We are using the following method to generate a token to be used to make calls to the Yammer data export and REST apis. https://developer.yammer.com/introduction/
The token looks to be working for the most part, but it will expire ever 2 weeks for some Yammer instances. However, according to the documentation, I thought that the tokens generated in this way are not supposed to expire.
Are there any specific reason why tokens would be expiring every 2 weeks? I know that the user is not being deleted or deactivated.
Thanks!
The access tokens are long lived and I have being using mine for about 4 months now. You want to double check to ensure that the user did not revoke the app's access from the "My Applications" page.
Related
I’m in the early stages of learning front end development. I have an idea for a project that will interstate the Spotify api but the Spotify access tokens only last for one hour. I wanted to know is there a way I can circumvent this and avoid having to update the token every time I want to use the api. I am aware of the authorization flow but I’m having trouble understanding how to follow it in order to get a refresh token.
I only need to make 2 GET request for getting a track ID then to get the song from that ID
As stated in the official API documentation, an access token lasts one hour but can be refreshed using a refresh token. By using a refresh token you can get a new access token that will be valid for another hour.
Docs: Spotify guides: token swap and refresh
I've been using the Google API to update one of my Chrome plugins on a weekly basis. This has now happened 3 or 4 times now: The refresh token I acquire will work properly for up to two weeks (only being used once per week), then the third week, returning an error saying that my token has been expired or revoked.
Given that I'm the only user with access to these tokens, I know that there isn't any spamming, and I know that nobody would be authorized to revoke the tokens on my end.
Please advise. Thanks!
There are serval reasons why an access token can expire.
the user revoked your access.
depending upon which scope you are using if the user changes their password it can revoke all out standing refresh tokens (mostly gmail I think)
If your application is still in testing phase refresh tokens only last for two weeks you will need to move your application to production and go though the verification process. (this appears to have been a stealth change i can find no information on it)
you can have a max of 50 outstanding refresh tokens for a users account, if the user is logging in multiple times and you get a new refresh token each time make sure you are always using the newest.
Your application should always be set to request access of the user again in the event that the refresh token has expired.
I have recently worked with Google Ads API and Shopping Content API and experienced detailed behaviour of API authentication mechanics.
What i can tell for sure regarding authentication is the the following:
An Access-Token always have a life time of 60min. and then expires
An refresh-Token makes it easier to obtain a new Access-Token, since
no additional verification is needed
The lifetime of a Refresh-Token varies
it can be a 6 month or more (when the related application publishing status is released)
or just 1 week (when the related application publishing status is testing)
You can find detailed information regarding Token Expiration on the Google API Documentation https://developers.google.com/identity/protocols/oauth2#expiration
Also information regarding publishing status of your API application Token has expired or revoked - Google Ads
My current application access one of the Google APIs using "3-legs" OAuth 2.0. User authorizes the app on Google consent screen, then the app requests API on behalf of the user and shows him some fancy data loaded from API. Everyday my application loads and transforms data from this API, so when the user comes next time, he sees the most relevant and actual data.
Everything works fine on the start, but as time goes, I faced two problems:
1. Query limits.
2. Token lifetime.
My question is dedicated to the second one, that I refer as "token lifetime". After some amount of time, the access token expires, and when user comes back to the app, our app obliged to send him to consent screen again. Moreover, all the time while access token has been in expired state, my app cannot load relevant data for user.
How can I solve this problem? How to continue lifetime of access/refresh tokens? Would Service account help? Would Service account work for Google Search Console API for every user, or should the user be a G Suite user inside my domain or what?
These questions are completely unclear from the official documentation here and from the Search Console API documentation.
If you have past experience with Google's APIs, please help me!
Thank you
When you use OAuth with user-consent, you do not need to prompt the user for consent repeatedly.
[a] If your usecase is entirely online and you want to be able to request a token each time the user visits your app, use the Google Sign In library or see this documentation for client-side apps.
[b] If your usecase is that you want to be able to obtain access tokens even when the user is not present, then you need to request an authorization code and store your refresh token. Your refresh tokens are longer-lived tokens and can be exchanged periodically for access tokens.
I am using gapi.auth2.authorize to authorize people in my Google Photos API app but I cannont find a why to unauthorize or disconnect them from the app. What I have noticed though is that there is no way of using an old access token so that the user doesn't need to authorize.
How can I make the access token invalid?
Is it correct that every time the API is used the user has to authorize?
Thanks
How can I make the access token invalid?
Not possible to invalidate an access token, it will expire after 1h
You can check documenttation here
Is it correct that every time the API is used the user has to authorize?
Nope, you should ask users to authorize only once, using a refresh token that you can keep in your back-end, thus allowing your app to content on on users behalf all the time, until they revoke permissions
I have started building a C# asp.net website that will have the ability to post directly into Yammer (we have Yammer Enterprise). I have used the REST api to create a post and have also been able to create in impersonation token to post on behalf of other users. It works fine, but reading the documentation, the tokens seem to have an indefinite lifetime. Forgive me is this is a stupid question, but is there an expectation that as a developer, I should store the token locally (eg in a SQL table) and reuse local version for future API calls?
If the API call fails, then I assume I regenerate the token and re-store for future use?
Thanks
Andy
Yes, these tokens don't expire until an account is suspended or deleted in Yammer, or the user manually revokes the app. Until that changes you need to be very careful with handling these tokens. Applying encryption, permissions, and other techniques to secure your app is the best way to protect them.
You might also consider storing the time when the token was acquired or last used. Then delete the token after a period if it hasn't been used. That will protect the user.
In your UI make it clear what your app does with Yammer so that users authorizing it are aware of what they are opting into.