The Office365API provides a nice way to get an access token but there are no example on how to handle the situation when the token expires. Moreover, there does not seem to be a refresh token.
On the blog "How to: Integrate Office 365 with a web server app using Common Consent Framework"
[ http://msdn.microsoft.com/en-us/library/office/dn605894(v=office.15).aspx ] there is the notion of getting a refresh token along with the access token. When the access token expires the refresh token can be used to get another access token / refresh token set without requiring the user to log into their office 365 account again.
Does anyone know how to handle the expired access token using the Office365APIs?
The way i do it is
await _outAuthenticationInfo.ReauthenticateAsync(ExchangeResourceId);
Related
I’m writing a web api that will be called from a background service to fetch some data. After some research I decided to use a Json web token to achieve that but I’m still a bit confused regarding when a new token should be requested.
Let’s say I start up my service, I request a token, the token expires after 15 minutes, then after 20 minutes I make an api call with the expired token. I will get an unauthorized error or something.
My question is: How will the client know when to request a new token? Should it request a new one before every api call? Seems like I’m missing something. Maybe I should make the token permanent and store it in the database?
Thanks
The answer to this is slightly application specific, but the OAuth specification has a mechanism for "refresh tokens", which can be used to grant new "access tokens" (the token typically included on each API request), without having to send the user to the UI authentication process to have them re-authenticate. So, once you request an access token, you will receive a refresh token and an access token. This methodology allows access tokens to be used for much shorter time frames.
This can also be done without refresh tokens, but in those cases the access token timeout would likely be longer, and then you would request that the user re-authenticate through the usual OAuth UI process. Note that even when you do have refresh tokens, the refresh token can also be set to expire, in which would then require a user re-authentication through UI again.
In some API's you just make the API request as usual, and if you get a response that is defined by the API to be one that indicates the access token has expired, you can then issue an API call to refresh the token (or fully request a new one if that is expired, or you the API doesn't have refresh tokens), and then make the original API call again with the new access token.
The API can also have a response that includes the timeout or expiration date/time of the access token as well. Then, the client can avoid sending the initial API call first, and simply send the refresh token call first.
In implementing your API, you could likely use any of these methodologies.
Here's some general discussion on the OAuth spec website, to provide more depth:
https://www.oauth.com/oauth2-servers/making-authenticated-requests/
https://www.oauth.com/oauth2-servers/access-tokens/access-token-lifetime/
https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
And also, here's an example from the Twitter API regarding response codes showing one of the access token expiration techniques (see the "Error Codes" section, under error code 89, which implies the token has expired and you need to get a new one):
https://developer.twitter.com/en/docs/basics/response-codes
Since your client is background service , you can use the Oauth2 Client Credential Flow . Your background service can request an access token using only its client credentials when the client is requesting access to the protected resources under its control.
With this flow , you does't need to care much about the token expires , if client sends an expired token to web api , web api validate the token and create token expires response to your service , your service check the status code/response , directly send a new token request to web api to get new access token , there is no need to use refresh token which uses in other flows .
The fact is that your harness should be prepared to request any token when getting an Unauthorized status code. What I do in test is to check the expiration datetime, if close enough I refresh or get a new token whatever applies to your Auth. Also when getting an unauthorized status code my code does a refresh once and keep a count. If I get another unauthorized code then I return a false or throw an exception after I log the error on the second try. This works fine for me.
I have been using Force.com Toolkit for .NET for long time. Recently one of a client has started complaining for session invalid issue. So I started digging up and found that I have to refresh token by calling TokenRefreshAsync for which I need to pass on refresh token which I get during authentication. But I am getting null refresh token from SF.
I have tried everything possible thing I found on the internet without any success. Perform requests on your behalf at any time (refresh_token, offline_access) is added in OAuth Scopes:
Refresh token expiry is set at 2 days:
This is the simple code I am using to authenticate:
var task = authClient.UsernamePasswordAsync(consumerKey, consumerSecret, username, password, callback);
task.Wait();
What am I missing here?
The Username-Password Oauth Flow does not provide a refresh token on Salesforce, regardless of scopes:
This OAuth authentication flow passes the user’s credentials back and forth. Use this authentication flow only when necessary. No refresh token is issued.
If you want a refresh token, you'll need to implement a different OAuth flow (preferable!), or eschew the refresh token and reauthenticate when your access token expires. The latter makes you vulnerable to credential and security token changes on the part of the authenticated user, however, which using a more suitable OAuth flow grants resilience against.
How to regenerate the access token using refresh token through C# or PowerShell using native application client id?
Having the following inputs:
$RefreshToken = "refresh_token"
$ClientId= "client_id"
I have found many ways to regenerate access token using refresh token, but all those are using web app client id and client secret.
As far as I know, if you use native application, we will use silent auth(grant flow). It will just return the access token not the refresh token.
I guess you use web application code flow to get the access token and refresh token.
If you use this way, it must need the client secret and refresh token to generate the access token.
Thanks for looking.
Background
I am developing an Outlook add-in that requires our users to obtain a token so that they may interact with our API. We use Auth0 for this.
Essentially, when the user attempts to use a feature from our add-in, they are presented with a sign-in dialog that is powered by Auth0's Auth0.WinformsWPF nuget package (if they are not yet authenticated):
Of course, our users do not care to sign in to our API every time the token expires so I need to make use of Auth0's Refresh Token so that if our code attempts to call the API but the token is expired, I can refresh it without asking the user to log back in.
Problem
I do not see an obvious way to obtain or make use of the refresh token using Auth0.WinformsWPF package. Launching the above dialog to obtain a token is pretty simple however:
auth0.LoginAsync(wrapper, "","openid name email email_verified picture given_name family_name sso").ContinueWith(t => {
//Callback logic after successful authentication.
},
TaskScheduler.FromCurrentSynchronizationContext())
Question
Preferably using Auth0.WinformsWPF, how do I obtain and use a refresh token? I would very much appreciate some example code.
You need to add the offline_access parameter to scope. That will instruct Auth0 to return a refresh_token
I want to post an update to my own facebook page from a .NET service. I can make a FB App and that wants 'publish-actions' and 'manage_pages'. But how can I get an accessToken in code. The posts would be infrequent so I don't mind generating a new access token each time, but I need it done by the service without any interaction from me.
Following scenario 5 of https://developers.facebook.com/roadmap/offline-access-removal/ should allow you to authorize once as a user and then use the page token indefinitely without any need to re-authorize.
Exchange the short-lived user access token for a long-lived access token using the endpoint and steps explained earlier. By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages. This will also apply when querying with a non-expiring user access token obtained through the deprecated offline_access permission.
https://developers.facebook.com/roadmap/offline-access-removal/