I am trying to implement OAuth2 for a REST API which will support mobile, desktop and web apps.
I have read Chapter 6. Refreshing an Access Token of Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012
According to RFC, access tokens and refresh tokens are saved into DB and I am doing so using MySQL.
My question is at which point/activity of OAuth2 should I remove all expired access tokens and refresh tokens.
Should I run cron job for that?
I have to read about it though seems difficult to me
Verify that the MySQL Event Scheduler is enabled on the server. If not, enable it.
Assuming the table is called "token" and it has a column called "expires_at" and that column has an index on it, and then create a scheduled event with a query like this:
CREATE EVENT purge_expired_tokens
ON SCHEDULE EVERY 15 MINUTE
DO DELETE FROM token WHERE expires_at < NOW();
Every 15 minutes from the time you originally defined the event, the server will run that query in the background and purge any expired sessions.
Yes, you should periodically run a program that deletes expired access tokens, refresh tokens and authorization codes.
Related
In my app, I allow my users to authenticate with their existing google, microsoft, etc accounts via OAuth2.
Everything runs smoothly. Upon getting callback to local redirect url, I successfully request and receive bearer token from endpoint. With access token in hand, I then request UserInfo from user info endpoint. I then compare email address in UserInfo JSON object with the email address registered in user record and if they match, I consider user signed in.
Now, my question is regarding bearer token and session timeouts.
Google bearer token looks like it authorizes for 60 minutes; while my server session lasts 30 minutes (I haven't changed the default).
Since user already got successfully authenticated, the session id will remain active and alive while there's activity within every 30 minutes. However the bearer token expiration will have expired after an hour.
I would normally assume that I need to refresh the access token before it expires so long as there's activity within the established server session. However, google does not appear to have a refresh token endpoint.
But even if it did, would it be desirable to do this?
Or since the fact that I have an active session id from an authenticated user is enough to allow access to protected resources while only the session id is 'alive'?
I'm assuming it is, since some websites allow customers to maintain their sessions for days at a time, at which time, bearer token would have expired long before.
And lastly, how long would you recommend I keep my users (customers, really) with an open session? My website is on online store.
Thanks to all!
Your session can be completely detached from Google's session. You should only be concerned whether your session is still active. The validity of the access token from Google is not relevant here. Remember that the expiration time of an access token has, in fact, nothing to do with a user's session at all. E.g. you log in a user using Google. The user authenticates at Google and you get an access token, which is valid for 60 minutes. The user then logs out at Google. Your access token will still be valid until that 60 minutes pass, even though the user logged out from Google, and her session is no longer valid there.
As for the length of the session, this is really up to you. If you know your customers are likely to come back often, and you want to make it easier for them you can even keep a session indefinitely. In such a scenario you should think about security and privacy - if the user leaves their account logged in on a shared computer, how much could it hurt them if someone else manages to use their session after a week or so. If you know your customers are likely to come back every few weeks or months to your store, then it really doesn't matter if you keep the session open for a day or five. Most of them will have to log in again anyway.
So to answer the question of the length of the session you should study the behavior of your users and take into account security and privacy issues.
We are planning on migrating our Box v1 integration to v2.
Our integration implementation includes API calls accessing user box account and files from different servers at the same time.
With v2, and the introduction of refresh token, we would like to know whether multiple refresh token requests can be made concurrently from multiple servers over the same user account.
Moreover, and as a consequence of multiple refresh calls, we would also like to know whether it is possible to have more than one access key per user at any given time.
Thanks for the help
Assaf
We recommend that you use some sort of coordination between your servers to manage auth tokens and refresh tokens. While a user can have multiple access tokens for the same service, they will have to authenticate multiple times in order to get them. You can't mint extra auth tokens off a single auth-token/refresh-token pair.
Here's what we recommend.
Create a pair of encrypted columns in your database to store the auth token, the refresh token, a datetime for "token_expires", and a flag for "token_refresh_in_progress". Identify it by userID.
Write your code so that when you are about to make a call, if you are close (say, within a minute) of the token-expires datetime, instead of making your call, you check to see if the refresh-flag has been set, or if there's already a new token pair. If the flag hasn't been by some other server in the cluster, set the flag that you are doing the refresh. Make the refresh-grant call, and update the database with the new pair, and of course reset the flag.
When sending a notifications to a notificationhub I receive the following exception:
Microsoft.ServiceBus.Messaging.QuotaExceededException: The remote
server returned an error <403> Forbidden. The maximum number of
Notification operations has been reached or exceeeded. Actual:33360,
Max allowed: 33000..TrackingID55ccd1f7a791-4047-96fd-0d0be2278ff7_g7
Any ideas on how to fix this problem?
What you should keep in mind is that it appears that all operations (not only sending notifications) you do with the NotificationHubClient seems to add to your daily Operations Quota.
I have made the mistake of doing unnecessary registration updates whenever the client logs on to my API.
Device registrations are valid for 90 days, so I'll not have to make any updates unless the registration has/about to expire. (I do save the expire date, which you'll get from the RegistrationDescripton.ExpirationTime, in my user table in my server app for knowing when to do a registration update)
I am developing a desktop app which will interact with box enterprise account.
For the first time when my app will try to access Admin enterprise account it will be redirected to box page . Box finally redirects user to my redirected URL after accepting Admin user credentials.
This redirected URL will have a authorization code. which is used to get access and refresh token.
My question is that can i save this authorization code for future use. ??
Say after one month my app again wants to access Admin enterprise account then Do i again need to go through the above steps of getting the auth code.??
Alok, yes, you can save the access and refresh tokens for future use. Some things to note:
The access token must be included via an Authorization header on every request to the API.
An access token expires after 1 hour. You can use the refresh token to request a new access/refresh token pair.
A refresh token expires after 14 60 days. If your application needs to perform a monthly process less frequently than that, you'll need to create a scheduled task or chron job to refresh the access/refresh token pair in the interim. With this task/job in place you can refresh the tokens indefinitely.
If both the access and refresh tokens have expired, the user must manually authenticate your application again.
I got the Access Token using Box Api but it is expiring in 1 hour.
What I want here is,
Either I need non expiring access token or get the access token by passing my Box User Id and Password to API.
If above things are possible let me know the way.
Thanks in advance..
You've got what is called a Bearer Token and a Refresh Token. The Bearer token is good for an hour, and the Refresh token is good for 60 days. The Refresh token can be traded in for another pair of tokens, which resets both clocks at the time you do the refresh.
Box doesn't have tokens that you can get via a username-password grant in OAuth2, because that inherently doesn't work for enterprise customers that need to do SSO through their ActiveDirectory / Okta / Ping / 2-factor / SecureID signin flows.
What you probably want is an SDK that handles the refreshing of the token for you. Most users won't ever have to logon a second time, unless they go on vacation for a few weeks. Box has already released several SDKs, all on github with open-source licenses. Most of them take care of refreshing the token for you automatically.
We've also added some enhancements recently (early 2014) to help multi-server implementations work more smoothly with the refresh-token flow, including allowing you to use the old refresh token to get the new token multiple times in a narrow time-window. That helps with both multi-threaded environments trying to get new tokens across a number of threads (or servers). It also helps with the case where you have a network interruption and you don't actually get the new token-pair back from your initial refresh call.