H ow long does an API token last? I recently had an API token change and was wondering how long do these normally last? I updated my API to the new token but wanted to know how often it changes.
ActiveCollab API don't expire by default. Users can delete them, so make sure that you have a mechanism of detecting when token no longer works.
Related
We know that BOX API v1 can get a permanent auth_token, but BOX API v2 which use Oauthv2 does not, and it only valid for 1hour for the access_token and 14days for the refresh_token(afaik).
I have this application that a single form-owner integrates with BOX.
For example I have a form created that every submission will be uploaded to BOX( of course this will be set up, and it uses BOX API v1 )
Users that will submit the form will use the access_token created by the form owner.
We don't know if what time the next submission is. So by that time, the access_token might get expire or the refresh_token as well.
Can anyone enlighten me, how to refresh the token? on each user submission? or what?
BOX API v1 is no problem here, it works perfectly but because API v1 is going to die on Dec, I have to plan now to convert it to v2, but Box api v2 has a token expiration.
Thanks
I had a similar problem and the solution I got was
To write a schedule task or corn job which will
Always keep the refresh and access token alive
Create a backed task which will run say every
13 th day and use the preexisting refresh token
To get a new refresh token
I went through the Quickstart on how to upload a file to Google Drive (for Android) and everything works fine. However, it isn't clear whether I am responsible for storing tokens and handling exceptions if they expire. Does the SDK code used in the Quickstart handle this for me behind the scenes?:
https://developers.google.com/drive/quickstart-android
If I regularly call this code (taken from the Quickstart):
credential = GoogleAccountCredential.usingOAuth2(this, DriveScopes.DRIVE);
credential.setSelectedAccountName(accountName);
service = getDriveService(credential);
and then call some drive method, will it eventually generate an exception when the token expires or does the SDK code catch this internally and automatically attempt to retrieve a refreshed token?
To be even more specific, am I required to implement the code shown here:
https://developers.google.com/drive/credentials
What also isn't clear to me is the difference between an access token and refresh token. Then there is "short lived" tokens and "long lived" tokens. Kind of confusing.
On Android, when you use Google Play Services, all of the work is handled for you, including getting the token and refreshing it. This is explained in the quickstart guide that you have linked, and there is nothing more that you need to do.
I'm developing a google connector (for google search appliance), and I need to do the authentication to box.com but without having to do the login, and allow pages. Perhaps is a duplicate to: Box API Login issue
There is a way to achieve this. You will have to retrieve your token using the OAuth2 flow the first time. Then you will need to store the access token in your database along with it's refresh token. The Access token expires in 1 hour. The refresh token expires in 14 days. You can use the refresh token to get a new access token every time you need to make a request bypassing the user authentication flow. You will just need to make sure, your refresh token is used within 14 days. You are better off setting a cron that refreshes your tokens.
I've built this in my application so just build this out and your app will work well.
I hope this helps.
The Box API is currently only accessible after authenticating a user through OAuth 2
Is it possible to get an existing token for a user using the "/tokens" resource?
Currently, if a token exists, a 409 is returned by the POST:
Request:
POST https://api.box.com/2.0/tokens
Body: {"email":"some-email-a-token-exist-for#email.com"}
Response:
{"type":"error","status":409,"code":"conflict","help_url":"http://developers.box.com/docs/#errors","message":"Token already exists","request_id":"1568559050e4a10f78f66"}
What I'd like to be able to do is make a GET request to retrieve the existing token.
Just so you know, the /tokens endpoint is still in Beta. Even though Box released the rest of the V2 API as GA in December, that endpoint is still being worked on. We're working with a few developers to make sure we get the "instant access" mechanism easily useable, but also secure.
Let us know at api (at) box.com if you'd like to be on our /tokens advisory group.
I'm playing around with AppScript and try to get an oAuth 2.0 access token.
Any sample out there how to get this working in AppScript?
I am working on a cleaner tutorialized version of this, but here is a simple Gist that should give you some sample code on how things would work -
https://gist.github.com/4079885
It still lacks logout, error handling and the refresh_token capability, but at least you should be able to log in and call a oAuth 2 protected Google API (in this case its a profile API).
You can see it in action here -
https://script.google.com/macros/s/AKfycby3gHf7vlIsfOOa9C27z9kVE79DybcuJHtEnNZqT5G8LumszQG3/exec
The key is to use oAuth 2 Web Server flow. Take a look at getAndStoreAccessToken function in the gist to get the key details.
I hope to have this published in the next few weeks but hopefully this will help in the mean time.
UPDATE - adding in info on redirect_uri
The client secret is tied to specific redirect URIs that the authorization code is returned to.
You need to set that at - https://code.google.com/apis/console/
The highlighted URI needs to match the published URI (ends in /exec). You get the published URI from the script editor under Publish -> Deploy as web app. Make sure you are saving new versions and publishing the new versions when you make changes (the published URI stays the same).
I've modified the example above to use the newish state token API and the CacheService instead of UserProperties, which is now deprecated. Using the state token API seems to make things a little more secure, as the callback url will stop accepting a state token after a timeout.
The same caveats apply. Your redirect URIs have to be added to your (script) project in the developer's console, meanwhile you have to yank the CLIENT_SECRET and CLIENT_ID from the console and paste them in. If you're working within a domain, there don't seem to be any guarantees on what URL will be returned by ScriptApp.getService().getUrl(), so I wound up basically having it get the address dynamically, then waiting for to fail on the the (second) redirect, and then hard-coded the resulting URI.
https://gist.github.com/mclaughta/2f4af6f14d6aeadb7611
Note that you can build an OAuth2 flow using this new API, but it's not a complete sample yet:
https://developers.google.com/apps-script/reference/script/script-app#newStateToken()
In particular, you should not pass 'state' directly to the /usercallback URL yourself, because the OAuth2 service provider is responsible for round-tripping the 'state' parameter. (Instead, you pass 'state' to the auth URL, and the service provider automatically attaches it to the callback URL.)