Google API access token meaning - google-api

Somebody has created a system which use Google API. It happens that I have been using this system for several months to upload files to G Drive and it worked very well.
However today I realized in the following string that there was an expiry date (not updated until today) which prevent from uploading files. My understanding is that a token is generated every time my code is requesting API access, but this shows the same access_token and refresh token with expiry date. I tried to read official doc without clear understanding. Can you explain simply what I should think about it and hint at how I should re generate the needed token please.
{"access_token": "xxx", "client_id": "yyy", "client_secret": "nnn", "refresh_token": "bbb", "token_expiry": "2021-02-24T05:33:24Z", "token_uri": "https://accounts.google.com/o/oauth2/token", "user_agent": null, "revoke_uri": "https://oauth2.googleapis.com/revoke", "id_token": null, "id_token_jwt": null, "token_response": {"access_token": "xxx", "expires_in": 3599, "scope": "https://www.googleapis.com/auth/drive", "token_type": "Bearer"}, "scopes": ["https://www.googleapis.com/auth/drive"], "token_info_uri": "https://oauth2.googleapis.com/tokeninfo", "invalid": true, "_class": "OAuth2Credentials", "_module": "oauth2client.client"}

How much i understood it is that as we need multiple parameters to access a Google API which include authentication etc. As there are multiple steps to validate an API call, if they succeed, we are provided with an access_token which now represents that all the processes (or authentication etc) was successfull and now the access_token is a proof for that. So after that, only the token will be checked (until its expiry date) and the process will repeat after the expiration.
The authorization sequence begins when your application redirects a browser to a Google URL; the URL includes query parameters that indicate the type of access being requested. Google handles the user authentication, session selection, and user consent. The result is an authorization code, which the application can exchange for an access token and a refresh token.
The application should store the refresh token for future use and use the access token to access a Google API. Once the access token expires, the application uses the refresh token to obtain a new one.
More details Here

Related

storing AuthorizationCodeCredential in web app session

I am using the azure-identity library to authenticate users for accessing the Microsoft Graph API in my Spring Boot web application.
After getting the successfully getting the code via auth code grant redirect I want to store the access token and refresh token in the the web application session so that the user does not have to re-authenticate for doing multiple requests to the Microsoft Graph API.
How can I get hold of the tokens for storing them in the session?
The Authorization Code is a single-user code used to obtain an actual Access Token. You'll need to redeem that code for an access_token as described in Microsoft identity platform and OAuth 2.0 authorization code flow.
The response body that contains the access_token will also include a refresh_token value:
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
"token_type": "Bearer",
"expires_in": 3599,
"scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
"refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
}
The way to do this was to create a class that implements OAuth2AuthorizedClientService that stores and loads the OAuth credentials in the database.

redirect_uri_mismatch the redirect URI in the request does not match the ones authorized for the OAuth client

I have following client secret
{
"web": {
"client_id": "testid",
"project_id": "testproj",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://www.googleapis.com/oauth2/v3/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_secret": "test-sec",
"redirect_uris": [
"https://localhost:8080/oauth2callback"
]
}
}
and I am getting
"Error: redirect_uri_mismatch
The redirect URI in the request, http://127.0.0.1:8414/authorize/, does not match the ones authorized for the OAuth client.
To update the authorized redirect URIs, visit:". Could you please suggest, how to fix it.
I am using C#. I have created credentials with this -
GoogleWebAuthorizationBroker.AuthorizeAsync( GoogleClientSecrets.Load(stream).Secrets, scopes,
"user",
CancellationToken.None,
new FileDataStore(Directory.GetCurrentDirectory() + "\\AccessToken\\" ,
true)).Result;
But for first time , it popped up with login and once I logged in , it has created Google.Apis.Auth.OAuth2.Responses.TokenResponse-user file in the folder. Is there a way to bypass first time login ?
Thanks.
When you are creating your credentials in https://console.developers.google.com:
After cliking on Create credentials by choosing OAuth client ID:
Choose Other as Aplication type:
.
You should have this format of credentials:
{
"installed": {
"client_id": "...",
"project_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_secret": "...",
"redirect_uris": [
"urn:ietf:wg:oauth:2.0:oob",
"http://localhost"
]
}
}
Now your OAuth2 link should works whatever your port in redirection_uri paramater as http://localhost:8414 for example (with 8414 as random port). And you are no more this error:
Error: redirect_uri_mismatch The redirect URI in the request, http://localhost:8414/authorize/, does not match the ones authorized for the OAuth client.
I just ignored the port in the error message when adding as an Authorized redirect URL.
http://127.0.0.1/authorize/
The redirect uri is the URL where you want Google to return the authencation to. This should be the file that you have set up to handle the Oauth response.
When you created your project in Google Developer console you should have supplied a redirect uri to google that states where you will be sending from and where you would like the response to be returned to.
"Error: redirect_uri_mismatch The redirect URI in the request, http://127.0.0.1:8414/authorize/, does not match the ones authorized for the OAuth client.
means that you are sending from http://127.0.0.1:8414/authorize/ however this is not one of the redirect uris that you have added in Google developer console. Go back to the developer console and add this http://127.0.0.1:8414/authorize/ or http://localhost:8414/authorize/ you may or may not need the ending / as well
Bypass Login
What you need to understand is that most of Googles api data is private user data. In order to access private user data you must have the consent of the user who owns that. We use Oauth2 to request from the user consent for our application to access their data. There is no way to by pass an oauth2 consent.
Unfortunately there is no other way to access the YouTube api. If you want to access private user data you will always have to ask the user for consent at least once and then save the credentials as you are doing now using file data store.
If you're using container apps or web apps contained over Linux, refer this answer. It could be caused by authentication redirecting to provider handle that's not served over HTTPS. See the error for redirect_uri and if the link is over http, follow the same.

