Access Tokens - Extending - Error - facebook-oauth

I am using a desktop application.
I am able to successfully obtain a short-term token.
I am able to convert the short-term token to a long term token, which will expire in 60 days.
What I am assuming is the access-token-extend process, will extend the life of the token another 60 days, without the user needing to login. (If the user does not use the desktop application for 60 days - it will expire, and they will need to login to get the new token).
I would like to run the access-token-extend process each time the application is launched, thereby keeping the token continually alive if the user operates the application on a regular basis (daily).
Based on the following link to obtain my "how to"
https://developers.facebook.com/docs/facebook-login/access-tokens/#extending
(refer to section "Getting the Code")
I am using the following url:
https://graph.facebook.com/oauth/client_code?access_token=....&client_secret=....&redirect_uri=....&client_id=.....
The response is:
{
"error": {
"message": "An unknown error has occurred.",
"type": "OauthException",
"code": 1
}
}
The above error message is return when all the uri query elements are correct.
If any are purposely changed to be incorrect, I get the appropriate error. Eg. "this is a short term token, require long-term", or "redirect uri is incorrect".
I have made a few changes in the Facebook App Settings, Basic and Advance without any success.
Can anyone see what I might be missing.
Thank you in advance.

If you just go through the same process you went through to initially get the short-term token and convert it to a new longer lived 60 day token, it will return you a new token that lives for 60 days from the request. If the user has not revoked access to your app or the old token has not yet expired, the user will not have to go through the oauth acceptance in facebook again. One thing you should note, using this method if the user is not already logged in, it will prompt the user to log in to facebook before returning the token.

Related

Invalidating JWTs on Permissions

Do people typically store permissions in a JWT? I've seen example that might have admin: true or scopes: ['add_foo', 'delete_foo', 'read_foo']. And this seems fine, other that the potentially large size that the JWT could become if there are a lot of permissions/scopes. It seems like it would be really useful as you wouldn't need to hit a DB or cache to get the users permissions as long as the JWT can be verified.
My main question though is how these would be invalidated in the event of a permissions change.
For example, sys admin Joe, revokes the 'add_foo' and 'delete_foo' permissions from user Bob, but keeps the 'read_foo' permission. In this scenario user Bob should not have his token entirely invalidated and need to log back in, he should basically be forced to get a new JWT with the new permissions and carry on as normal.
I've seen examples explaining issuing a new JWT in the event of a password change, but the difference here is that sys admin Joe does the update to user Bob. Thus, there is no opportunity in this workflow for user Bob to get the new token immediately.
Most examples suggest for invalidation maintaining a black list of revoked tokens, or changing a DB record ID so the token is no longer valid, or having a per-user secret and changing that.
I see that all of these would work for the revoking of the token and test that its invalid, but how does the user then get a new token? their current JWT is now invalid? Trying to do anything with it should fail.
I've seen mention of a "refresh token". Are these widely use? Are they secure on the web or mainly used for mobile apps where the refresh token is harder to obtain. It seems like it would be reasonably easy to steal a refresh token via browser dev tools or similar and then someone would have access forever to that account until the unauthorized access was noticed and the refresh token revoked.
Maybe in this scenario forcing user Bob to re-authenticate is not such a big deal? Permissions probably don't change too often.
Thanks, Mike.
You can set expiration date (for Web app we are usually using 15 min - 30 min, for mobile 1 week). When you set Issued at claims parameter ("iat"). Then every time when you validate token you should check the token's "age". If it older than 5 min you load data from DB and create new token with current "iat" value.
When permissions change you should invalidate the issued tokens for this user. There are different techniques to use. See Invalidating client side JWT session
But consider that revoking tokens is not a recommended practice because you lose one of the main advantages of JWT: It does not require server storage.
The objective of Refresh tokens, as defined in Oauth2.0, is allow applications to obtain a new access token without re-authenticate
Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires,
If the permissions do not change frequently it may be easier to re-authenticate user, and if they change much consider whether they really should be included in the token

What is ErrorMessagePerFolderCountReceiveQuotaExceeded?

