages, read_insights permission as well and the expiration says "Never Expires". However, it does not have the Page row on it. Does that mean I can still use it forever to query the ads insights API?
This is my attempt at obtaining a non-expiring Marketing API access token.
Yes, if the expiration row says Never expires, you can continue to use the token for querying ads insights.
On a side note, is you generate system user access tokens, they also never expire. You can read more about it here - https://developers.facebook.com/docs/marketing-api/businessmanager/systemuser/v2.8
I am posting this here, as Docusign has requested all docusign api questions be placed on StackOverflow:
REFERENCE
I have been working on a Docusign application that uses their OAuth flow. In order to test this, I have been using my free account (www.docusign.com) to get access tokens from the application I created on my developer account (demo.docusign.net).
The integrator key I am using is live.
In the process of my testing, I have obtained an access token 10 times using the free account. I did not keep track of those tokens as it states that they can be revoked in the web console. Docusign Reference
However, there is no such section in the www.docusign.com account. All it shows is 5 other accounts that I can connect to.
I now have lost all 10 of those tokens, and the response from the service tells me that I reached the maximum number of access tokens.
Now here's the interesting part, if I use my developer account credentials to authenticate to my application, I can see the access tokens that are active, with the option to revoke.
I know that there is a revoke token endpoint, but you need to know the token in order to use it.
How can I revoke these 10 tokens as I no longer know what they are (due to testing), and there is no interface to revoke them on www.docusign.com? Essentially, this account is now locked out of my application.
I cannot add screenshots to this post as I do not have high enough reputation
I have using docusign node module for using embedded signing flow. Things have been working fine but suddenly we have started seeing errors such as access token limit exceeded.
Here is the error
Description: Maximum number of access tokens exceeded.
at /Users/amitagwl/Projects/Personal/support.birdeye.com/node_modules/docusign-node/components/auth.js:105:17
Questions:
In quick look up I found that production accounts have 10 as token limit. Why is that ? If I have exceeded the limit, does it mean I can't use my account any more ?
Can I reuse existing token ? How do I see my previously created token ?
Each application is allowed 10 tokens per authenticated user. In other words your app can connect to a user's account only 10 times. The tokens can (and should) be reused. Typical apps will require only one token for each user - or one token for each account of Send-On-Behalf-Of is used.
In general you should authenticate once, get the token, store that token, and use it for future access to that user's account. The user may revoke that token at any time so your app should prompt for authentication if necessary.
I got the answer. Tokens can be revoked under "connected apps". (Classic experience only).