I'm using Boxr gem
boxr for my autotests I need to do some manipulation with files and I have created developer token and did some things, after some time developer token was expired.
BUT on documentation I saw that I can do refresh token before runing tests.
If you want Boxr to automatically refresh the tokens once the access token becomes invalid you can supply a refresh token, along with your client_id and client_secret, and a block that will get invoked when the refresh occurs.
token_refresh_callback = lambda {|access, refresh, identifier| some_method_that_saves_them(access, refresh)}
client = Boxr::Client.new('zX3UjFwNerOy5PSWc2WI8aJgMHtAjs8T',
refresh_token: 'dvfzfCQoIcRi7r4Yeuar7mZnaghGWexXlX89sBaRy1hS9e5wFroVVOEM6bs0DwPQ',
client_id: 'kplh54vfeagt6jmi4kddg4xdswwvrw8y',
client_secret: 'sOsm9ZZ8L8svwrn9FsdulLQVwDizKueU',
&token_refresh_callback)
The question is: What the method should be for save refresh token? "some_method_that_saves_them"
Related
I have an app that uses the Google Calendar API and I seem to have a corrupt/defunct access token and/or refresh token which is resulting in the following error:
Signet::AuthorizationError
Authorization failed. Server message: { "error": "invalid_grant", "error_description": "Bad Request" }
Code for the authorization:
client_id = Google::Auth::ClientId.new(CLIENT_ID, CLIENT_SECRET)
token_store = EncryptingTokenStore.new(TokenStore.new)
scope = "https://www.googleapis.com/auth/calendar"
authorizer = Google::Auth::UserAuthorizer.new(client_id, scope, token_store, callback_url)
authorizer.get_credentials(CALENDAR_ID)
On investigation the UserRefreshCredentials we get back from authorizer object has an expires_at date in the past (11/01/2021).
I deleted the offending refresh token that we have stored, revoked access via the google account settings, then reauthenticated the user account with the app to reapprove offline access to Google Calendar again. This did not give me a new access and refresh token as expected. The expires_at is still 11/01/2021. We have valid refresh tokens in storage but for some reason Google is still picking up the old details despite that refresh token no longer existing. So I need to find a way to refresh or overwrite the UserRefreshCredentials that the Google API is using.
Other steps I have tried:
I tried to refresh the token from within a production console with some methods that come with the ruby google client gem but this fails with the same invalid_grant/Bad request error that is at the root of this issue.
I also tried to refresh the token with a POST request to the oauth2 endpoint:
https://oauth2.googleapis.com/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN&grant_type=refresh_token
but this also fails with the same invalid_grant/Bad request error.
If anyone can shed any light that would be much appreciated.
While Creation of an OAUTH token i came across different methods to create Access Token and Refresh Token, while Access Token has life of 30 mins and Refresh Token has lifespan of 100 days, there is no way to regenerate refresh token without providing credentials again i.e Username and Password.
Is there any way to regenerate refresh token without using credentials?
below are the attached resources the i read:
OAuth 2.0 with Service Now
Below are the steps we can generate access_token and refresh_token
https://developer.servicenow.com/blog.do?p=/post/inbound-oauth-auth-code-grant-flow-part-1/
create an endpoint for client access
https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/task/t_CreateEndpointforExternalClients.html
Request parameters to get access_token and refresh_token
https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/r_OAuthAPIRequestParameters.html
these are the response we are getting
https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/r_OAuthAPIResponseParameters.html
There is not concept of regenerate token we can only do it buy increasing the token expiration time.
I believe you do not need username and password, just client ID and client secret is req'd to get the new access token
enter image description here
I am trying to get refresh token when authorizing the user.
This is the url that is being used for authorization.
request
https://...../oauth2/authorize?response_type=token&client_id=test-client&scope=all&redirect_uri=https%3A%2F%2Flocalhost:7002%2F...%2Foauth
redirect url with token and etc :
https://localhost:7002/..../oauth#access_token=b3961289-713c-41c9-9341-253286cbcc52&token_type=bearer&expires_in=300&scope=all
but there isn't any refresh token with this. I tried this with token endpont and it has the refresh token like this
request
curl --data 'grant_type=password&username=....&password=...' --basic --user 'test-client:client-secret' 'https://....../oauth2/token'
response
{
"scope":"all",
"access_token":"5a90edb7-5ded-451a-9d9b-d3bd879ac336",
"token_type":"bearer",
"expires_in":300,
"refresh_token":"ec0c94db-5e81-4229-a815-9c2d80086995"
}
Is there anyway that I can get refresh token in authorization endpoint. ? Or
can I use existing token to get refresh token ?
