How can I refresh the access token? - c#

I have a Xamarin.Forms iOS and UWP application based on a .NET Standard 2.0 library. I am able to allow the user to a) log in with Facebook and b) use the received Facebook token to authenticate with an AWS Cognito federated identity pool without any problems, leading to a Cognito access token to work with AWS resources for one hour. The logic I follow is to create a new CognitoAWSCredentials instance, call its addLogin method to specify Facebook and the Facebook address token, and finally call the GetIdentityId() method to receive the necessary credentials.
As expected and documented, this access token works for one hour and then I start receiving AmazonCognitoIdentityException.
I have read through the Amazon documentation but did not locate which method or API endpoint to call after (let's say) 55 minutes to refresh this token. Additionally, I also do not see from debug instance inspection any reference to a refresh token or a refresh method.
Guidance to the correct way to refresh the AWS Cognito access token is greatly appreciated.

Related

Getting Access Tokens with Cognito using Username and Password

I have a Cognito user pool, an app set up and a resource server set up. We do not want to use the hosted UI to log in and I am trying from the back end to authorize with OAuth 2.0 with a user name and password and send the token back to the front end to use with API Gateway calls. I am using C# and the provided SDK does not allow for the right scope, so I am trying the manual OAuth2 method of logging in, but nothing I have tried is working.
Edit:
I have gotten a bit further today trying to use Postman; however, I am getting the error: unsupported_grant_type with the following setup:
As of now, this is not supported without hosted UI. Basically, you can not expect AdminInitiateAuth to include custom scopes in the access_token.
This is not a limitation in .NET SDK. This is a limitation in Cognito itself.
As per this answer, someone can argue that this is the intended behaviour.
Signing in via initiate Auth or admin initiate Auth is not via the Oauth endpoints so the Oauth custom scopes will not be included in the token.
Also, this issue has been mentioned for other SDKs/libs as well, such as the Android SDK and Amplify JS. Several issues are mentioned in this comment.
Maybe you could try to use id_token along with Lambda Authorizers as a workaround.

dropbox-sdk-dotnet: how to get a refresh token and update the access token

I'm using the Dropbox SDK for DotNet, and it is time to support short-lived Access tokens.
My use case is uncommon (web site, 'backend side'). Once the link to Dropbox is made, everything should keep working unattended.
In fact, it is OK to never publish the app. Each user creates their own app in their own Dropbox account and stays in Development mode forever.
Until now, the user creates the Dropbox app, takes note of the App key and App secret, and generates an access token directly at https://www.dropbox.com/developers/apps/info/....
With this data, the application was working fine, but Access tokens will soon be short-lived only. I already verified the link to Dropbox gets broken after the generated (from www.dropbox.com/developers/apps) Access Token expires.
How can I, using the SDK and having a valid Access token, get a refresh token to be saved and utilized to get a renewed access token?
I couldn't find any way in DropboxClient.cs, DropboxOauth2Helper.cs, nor the examples at https://github.com/dropbox/dropbox-sdk-dotnet/tree/main/dropbox-sdk-dotnet/Examples
It is not possible to use an access token to retrieve a refresh token. A refresh token can only be retrieved via the OAuth flow. I recommend reading the OAuth Guide for more information.
The "Generate" button on the app info page on the App Console does not currently offer the ability to generate a refresh token, but I'll pass this along as a feature request. I can't promise if or when that might be implemented though.
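
The OAuth flow this answer points to, as an added example that is not part of the original answer and is not the Dropbox SDK's own code: it calls Dropbox's OAuth endpoints directly over HTTPS and requests offline access so that the code exchange returns a refresh token. DropboxTokenStore and its member names are hypothetical; it assumes .NET Core 3.0 or later (System.Text.Json, C# 8).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Hypothetical helper (not part of the Dropbox SDK): obtains and renews tokens over HTTPS.
public sealed class DropboxTokenStore
{
    private const string TokenEndpoint = "https://api.dropboxapi.com/oauth2/token";
    private static readonly HttpClient Http = new HttpClient();
    private readonly string _appKey, _appSecret;
    private string _accessToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    // Long-lived secret: persist it encrypted and never log it.
    public string RefreshToken { get; private set; }

    public DropboxTokenStore(string appKey, string appSecret, string refreshToken = null)
    { _appKey = appKey; _appSecret = appSecret; RefreshToken = refreshToken; }

    // One-time interactive step. token_access_type=offline requests a refresh token;
    // 'state' is an unguessable per-session value verified on the redirect (CSRF check).
    public string BuildAuthorizeUrl(string redirectUri, string state) =>
        "https://www.dropbox.com/oauth2/authorize?response_type=code&token_access_type=offline"
        + $"&client_id={Uri.EscapeDataString(_appKey)}&state={Uri.EscapeDataString(state)}"
        + $"&redirect_uri={Uri.EscapeDataString(redirectUri)}";

    // Exchange the authorization code from the redirect; this response carries refresh_token.
    public Task RedeemCodeAsync(string code, string redirectUri) =>
        PostAsync(new Dictionary<string, string> {
            ["grant_type"] = "authorization_code", ["code"] = code, ["redirect_uri"] = redirectUri });

    // Unattended use: renew the short-lived access token shortly before it expires.
    public async Task<string> GetAccessTokenAsync()
    {
        if (RefreshToken == null) throw new InvalidOperationException("Run the code flow first.");
        if (DateTimeOffset.UtcNow.AddMinutes(5) >= _expiresAt)
            await PostAsync(new Dictionary<string, string> {
                ["grant_type"] = "refresh_token", ["refresh_token"] = RefreshToken });
        return _accessToken;
    }
    private async Task PostAsync(Dictionary<string, string> form)
    {
        form["client_id"] = _appKey; form["client_secret"] = _appSecret;
        using var resp = await Http.PostAsync(TokenEndpoint, new FormUrlEncodedContent(form));
        resp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        var root = doc.RootElement;
        _accessToken = root.GetProperty("access_token").GetString();
        _expiresAt = DateTimeOffset.UtcNow.AddSeconds(root.GetProperty("expires_in").GetInt32());
        if (root.TryGetProperty("refresh_token", out var rt)) RefreshToken = rt.GetString();
    }
}
```

The refresh response contains only a new access token, so the stored refresh token stays in use until the user or app owner revokes it.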

Microsoft identity - revoke authorization

I'm developing a .NET application that can send emails on behalf of the user using the Graph API.
Users are prompted to authorize the application; The acquired access token is then used to call the Graph API. The refresh token is used to issue a new access token when the old one expires, as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Couple of questions / observations:
Assume user John authorizes the app to send emails on his behalf. If an administrator removes the app from the azure portal, the access/refresh tokens issued when John authorized the app will still work.
if the access token is still active, it can be used to call the graph api;
if the access token is expired, the refresh token can still be used to request a new access token
Is this behavior intended?
After reading https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/users-revoke-access and https://learn.microsoft.com/en-us/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0 it seems that simply removing the app from the user doesn't revoke the tokens.
Assume user John authorizes the app to send emails on his behalf. If John goes to https://myapplications.microsoft.com and removes the app he won't be able to use the refresh token to get a new access token, which is expected.
However, I've noticed that if John reauthorizes the application to perform actions on his behalf, the application won't show up on https://myapplications.microsoft.com anymore. This behavior seems a bit inconsistent. What's the proper way for a user to revoke access to an application?
If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.
The lifetime of the access token is usually about 1 hour. During its lifetime, even if the application is deleted, it is still available, but you will not be able to use the refresh token to obtain the access token again.
If you need to revoke authorization during the lifetime of the access token, please see: here and here.

How to change Is Multiple Resource Refresh Token to true in Azure AD authentication?

I am trying to authenticate my application using azure AD. But at one time I am able to login at one place. When I am trying to login in other place it is not authenticating. I read somewhere that IsMultipleResourceRefreshToken should be true in AuthenticationResult. Can anyone help me how to get IsMultipleResourceRefreshToken to true in Azure AD authentication?
The IsMultipleResourceRefreshToken flag describes the nature of the refresh token you received. You cannot change it. However, there should be no scenarios TODAY in which the refresh token returned by Azure AD is not multi resource. I recommend you ensure you are using the absolute latest version of ADAL and that you are actually using a flow that returns a refresh token.
Furthermore: it is unclear if "login to another place" refers to obtaining a token for another resource, or for another tenant. If the latter, please note that tokens are always bound to their tenant and do not enable the issuance of new tokens for a different tenant.

Using Facebook graph Api in c# windows application

I want to start with graph Api in windows application. I created a facebook app and see some articles about graph Api but unfortunately I did not understand. I want to get data like: Messages, Events, Friends, Wall posts,... from facebook.
What is the first step for this?
What is access token and if it is a constant string or changes for every request?
Do you have a very basic sample for this?
Any help will be so appreciated.
The access token will expire in 2 to 3 hours and we can extend it for 60 days. For that we need to create an application in Facebook. And based on this, the access token will vary and is not constant.
**What is Access Token**
An access token is a random string that gives an app temporary and secure access to Facebook APIs. An access token can be created on behalf of a person, a Facebook Page or an app. The token is generated in the last step of the login flow. Facebook SDKs handle the generation and storage of tokens automatically. Apps using other methods will need to follow the login flow to create tokens.
The token stores information about permissions that have been granted as well as information about when the token will expire and which app generated it. To maintain information security, almost all API calls at Facebook need to have an access token passed in the parameters of the request.
Go through this link for Graph API
