Questions tagged [access-token]

1

votes
1

answer
43

Views

How to use AWS temporary credentials in NiFi

I have to use AWS temporary credentials AccessKey, SecretKey and Token within NiFi process to access S3 objects. AccessKey, SecretKey and Token will be provided by an API call. How to use these temporary credentials in NiFi ListS3 Object etc? One of the options I found is using AWSCredentialsProvid...
Ani
1

votes
0

answer
172

Views

Unable to generate new Token using adalService.acquireToken for Logged in user to consume Microsoft Graph API

Trying to generate new token using adalService.acquireToken() for accessing logged-in user details from Microsoft Graph API. Below written code is not generating a Token, Error: 'error in acquiring token Token renewal operation failed due to timeout' OR 'Invalid Token' Here is what I have tried: onG...
Tarun Rathore
1

votes
0

answer
432

Views

IdentityServer, how to validate token using multiple authorities

How can I use IdentityServer.accesstokenvalidation package to validate tokens using multiple authorities? In my front end application I am getting a token using let us say one of the following: 1- subdomain1.identityserver.com 2- subdomain2.identityserver.com 3- subdomain3.identityserver.com Now if I...
Yahya Hussein
1

votes
1

answer
28

Views

implementing other grants when only authorization code is available

I am creating web and mobile apps that reimplement an existing desktop app via the desktop app's publicly available API. This API only provides the Authorization Code Grant path for authentication, which would require me to either: somehow securely store the client secret in the app Implement PKCE &...
Somkun
1

votes
1

answer
1.3k

Views

How to configure HttpSecurity for this situation (Spring Boot)

Criteria: Unauthenticated users request token from /oauth/token Unauthenticated users can also access swagger docs at /swagger-ui.html All other endpoints should be secured i.e. require a valid token to use. What I've Tried: SecurityConfig.java - Possibly the source of the problem @Configuration @En...
Jordan Mackie
1

votes
1

answer
597

Views

adding custom claims to identity server 4 GrantValidationResult

As per http://docs.identityserver.io/en/release/reference/grant_validation_result.html I'm trying to add extra claims to a GrantValidationResult but the extra claims aren't showing up, just wondering where I could be going wrong here: var extraClaims = new List { new Claim('resource_id', resourceId)...
David Parsonson
1

votes
1

answer
1.4k

Views

How to refresh personal access token programmatically in Laravel?

I have used createToken method on User model to create personal access token. Now I want to refresh that token in code without http request to oauth/token/refresh. How could I do that?
Ali Farhoudi
1

votes
0

answer
125

Views

How to configure WSO2 Api Manager to provide JWT as access token?

Is there a way to provide JWT instead of what's by default, because I need to see the information about roles, permissions and other things inside it?
nmrlqa4
1

votes
0

answer
604

Views

nginx authentication from external service

My goal is to enable access on one (static) web page/folder only to authenticated users. auth_basic is NOT option. There are 2 servers: nginx (contains http,css and javascript) and REST server (doing authentication and provides secure content). REST server provides access token. On www.somesite.com...
ivan
1

votes
0

answer
130

Views

using google api refresh_token

We have a mobile based application, where mobile ask user the offline access to google drive. Google give the credentials to mobile from where it is passed to the server via API. Server access users google drive. Mainly include file manipulation according to his or his contacts actions(So the user...
alrarea
1

votes
0

answer
239

Views

wso2 api manager refresh and access token revocation

I have the setup where clients are accessing APIs defined through WSO2 API Manager secured by OAuth2 refresh and access tokens. The client gets the tokens using authorization code flow and authentication and authorization is done by 3rd party software. Access tokens have default expiration time of 36...
user1563721
1

votes
2

answer
288

Views

Refresh token in Angular 4 for multiple api calls

I am trying to implement refresh token concept in my web app. In page refresh I am calling 4 APIs and when access-token expires am calling back-end to get a new access-token based on refresh-token. So in my case am able to get the new access-token but again unable to trigger the 4 API calls until u...
Kishan
1

votes
0

answer
219

Views

Retrofit returns not working access token

I'm creating an authorization app, where user registers and gets client_id, client_secret, access_token and refresh_token. I have one API where I need to do call. In that call I use my access_token. All works great. But the access_token expires after hour, so with refresh_token I'm updating my acces...
Hayk Mkrtchyan
1

votes
1

answer
356

Views

Get Facebook and Instagram posts on Android app without User login without using Access Tokens

I'm developing an Android app and need some help with it. I'm trying to get Facebook and Instagram posts on my app without making user to sign in to their respective accounts. Is it possible to show posts of any public pages present on for both Facebook and Instagram into my app and if yes, then how...
prashantdoshi28
1

votes
0

answer
24

Views

Authentication token to be logged forever

In Facebook app or Twitter, I am logged forever (a very big period of time). I heard that to have 1 token for forever login is not ok from security point of view. How can those applications login a user for a very big period of time and not have problems with security?
leciro
1

votes
0

answer
114

Views

How is the implicit flow of OpenID Connect secure?

