I am using JWT authentication in Android. I am able to get the access token and expiry time, and using interceptors I am sending it in the headers. Here everything works fine, but when the token expires I am not able to handle the case.
I am using a singleton Retrofit class and I have the refresh token API, but I don't know how to call the refresh token API when the token expires.
I have 2 suggestions:
I have to call the refresh token API before the access token expires, or else whenever the 401 error occurs it should automatically call the refresh token API.
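One way to handle both options from the question with OkHttp, as an added example that is not from the original post: an Interceptor refreshes shortly before the stored expiry time, and an Authenticator refreshes on 401 and retries the request once. TokenStore, RefreshApi and the 30 s margin are assumptions standing in for your own persistence and refresh endpoint.

```java
import java.io.IOException;
import okhttp3.Authenticator;
import okhttp3.Interceptor;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.Route;
// Hypothetical persistence and refresh call; wire them to your singleton Retrofit/OkHttp setup.
interface TokenStore {
    String accessToken(); String refreshToken(); long expiresAtMillis();
    void save(String access, String refresh, long expiresAtMillis); void clear();
}
interface RefreshApi { String[] refresh(String refreshToken) throws IOException; } // {access, refresh, expiresInSeconds}, null if rejected

/** Attaches the bearer token, refreshes it shortly before expiry, and retries once on 401. */
public final class TokenRefresher implements Interceptor, Authenticator {
    private static final String BEARER = "Bearer ";
    private final TokenStore store; private final RefreshApi api;
    public TokenRefresher(TokenStore store, RefreshApi api) { this.store = store; this.api = api; }
    // Interceptor path: refresh proactively when under 30 s of lifetime remain (assumed margin).
    @Override public Response intercept(Chain chain) throws IOException {
        String token = store.accessToken();
        if (token != null && store.expiresAtMillis() - System.currentTimeMillis() < 30_000) token = refreshIfStale(token);
        Request req = chain.request();
        if (token != null) req = req.newBuilder().header("Authorization", BEARER + token).build();
        return chain.proceed(req);
    }
    // Authenticator path: OkHttp calls this on 401; returning null stops the retry loop.
    @Override public Request authenticate(Route route, Response response) throws IOException {
        if (alreadyRetried(response)) return null;             // the retried request got 401 too: give up
        String sent = response.request().header("Authorization");
        if (sent == null || !sent.startsWith(BEARER)) return null;
        String fresh = refreshIfStale(sent.substring(BEARER.length()));
        if (fresh == null) return null;                        // refresh rejected: let the 401 reach the caller
        return response.request().newBuilder().header("Authorization", BEARER + fresh).build();
    }
    // Single-flight refresh: concurrent 401s for the same stale token cause only one refresh call.
    private synchronized String refreshIfStale(String staleToken) throws IOException {
        String current = store.accessToken();
        if (current != null && !current.equals(staleToken)) return current;  // another thread already refreshed
        String[] t = api.refresh(store.refreshToken());
        if (t == null) { store.clear(); return null; }         // refresh token expired or revoked: drop both tokens
        store.save(t[0], t[1], System.currentTimeMillis() + 1000L * Long.parseLong(t[2]));
        return t[0];
    }

    private static boolean alreadyRetried(Response r) {
        for (Response p = r.priorResponse(); p != null; p = p.priorResponse()) if (p.code() == 401) return true;
        return false;
    }
}
```

Register the same instance with `new OkHttpClient.Builder().addInterceptor(r).authenticator(r)` on the client you pass to the Retrofit builder.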
Based on the diagram you can see above (OAuth authorization flow). Reference: https://youtu.be/oKzeHshquCs?t=1949
1. Using user credentials (username, password), we are attempting to get an authorization code (login).
2. Authorization code received.
3. Using the received authorization code we are now requesting an access token.
4. When the access token is given, this access token will now be used to access the resource server (as a Bearer token).
I would like to ask how to implement this using an API, using the latest implementation of OAuth2, with custom REST APIs on the Authorization Server.
Scenario: using two APIs ('/auth/code' then '/auth/token')
1. Using user credentials (username, password) the user will request on API '/auth/code', with authorization_code as the response.
2. Using the received authorization code (from #1), we will request an access token on '/auth/token'. The access token will be used as a bearer token on the authorization server.
Or if we can do these two steps (#1 and #2 above) in one API process (auth/token) that would also be great.
Do you have any working project in regard to this?
I have explored the code of Baeldung, but based on this implementation, it is still using the default implementation of Spring Security. It would be my great pleasure if there are senpais out there who can help me with this. Thanks :)
There's no such API to get an authorization code by directly passing the user credentials. Usually, there would be an API (/as/authorization) which redirects the user to the login page. Once the user enters his credentials, he will be redirected to the target application with the authorization code in code as the query parameter of the URL. (You need to configure your app's URL as a redirect URL or callback URL in the identity provider.)
This code is usually short-lived and can't be used more than once, i.e. you can use this code only once to get an access token. When you exchange the code for an access token, you should also be seeing a refresh_token (if you granted access to the refresh_token grant_type in the IdP), with which you can request tokens in the future.
You need to configure all these things in an Identity Provider. This could be PingIdentity, Auth0, etc.
Make a call to the /as/authorization API.
Once the user enters his credentials and is redirected to the target application, extract the code from the query parameter and make a call to the token API (oauth/token) to get access_token and refresh_token.
Once the access_token has expired, use the refresh_token to get a new access_token (grant_type should be refresh_token).
Once the refresh_token has expired, you need to get the authorization_code again with the /as/authorization API.
I'm working with the Google Calendar API Java on the server side.
I have a token & refresh token from the client side and store them in a database.
So how can I instantiate new OAuth 2.0 Credentials using these stored tokens for calling the Google Calendar Java API?
Thanks in advance.
It's stated in Detecting an expired access token that once a token is detected to be no longer valid (i.e. expired or revoked), you must remove the access token from your storage.
Likewise, it is also stated in The OAuth 2.0 Authorization Framework under Refreshing an Access Token that:
The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.
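The refresh step from the earlier answer (use the refresh_token once the access_token expires; go back to the authorization API once the refresh_token expires) together with the rotation rule quoted here, as an added Java 11 example that is not from the original posts. The token endpoint and client credentials are placeholders, the field names access_token, refresh_token and expires_in follow RFC 6749, and where the tokens are persisted is an assumption.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Refreshes an access token and applies the RFC 6749 section 6 rotation rule to the stored tokens. */
public final class RefreshFlow {
    private final HttpClient http = HttpClient.newHttpClient();
    private final URI tokenEndpoint;            // assumption: the IdP's token API, e.g. .../oauth/token
    private final String clientId, clientSecret;
    private String accessToken, refreshToken;   // persist these wherever your app keeps tokens (assumption)
    private long expiresAtMillis;
    public RefreshFlow(URI tokenEndpoint, String clientId, String clientSecret, String refreshToken) {
        this.tokenEndpoint = tokenEndpoint; this.clientId = clientId;
        this.clientSecret = clientSecret; this.refreshToken = refreshToken;
    }
    /** Returns a usable access token, refreshing if expired; null means the user must authorize again. */
    public String accessToken() throws IOException, InterruptedException {
        if (accessToken != null && System.currentTimeMillis() < expiresAtMillis) return accessToken;
        if (refreshToken == null) return null;  // nothing to refresh with: back to the authorization API
        String body = "grant_type=refresh_token&refresh_token=" + enc(refreshToken)
                    + "&client_id=" + enc(clientId) + "&client_secret=" + enc(clientSecret);
        HttpRequest req = HttpRequest.newBuilder(tokenEndpoint)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        return applyTokenResponse(resp.statusCode(), resp.body()) ? accessToken : null;
    }
    /** Applies a token-endpoint response to the stored tokens; false means both tokens were discarded. */
    boolean applyTokenResponse(int status, String json) {
        String newAccess = status == 200 ? field(json, "access_token") : null;
        // e.g. 400 invalid_grant: the refresh token expired or was revoked, so remove both tokens from storage
        if (newAccess == null) { accessToken = null; refreshToken = null; expiresAtMillis = 0; return false; }
        accessToken = newAccess;
        String ttl = field(json, "expires_in"); // seconds; assume 60 s if the server omits it
        expiresAtMillis = System.currentTimeMillis() + 1000L * (ttl == null ? 60 : Long.parseLong(ttl));
        String rotated = field(json, "refresh_token");
        if (rotated != null) refreshToken = rotated;  // rotated: discard the old one and keep only the new
        return true;
    }
    // Minimal extraction of a top-level string or number field; use a real JSON parser in production.
    private static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"?([^\",}\\s]+)").matcher(json);
        return m.find() ? m.group(1) : null;
    }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
}
```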
I am using this URL
https://login.salesforce.com/services/oauth2/token?grant_type=password&client_id=""&client_secret=""&username=""&password=""
to get an access token. Can I use that access token in the SDK so that there will be no need to log in? I want to develop an application in which I want to use my Salesforce credentials.
Yes, you can make use of the access token to log in to the application, but the access token that you have obtained is a short-lived one, and you have to make use of the refresh token to get a new access token once your previous one becomes invalid.
Reference:
https://help.salesforce.com/apex/HTViewHelpDoc?id=remoteaccess_oauth_refresh_token_flow.htm&language=en
When connecting to Google services from a desktop app, the user is required to enter the access code provided to him to generate an accessToken.
I can't quite understand how to properly save it and restore it into a GoogleCredential so the user wouldn't have to authorize my app on every launch.
Can somebody provide me with a code snippet of this process or a more detailed instruction than the one Google provides?
First you have to register your project in the Google Developer Console. From the console you will get some credentials like client id and client secret.
Now when you want to authorize your application you need to get an access token. But before that you have to get an "authorization token". For this you need to use a URL like this:
https://accounts.google.com/o/oauth2/auth?
redirect_uri=yourredirectpage&
response_type=code&
client_id=1070885696038-32m83k9ties5m7qsi4g6v8dfo28f2r9g.apps.googleusercontent.com&
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar&
approval_prompt=force&access_type=offline
The response of this request contains the authorization token. Now you can exchange the authorization token for the access token with another request:
https://accounts.google.com/o/oauth2/token?
code=4/oIdtdqPBW67CTSpijkm_fbwCqMjF_WJPiSmvsq8zScA.Ilw2ePhp3fQeoiIBeO6P2m_Usz4vlgI&
client_id=1070885696038-32m83k9ties5m7qsi4g6v8dfo28f2r9g.apps.googleusercontent.com&
client_secret={your_client_secret}&
redirect_uri=yourredirectpage&
grant_type=authorization_code
Where "code" is the authorization token.
For more details check this: Google API OAuth
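The two requests in the answer above, as an added Java 11 example that is not from the original post: it builds the authorization URL with a one-time state value that the callback must echo back, and sends the code exchange as a POST with the client secret in the body rather than in the URL. The client id, client secret and redirect URI are placeholders for the values from the Developer Console.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Builds the authorization URL and the code-exchange request for Google's OAuth 2.0 endpoints. */
public final class AuthCodeFlow {
    private static final String AUTH_URL = "https://accounts.google.com/o/oauth2/auth";
    private static final String TOKEN_URL = "https://accounts.google.com/o/oauth2/token";
    private final String clientId, clientSecret, redirectUri;   // placeholders: your Developer Console values
    private final Set<String> pendingStates = ConcurrentHashMap.newKeySet(); // one-time state values handed out
    private final SecureRandom random = new SecureRandom();
    public AuthCodeFlow(String clientId, String clientSecret, String redirectUri) {
        this.clientId = clientId; this.clientSecret = clientSecret; this.redirectUri = redirectUri;
    }

    /** Step 1: the URL the user opens. access_type=offline asks for a refresh token; state ties the callback to this app. */
    public String authorizationUrl() {
        byte[] raw = new byte[24]; random.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pendingStates.add(state);
        return AUTH_URL + "?" + form("redirect_uri", redirectUri, "response_type", "code", "client_id", clientId,
            "scope", "https://www.googleapis.com/auth/calendar", "approval_prompt", "force",
            "access_type", "offline", "state", state);
    }

    /** Step 2: on the redirect back, accept the code only for a state this app issued (consumed once), then build the exchange. */
    public HttpRequest exchangeRequest(String code, String state) {
        if (state == null || !pendingStates.remove(state)) throw new IllegalStateException("unknown or reused state");
        // client_secret travels in the POST body, so it never lands in a URL, browser history or access log
        String body = form("code", code, "client_id", clientId, "client_secret", clientSecret,
            "redirect_uri", redirectUri, "grant_type", "authorization_code");
        return HttpRequest.newBuilder(URI.create(TOKEN_URL))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body)).build();
    }

    // Percent-encodes alternating key/value arguments into application/x-www-form-urlencoded form.
    private static String form(String... kv) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < kv.length; i += 2) {
            sb.append(i == 0 ? "" : "&").append(kv[i]).append('=')
              .append(URLEncoder.encode(kv[i + 1], StandardCharsets.UTF_8));
        }
        return sb.toString();
    }
}
```

Send the returned request with `HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString())`; the JSON reply carries access_token and, because of access_type=offline, refresh_token.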
I'm trying to get OAuth working for accessing QuickBooks Online. I have a QuickBooks login/connect button embedded on a page that triggers the whole OAuth process. When it's clicked, a window pops up that is directed towards my app's getRequestToken endpoint. The handler (servlet) issues a request to the QuickBooks OAuth request token API, and it gets back:
Request Token
Request Token Secret
Authorization URL
So I have the response send a redirect to the Authorization URL. The pop-up window now displays a QuickBooks login, after which there is a request to authorize my app with the user's account. Once that's done, the pop-up window is redirected to my app's getAccessToken endpoint (the callback URL that I included when calling the request token API).
From there, I obviously have to send a request to the QuickBooks OAuth access token API to get an access token and access secret, but apparently I need to supply:
Request Token
Request Token Secret
oauth_verifier
The oauth_verifier is provided as a parameter in the callback to my getAccessToken endpoint, as well as an oauth_token, but I don't understand how to get hold of the request token and request token secret from here. Am I supposed to have my getRequestToken endpoint store them somewhere once they're retrieved?
I'd prefer not to, but is this the only way to do it?
Am I supposed to have my getRequestToken endpoint store them somewhere once they're retrieved?
Yes. :-)
Does that answer the question? Yes, you need to temporarily store the request token somewhere while you wait for the user to arrive back on your site.
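The temporary storage the answer says is needed, as an added example that is not from the original posts: a server-side map keyed by the request token, so the getAccessToken callback can look up the request token secret by the oauth_token it receives and hand all three values to the access-token call. The 10-minute lifetime and the class and method names are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/** Server-side holder for OAuth 1.0a request tokens between the getRequestToken and getAccessToken endpoints. */
public final class RequestTokenStore {
    private static final long TTL_MILLIS = 10 * 60 * 1000L;   // assumption: the user must finish within 10 minutes
    private static final class Pending {
        final String tokenSecret; final long issuedAtMillis;
        Pending(String s, long t) { tokenSecret = s; issuedAtMillis = t; }
    }
    // Keyed by the request token, which QuickBooks echoes back as oauth_token in the callback.
    private final ConcurrentMap<String, Pending> pending = new ConcurrentHashMap<>();

    /** getRequestToken endpoint: call this right after the request-token API replies, before redirecting. */
    public void remember(String requestToken, String requestTokenSecret) {
        pending.put(requestToken, new Pending(requestTokenSecret, System.currentTimeMillis()));
    }

    /** getAccessToken endpoint: returns {requestToken, requestTokenSecret, oauthVerifier} for the access-token
     *  call, or null if the callback's oauth_token is unknown, already used, or too old. The entry is consumed,
     *  so a replayed callback cannot complete the flow a second time. */
    public String[] consume(String oauthTokenFromCallback, String oauthVerifier) {
        if (oauthTokenFromCallback == null || oauthVerifier == null) return null;
        Pending p = pending.remove(oauthTokenFromCallback);
        if (p == null || System.currentTimeMillis() - p.issuedAtMillis > TTL_MILLIS) return null;
        return new String[] { oauthTokenFromCallback, p.tokenSecret, oauthVerifier };
    }

    /** Housekeeping: drop entries whose user never came back; returns how many were removed. */
    public int expireStale() {
        long cutoff = System.currentTimeMillis() - TTL_MILLIS;
        int before = pending.size();
        pending.entrySet().removeIf(e -> e.getValue().issuedAtMillis < cutoff);
        return before - pending.size();
    }
}
```

With a single app server this can be a field shared by the two servlets; behind a load balancer, keep the same entry in the HttpSession or a shared cache instead.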