I’m in the early stages of learning front end development. I have an idea for a project that will interstate the Spotify api but the Spotify access tokens only last for one hour. I wanted to know is there a way I can circumvent this and avoid having to update the token every time I want to use the api. I am aware of the authorization flow but I’m having trouble understanding how to follow it in order to get a refresh token.
I only need to make 2 GET request for getting a track ID then to get the song from that ID
As stated in the official API documentation, an access token lasts one hour but can be refreshed using a refresh token. By using a refresh token you can get a new access token that will be valid for another hour.
Docs: Spotify guides: token swap and refresh
Related
I've been using the Google API to update one of my Chrome plugins on a weekly basis. This has now happened 3 or 4 times now: The refresh token I acquire will work properly for up to two weeks (only being used once per week), then the third week, returning an error saying that my token has been expired or revoked.
Given that I'm the only user with access to these tokens, I know that there isn't any spamming, and I know that nobody would be authorized to revoke the tokens on my end.
Please advise. Thanks!
There are serval reasons why an access token can expire.
the user revoked your access.
depending upon which scope you are using if the user changes their password it can revoke all out standing refresh tokens (mostly gmail I think)
If your application is still in testing phase refresh tokens only last for two weeks you will need to move your application to production and go though the verification process. (this appears to have been a stealth change i can find no information on it)
you can have a max of 50 outstanding refresh tokens for a users account, if the user is logging in multiple times and you get a new refresh token each time make sure you are always using the newest.
Your application should always be set to request access of the user again in the event that the refresh token has expired.
I have recently worked with Google Ads API and Shopping Content API and experienced detailed behaviour of API authentication mechanics.
What i can tell for sure regarding authentication is the the following:
An Access-Token always have a life time of 60min. and then expires
An refresh-Token makes it easier to obtain a new Access-Token, since
no additional verification is needed
The lifetime of a Refresh-Token varies
it can be a 6 month or more (when the related application publishing status is released)
or just 1 week (when the related application publishing status is testing)
You can find detailed information regarding Token Expiration on the Google API Documentation https://developers.google.com/identity/protocols/oauth2#expiration
Also information regarding publishing status of your API application Token has expired or revoked - Google Ads
My current application access one of the Google APIs using "3-legs" OAuth 2.0. User authorizes the app on Google consent screen, then the app requests API on behalf of the user and shows him some fancy data loaded from API. Everyday my application loads and transforms data from this API, so when the user comes next time, he sees the most relevant and actual data.
Everything works fine on the start, but as time goes, I faced two problems:
1. Query limits.
2. Token lifetime.
My question is dedicated to the second one, that I refer as "token lifetime". After some amount of time, the access token expires, and when user comes back to the app, our app obliged to send him to consent screen again. Moreover, all the time while access token has been in expired state, my app cannot load relevant data for user.
How can I solve this problem? How to continue lifetime of access/refresh tokens? Would Service account help? Would Service account work for Google Search Console API for every user, or should the user be a G Suite user inside my domain or what?
These questions are completely unclear from the official documentation here and from the Search Console API documentation.
If you have past experience with Google's APIs, please help me!
Thank you
When you use OAuth with user-consent, you do not need to prompt the user for consent repeatedly.
[a] If your usecase is entirely online and you want to be able to request a token each time the user visits your app, use the Google Sign In library or see this documentation for client-side apps.
[b] If your usecase is that you want to be able to obtain access tokens even when the user is not present, then you need to request an authorization code and store your refresh token. Your refresh tokens are longer-lived tokens and can be exchanged periodically for access tokens.
We are using the following method to generate a token to be used to make calls to the Yammer data export and REST apis. https://developer.yammer.com/introduction/
The token looks to be working for the most part, but it will expire ever 2 weeks for some Yammer instances. However, according to the documentation, I thought that the tokens generated in this way are not supposed to expire.
Are there any specific reason why tokens would be expiring every 2 weeks? I know that the user is not being deleted or deactivated.
Thanks!
The access tokens are long lived and I have being using mine for about 4 months now. You want to double check to ensure that the user did not revoke the app's access from the "My Applications" page.
Background
I'm working on an app that will run on a device which does not contain a browser, but I want to get the users google tasks through the google api.
Because of the lack of browser, they can't authenticate on the device, so I have it set up in such a way that they visit a website and authenticate there, then the device makes http requests to the website to get the data it needs.
Problem
Once I got everything working this system works out OK, the problem is it only works for a day or so before the user has to visit the website again to refresh their access token.
It would be great if the user could be authenticated for very long periods of time, or even forever (not sure if that's possible or secure). Can I get some suggestions on what people think is the best way to accomplish this kind of long term athentication?
Refresh tokens?
I've heard there is a way to store the user's refresh token in a database and somehow use that to refresh their access token. If this sounds like a good way, can anyone point me in the direction of an example to get this to work?
I've been using the google api client library for ruby
Thanks a lot!
You're on the right track with the refresh tokens. I can't help too much with the Ruby API, and honestly I just did this calling the REST api directly, but this doc should help you understand the actual calls you need to make.
https://developers.google.com/accounts/docs/OAuth2WebServer#offline
Note that for a lot of their examples you need to remove the newlines for them to work.
Basically like you said, you need to send the user to https://accounts.google.com/o/oauth2/auth with the access-type=offline parameter for them to give consent. This comes back with an authorization code, which you send to /o/oauth2/token. This comes back with an access token and a refresh token. You can use the access token immediately, and you store the refresh token, which never expires. When the access token expires you send the refresh token to /o/oauth2/token (note that the grant_type changes to refresh_token) to get a new access token.
Is there a way to change the validity period of a refresh token within Windows Azure Access Control Service. Based on the following article, refresh tokens last a year but I cannot find a way to change that, either on the portal or via the management service. I am aware of the token time out when crating a relying party application but this, as I understand it, refers to the time out of the access token not the refresh token.
Any help would be greatly appreciated.
Many Thanks,
User1426145
With OAuth 2.0, the refresh token has expiration time sent along with it and as you described in case of above the limit is about ONE year. You can not change the refresh token validity period once it is issued so you have two option to maintain it alive. Trying to keep track of its validity or when you hit INVALID_TOKEN error, you can to call the same refresh token service to receive a brand new refresh token again.