(Rocket.Chat) Never expire auth token

I am trying to reuse the same authToken generated by Rocket.Chat login API.
{
"status": "success",
"data": {
"authToken": "9HqLlyZOugoStsXCUfD_0YdwnNnunAJF8V47U3QHXSq",
"userId": "aobEdbYhXfu5hkeqG"
}
}
The developer guide says:
As the token expires, you have to call the login method again in order to obtain a new token with a new expiration date. You don’t have to wait until the token is expired before asking for a new token. (Link Here)
But it does not mention about the expiration date configuration. Is there some way to set unlimited expiration to the authToken?
Disclaimer: I am an employee of Rocket.Chat and I do maintain the REST API code.
That piece of documentation is incorrect and I will be submitting a pull request to resolve that. Currently the authentication tokens obtained via the Rocket.Chat REST API have no expiration date.
As of right now, there are two ways of revoking an authentication token. First is to call the api/v1/logout endpoint and the other is go into Rocket.Chat under your account and profile then clicking the button labeled "Log out from other logged in locations".

Retrieving the Google API granted scopes for a client

We're using the hybrid auth flow, such that the client is requested for incremental grants via JS and the resulting code is passed up to our API server for processing.
What we need is one of:
Which scopes are available to a user, either via refresh token or access token
A way to include the current scopes in the $client->authenticate($code) response (so we can store them with the refresh token)
A way to determine which scope was just granted in the response from Google to $client->authenticate($code) (so we can append it to a stored list for that user)
We would like to present a list on the integrations page for the user to opt in to each feature (calendar, contacts, drive) and present a clear list of which features are enabled, in addition to prompting if they access a not-yet authorized feature. Even aside from that, I can't believe this isn't "a thing."
Was in the same position as you...If you hit: https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=
it will return a JSON response which has a "scope" parameter, which is a space-separated list of all granted scopes for the access token.
While I realize this is somewhat old now, for those finding this via Google from here on, it's probably worth noting that the access token bundle, as received back from, for example, PHP client library method $client->fetchAccessTokenWithAuthCode($_GET['code']), actually contains a list of the active scopes, with key "scope". You should be able to parse that without any need for further API calls.
Here's an example of what my access token bundle looks like:
{
"access_token": "xxxxxxxxxxx",
"expires_in": 3600,
"refresh_token": "xxxxxxxxxxxx...... ",
"scope": "https:\/\/www.googleapis.com\/auth\/userinfo.profile openid https:\/\/www.googleapis.com\/auth\/userinfo.email",
"token_type": "Bearer",
"id_token": "xxxxxxxxx...... ",
"created": 1576300135
}
Note the "scope" parameter in the above.
This doesn't appear to be documented anywhere.
Like you, some years later, I haven't yet found a client library method that supplies this functionality; and you're right, it seems rather basic (actually, a function to compare two lists of scopes would be ideal, including account for the expansion of 'profile' and 'email' scopes, hint hint Google folks!).
[apologies for switching to PHP for the example, but I suspect the access token bundle format is identical, so a similar approach should be possible]

Laravel 4 + Sentry 2 as Web service

My question is how do I use laravel 4 with sentry 2 to authenticate users that is calling my API? What are the proper ways in doing this?
Example: a user in native iOS app calls my Laravel Web service (returns JSON response), how can laravel+sentry authenticate the user?
Thanks in advance and comment if you need more info.
Like mentioned by Antonio, if the client is able to persist cookies you should be set to go.
But,I will tell you my research on this topic. I looked for API Token Implementation with Laravel. One I could find was by Terry Appleby and his implementation is a composer package with name tappleby/laravel-auth-token. I implemented a much simpler version of the package using Sentry 2 at http://rjv.im/post/78940780589/api-token-authentication-with-laravel-and-sentry.
I called it a dirty one because I didn't consider much about security, expiration of tokens etc., but to answer your question, the above version does work and it is not secure unless you are in https environment.
To help you more I suggest github.com/kippt/api-documentation. It is the API Documentation for an app called kippt.com. I picked this one because it is really simple and could be a starting point if you are new to developing APIs. See how they support different kinds of authentication. To summarize on what Kippt supports: Browser Session (I am guessing iOS does support cookies), HTTP Basic Auth (Pass username and password every time in the header) and Token (Pass a token in header of every request). On Token implementation of Kippt, it just returns a token to the client after a successful authentication and one can save and use that token. That token never changes. In my blog post, I create a new token every time user logs in.
Hope I could help.
If the client is able to persist cookies, you just login with Sentry and it should work. Otherwise, after a common Sentry authentication, create and store an authentication token in your users table:
$table->string('api_token',96)->nullable();
Then use it in all other calls:
{
"token": "a358dafd256cb5b26a944eacc1c7428a97f6d1e079c3f1972696f1bea7fff099",
"user": {
"id": "3",
"email": "joe#doe.com",
"permissions": [],
"activated": true,
"activated_at": null,
"last_login": "2014-03-08 11:17:48",
"first_name": null,
"last_name": null,
"created_at": "2014-03-08 10:29:08",
"updated_at": "2014-03-08 11:17:48",
"api_token": "a358dafd256cb5b26a944eacc1c7428a97f6d1e079c3f1972696f1bea7fff099"
}
}
An article about this: http://rjv.im/post/78940780589/api-token-authentication-with-laravel-and-sentry

Resources