This got to long for a comment
It kind of depends upon the authentication server how it works. Some servers only return a refresh token the first time the user authenticates.
To get a Refresh Token, you must include the offline_access scope when you initiate an authentication request through the authorize endpoint.
For example, if you are using Authorization Code Grant, the authentication request would look like the following:
https://__AUTH0_NAMESPACE__/authorize?
audience={API_AUDIENCE}&
scope=offline_access&
response_type=code&
client_id=__AUTH0_CLIENT_ID__&
redirect_uri=__AUTH0_CALLBACK__&
state={OPAQUE_VALUE}
This is the only way to obtain a refresh token so no you cant use another token to request get a refresh token.
Implicit client
In the implicit grant flow, the client is requesting access to a resource by way of a "User Agent", aka browser with the user sitting there. So a client wants to grab something, but needs the user to enter permissions for it. If the authentication server provided a refresh token, then the client could skip asking the user for permission in the future and grant itself access forever (essentially refreshing its token whenever it wants without user permission). This is forbidden in the flow because the "untrusted" client should only have access by way of having the user enter their credentials (thus only when the resource owner allows it).
You can't get a refresh token when using the Implicit grant.
I presume your application is a Single Page App? i.e. html/JavaScript running in a user's browser. This is the main use case for the Implicit grant nowadays.
If it's not a SPA (e.g. native, mobile or web application) you should be able to use a different grant type which will give you a refresh token. e.g. Authorisation Code Grant or Authorisation Code with PKCE Grant.
I am using laravel/passport password_grant for authentication. The whole generating access_token and refresh_token process is working fine. Now I am trying to use laravel passport token events to revoke old tokens.
I referred to this post for the process -
https://laracasts.com/discuss/channels/laravel/laravel-passport-revoke-and-prune-event-listener-is-not-doing-anything
This works... But when refreshing an access token using the previously provided refresh token, a new access token is being created and also a new refresh token being is created. Eventually, while revoking the old access token, the old, not expired refresh token also gets revoked.
But I think, the refresh token must be revoked only when it has expired.
And also when I remove the EventListeners from the App\Providers\EventServiceProvider $listen array, the revoking mechanism still works.
It's like even pulling out the plug the light bulb is still on.
How to solve this issue? Or am I wrong with the concept somewhere?
But when refreshing an access token using the previously provided refresh token, a new access token is being created and also a new refresh token being is created.
That's basically what makes refresh tokens prevent MITM attacks (to some extent). If someone intercepts your communication and finds your access token, they can impersonate you for as long as it lives. But if they intercept your request to refreshing your tokens, only one of you (the user and the attacker) can use it because it's revoked once used. If you get to use it first, it becomes useless to them. If they use it first, you'll be logged out because your old tokens will be revoked. If they can intercept all your requests - and keep finding your new access tokens, you need to reconsider your security setup.
From RFC6749 section 1.5. Refresh Token under Figure 2: Refreshing an Expired Access Token:
(H) The authorization server authenticates the client and validates
the refresh token, and if valid, issues a new access token (and,
optionally, a new refresh token).
I have an issue with Google plus access token. It is giving me "Invalid Credentials" error message sometimes, sometimes the same token show as active.
Following are the steps
The user confirms permission to access Google account with selected scopes.
The refresh token and access token is retrieved and saved to long time storage.
Used to refresh the token when ever needed by using stored refresh token
But sometimes I've experienced strange behaviour:
Requests to Google APIs return Invalid Credentials (401) error. Refreshing the access token (using the stored refresh token) does not work.
Access token refresh method
Using googleapis npm module to refresh token
https://www.npmjs.com/package/googleapis
oauth2Client.refreshAccessToken(function (err, tokens) {
if (err) {
console.log('error', err);
}
console.log('access tokens', tokens.access_token); // Access token
console.log('refresh tokens', tokens.refresh_token); // Refresh token
});
Questions:
What can be the reason for this behaviour?
Does this behaviour related to with any google api rate limit? because the same token works sometimes and not other-times.
Is there a way to validate the refresh token?
Every time you refresh your access token using refresh token, you will given by new access token.The refresh token has no expiry. You can use the refresh token as many as possible for refreshing the access token