OAuth 2.0 - When should an access token be renewed with refresh token? - node.js

I'm currently using OAuth 2.0 to access the Google API. From my understanding, I should use the returned refresh token to renew the access token. Should this be refreshed before it expires or should it be when the user requests data from the api using an access token that has expired?
If it should be done before it expires, should I just be running a cron job to update out of date tokens?
I'm using node.js and mongodb, if that has any bearing on the recommended solution.
Thanks a lot!

It should be seamless.
When the user requests data from the API using an access token that has expired, this should trigger your framework to fail, renew, then retry.
No need for any cron jobs or stuff like that in the apps I've created.

Related

Azure AD refresh token expire

I have a multitenant web API project with Microsoft Azure integration. I connect to Microsoft, get an access token and a refresh token, and each time before access token expiration, I call the API
POST https://login.microsoftonline.com/tenant/oauth2/v2.0/token
data in request is:
grant_type=refresh_token
refresh_token=xxxxxxxxxxx
client_id=xxxxxxxxxx
I get a new access token and refresh token, and after an hour I get a new access token with the same API and the last received refresh token. But after 24 hours somehow my refresh token expires, and I need to reconnect and enter my credentials again.
How can I make my refresh token not expire until I revoke it manually? I need to somehow update the refresh token timeout in the background and keep my integration always connected until I revoke it manually.
I need to somehow organize this to stay connected always until manual revocation. Any solution?
There is a 24 hour limit to refresh tokens under certain conditions:
Refresh tokens sent to a redirect URI registered as spa expire after
24 hours. Additional refresh tokens acquired using the initial refresh
token carry over that expiration time, so apps must be prepared to
rerun the authorization code flow using an interactive authentication
to get a new refresh token every 24 hours. Users don't have to enter
their credentials and usually don't even see any related user
experience, just a reload of your application. The browser must visit
the log-in page in a top-level frame to show the login session. This
is due to privacy features in browsers that block third party cookies.
See: https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens

How long is the refresh token valid?

On my localhost, I have authenticated my user and gotten a Refresh Token and Access Token using Passportjs.
I am using Google's Official Node.js library to get the Google Analytics data and it all seems to work fine.
On this GitHub issue, Justin clearly mentions that the expiry is set by Google's APIs.
How long is the refresh_token valid and at what time do I have to authorize myself again?
This is more of an OAuth2 question than a Google Analytics question.
Access tokens on google servers are good for one hour.
The refresh token does not expire and you can use it as many times as you want to request a new access token.
You should still handle invalid refresh tokens in your code. The user can revoke your access via their Google account. You can have max 50 outstanding refresh tokens before the first one starts working. If I authenticate your application you will be given a refresh token; if I do it again you get another refresh token; there can be max 50 of them outstanding.
If the refresh token does become invalid you should just request authentication from your user again. The library you are using should be handling refreshing the access token for you.

Google Developers Console - Public API Access : Key Active Until Date?

I set up a new key for Public API access for a server application under the APIs & auth > Credentials screen on the Google Developers Console.
Doing a YouTube data api request just stopped working and as a last ditch effort I regenerated the key. Now I'm seeing that the status row now states that it will be active until 1 day in the future. Why? I want this key to be active forever.
Is this Google's way of forcing me to use oAuth on a server app?
When using OAuth 2.0 you'll go through the OAuth flow and end up with an Access token and a Refresh token.
The Access token is short-lived and will expire relatively quickly. The Refresh token is long-lived and might expire in a year, or maybe never.
You can Refresh your Access token and use the new token that you receive:
Check here for documentation

How to get a new Google oauth access token from refresh token in passportjs

There seems to be some conflicting advice on how to get an access token from a refresh token:
This SO answer says passportjs doesn't get involved with refreshing the access token and it should be done via cron job:
Refresh token in Passport.js
This SO answer says "No need for any cron jobs...when the user requests data from the API using an access token that has expired, this should trigger your framework to fail, renew, then retry."
OAuth 2.0 - When should an access token be renewed with refresh token?
What's the simplest way to ensure we're always giving Google a valid access token? Right now, we're just storing the refresh token in the database and never using it, which forces users through the "allow / deny permissions" flow every time their access token expires.
There are a few approaches. One is to just detect when the access token fails (with 401 I believe) and then refresh it and re-use it. However, most of the APIs that yield access tokens also tell you their expiry time, so you can just remember that and, when you’re about to use, if it’s less than say 10 min before expiry time, refresh then. If all else fails you could use the tokeninfo endpoint when you get a new access token, to find out its lifetime.
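
The two approaches from the answers on this page (fail, renew, retry on a 401; refresh when the stored expiry is less than 10 minutes away) combined with the invalid-refresh-token case, as an added example that is not part of the original posts or of any library mentioned here. TokenManager, ReauthRequired, refreshFn and requestFn are hypothetical names; refreshFn stands in for the call to the provider's token endpoint and is assumed to reject with err.code set to the OAuth error code.

```javascript
// Added example. TokenManager, ReauthRequired, refreshFn and requestFn are hypothetical names.
class ReauthRequired extends Error {}

class TokenManager {
  // refreshFn(refreshToken) resolves to { access_token, expires_in, refresh_token? }
  // and is assumed to reject with err.code set to the OAuth error code.
  constructor({ accessToken, expiresAt, refreshToken, refreshFn,
                skewMs = 10 * 60 * 1000, now = Date.now }) {
    Object.assign(this, { accessToken, expiresAt, refreshToken, refreshFn, skewMs, now });
    this.inflight = null;
  }

  // Single-flight: concurrent callers share one refresh, so a refresh token
  // that the server rotates is never submitted twice.
  refresh() {
    if (!this.inflight) {
      this.inflight = Promise.resolve()
        .then(() => this.refreshFn(this.refreshToken))
        .then((t) => {
          this.accessToken = t.access_token;
          this.expiresAt = this.now() + t.expires_in * 1000;
          if (t.refresh_token) this.refreshToken = t.refresh_token; // keep the newest one
        })
        .catch((err) => {
          // Revoked or expired refresh token: retrying cannot help, the user must authorize again.
          if (err.code === 'invalid_grant') throw new ReauthRequired('authorization required');
          throw err;
        })
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  // Proactive path: refresh when the token is within skewMs of its recorded expiry.
  async getToken() {
    if (this.now() >= this.expiresAt - this.skewMs) await this.refresh();
    return this.accessToken;
  }

  // Reactive path: requestFn(accessToken) resolves to { status, ... }.
  async call(requestFn) {
    let res = await requestFn(await this.getToken());
    if (res.status === 401) { // rejected despite the local expiry estimate
      await this.refresh();
      res = await requestFn(this.accessToken); // retry once, never loop
    }
    return res;
  }
}
```

Persist the updated accessToken, expiresAt and refreshToken after each refresh so the stored refresh token is actually used across sessions.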

Store the oauth access_token or ask a new one each 'session'

I'm playing around with the api of a service that supports oauth. I managed to retrieve the access_token from the service and I'm now able to call the various endpoints of the api. So far so good.
Now my question is: How long do I hold on to this access_token I received? Is this a token I keep forever, or does this expire after some time? I'm working on a desktop app, so I have two options:
I request a new token every time the application is opened
I store the token somewhere and re-use it
What are the best practices around the storage of this token?
Usually the Access Token is stored across sessions. There is an expiration (with OAuth 2.0), but the Refresh Token is then used to retrieve a new Access Token. If you don't store the tokens, then you would need to have the end user re-authorize every time they want to use your application (which is probably not the experience you are looking for).