I'm synchronizing Office 365 mail folders via the Office 365 REST API by doing a GET on me/MailFolders/{folder_id}/messages. For two different accounts, I've recently been getting 500 responses to these GETs with the error code ErrorMessagePerFolderCountReceiveQuotaExceeded and error message "The number of received messages has exeeded the quota for the folder." (Typo theirs, not mine.)
I can't find any documentation on this error. What does it mean? What should I do to fix this situation?
I couldn't seem to find any documentation for it either.
From the error message, it seems it might be related to the "Maximum number of messages per mailbox folder" limit on Exchange Online. Do you know if the folder contains 1M+ messages?
https://technet.microsoft.com/en-us/library/exchange-online-limits.aspx#MailboxFolderLimits
I guess my other idea would be that you're getting too many messages in too short of a time period. Suggestion would be to use the endpoint GET https://outlook.office365.com/api/v2.0/me/MailFolders('{folder_id}')/messages with $deltaToken and $skipToken to skip previously synced messages.
https://msdn.microsoft.com/en-us/office/office365/api/mail-rest-operations#synchronize-messages
When you do a sync to an Exchange folder via the Outlook REST API, you pass it a sync token. In response, the API returns a new sync token and a set of changes. And the client is expected to send the new token back with their next sync request.
With most systems that support sync, using a stale sync token (i.e. one that has been sent to the server once) in a subsequent request will generally just succeed with no problems. And Exchange appears to work like that... for the first 999,999 times you do it. On the 1,000,000th time (and each time thereafter), you get ErrorMessagePerFolderCountReceiveQuotaExceeded. This is (I think) because Exchange keeps track of each token that it's given out and updates the token in its store each time it's used for sync. If a client uses a stale token, Exchange views it as a new client and adds that stale token as a new entry in its list of active tokens. That active token list can have at most 1,000,000 entries. ErrorMessagePerFolderCountReceiveQuotaExceeded is the cryptic error indicating that Exchange's active token list has overflowed.

Google Drive API downloadURL 401 error

Anybody can help or enlighten me with my issue:
I'm a Java developer and I have an existing smart printer app called GDrive App. It uses Google Drive API (oauth 2.0, gdata-version 2.0 and 3.0 for download-print file) .
This has been working for months until now. Actually, only the download-printing part is no longer working this time, I can still access the app (retrieve files, create folder, search and delete files).
Actual problem:
I keep on getting 401 error when I try to download file (to input stream) for printing. It's confusing because I already provided all the necessary information during the request. And it has been working for many months. No changes of the code. Weird.
I have this for headers:
[Authorization: Bearer ya29.CjAkA8uPBUsKWYMSEDpPxUbP_vtQJOKfCZ7O8I4GkpUkN70bGgnDTAVYiVW2m353H2Y
, GData-Version: 3.0
]
While executing this URL to download and print resource, I couldn't access this.
https://doc-0o-7o-docs.googleusercontent.com/docs/securesc/l9c2gms12ko7qqfc58putbb2v38kkvmm/dp5l9kmpu48kdi8mp2rvtmc1dm1f41tk/1468828800000/09859633411849852329/09859633411849852329/0ByU-nFK_03gtZGhBZkxCYmExeGc?e=download&gd=true
Error 401 means that you aren't authorized properly. Most likely the ya29.CjAkA8uPBUsKWYMSEDpPxUbP_vtQJOKfCZ7O8I4GkpUkN70bGgnDTAVYiVW2m353H2Y access token you are using expired and you have to request another.
You should write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons:
The user has revoked access.
The token has not been used for six months.
The user changed passwords and the token contains Gmail, Calendar,
Contacts, or Hangouts scopes.
The user account has exceeded a certain number of token requests.
source
You can use GoogleAuthorizationCodeTokenRequest to request an access token and possibly a refresh token.

Get non expiring Access Token from Box or Get access token from box by passing UserName and Password.?

I got the Access Token using Box Api but it is expiring in 1 hour.
What I want here is,
Either I need non expiring access token or get the access token by passing my Box User Id and Password to API.
If above things are possible let me know the way.
Thanks in advance..
You've got what is called a Bearer Token and a Refresh Token. The Bearer token is good for an hour, and the Refresh token is good for 60 days. The Refresh token can be traded in for another pair of tokens, which resets both clocks at the time you do the refresh.
Box doesn't have tokens that you can get via a username-password grant in OAuth2, because that inherently doesn't work for enterprise customers that need to do SSO through their ActiveDirectory / Okta / Ping / 2-factor / SecureID signin flows.
What you probably want is an SDK that handles the refreshing of the token for you. Most users won't ever have to logon a second time, unless they go on vacation for a few weeks. Box has already released several SDKs, all on github with open-source licenses. Most of them take care of refreshing the token for you automatically.
We've also added some enhancements recently (early 2014) to help multi-server implementations work more smoothly with the refresh-token flow, including allowing you to use the old refresh token to get the new token multiple times in a narrow time-window. That helps with both multi-threaded environments trying to get new tokens across a number of threads (or servers). It also helps with the case where you have a network interruption and you don't actually get the new token-pair back from your initial refresh call.

facebook access token timeout - how to handle this with a simple json feed on my website

I have a simple facebook site feed on my website, it allows no interaction by visitors to my site. It is literally a set of json dumped to a userlist.
The issue I am having is that the access token expires every 1-2 hours and the feed dies...
I need to automate the refreshing of a token or get a non expiring token. What is the best route for me to take.
I want to ensure that security is as high as possible.
many thanks
You can get the extended token, red this : Extended Access Tokens
This token expires in 2 months so no need to refresh this again and again.
And if you want to offline access on behalf of this user, you can use this and refresh it before its getting expired.