I understand that in the case of Single page applications that rely on a bunch of REST APIs, the implicit flow of OpenID Connect is recommended. What I fail to understand is how is it secure? The Authorization server returns the access and id token in the URL fragment after the user is successfully l...
Sumit
1

votes
1

answer
250

Views

Keycloak One Time Access

I need a functionality to allow user to login into the system with limited functionality. So my idea is, if the request comes from well-proven source, I generate the unique hashcode and send the email to the caller with login link with the hashcode. If the user clicks on the link, he will be redire...
troger19
1

votes
1

answer
546

Views

Facebook Graph API: Cannot extend access token, “invalid platform session” (error 452)

I am trying to extend a new short-lived (1h) User access token, and am getting the following error response (using https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id=XXX&client_secret=YYY&fb_exchange_token=ZZZ): { 'error': { 'message': 'Session key invalid. This co...
user1886563
1

votes
0

answer
50

Views

How to Stay Signed In in a Mobile App using Microsoft OAuth?

I am working on an app using NativeScript and am using Microsoft OAuth2 to authenticate the user, send emails and access SharePoint with it. My problem is that the authentication token I get expires after 1 hour so the user has to login again over and over. A temporary solution I am using is refresh...
1

votes
1

answer
258

Views

Facebook access token is still valid when user logged out from app [closed]

I had integrated Facebook login in my app. On login success it give me a token as it is given in this https://developers.facebook.com/docs/facebook-login/android . I saved it in shared preference, but when the user logout by Facebook app the saved token is still valid. To check validity I use t...
kbhaskar
1

votes
1

answer
138

Views

IdentityServer4 how to store and renew tokens in authorization code flow

I am looking for the best approach to work with the IdentityServer4 authorization code flow. My apps system is quite ordinary: I have an MVC client, a WebAPI and the IS. I also use AJAX to request the API from the client side. So I need the access token on the client side to put it into the authoriza...
Daniil Doronkin
1

votes
2

answer
1.4k

Views

What characters are allowed in an OAuth2 access token?

RFC6749 and RFC6750 seem to disagree with one another about what characters are allowed in an OAuth2 Access Token. Section A.12 of RFC6749 (the original OAuth2 spec) defines the access token format as follows: A.12. 'access_token' Syntax The 'access_token' element is defined in Sections 4.2.2 and 5...
bjmc
1

votes
1

answer
106

Views

MVC Core 2 external users and access token

I am new with Dot net core 2 and implementing MVC client & IdentityServer4. Facing two problems while getting external user access token. problem 1 services.AddAuthentication(options => { options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = Op...
Saifal Maluk
1

votes
0

answer
177

Views

How to refresh/keep token activated for Mobile Apps

As far as web applications are concerned I know I can refresh/reissue the JWT by setting another parameter expireUntil in JWT with some duration and check it in each subsequent request and if it's not expire I can reissue the token or something along those lines. I don't know how efficient it is or...
zhaider
1

votes
0

answer
109

Views

Could not able to get the access token from Reddit API through Scala

I have gone through the Reddit API doc. I have to make a web app (not script) Screen shot from the github https://github.com/reddit-archive/reddit/wiki/OAuth2 As far now, I am able to get the authorization code, but I am not sure how to get the access token. Actually, it is written that...
Bibhas Singh
1

votes
2

answer
352

Views

How to prevent refreshing a stolen access token

The scenario is: you have refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time. The setup: There is a client, application server and authentication server. The client stores the access token. The application server stores the refres...
Arthur
1

votes
0

answer
48

Views

Is it secure/okay to call receipt validation API without an access token check? (in-app purchase)

I run the iOS app which only works locally (I mean, no API connection needed). In order to add subscription feature, I recently created own Server/API for the receipt validation. My question is: Should I implement an authentication feature with an access token? (e.g. using JWT) Is it NOT recommend...
moce
1

votes
1

answer
76

Views

azure conditional access logout after a specified time

I want to set an expiry time for my web app so that after 1 hour the user will automatically be logged out. It seems that Azure now has a new feature called 'conditional access'. Firstly I have to have a premium account (so yet more money) and secondly I can't find anything in the documentation th...
proteus
1

votes
0

answer
233

Views

Reset password by using Auth passport not revoke the access token automatically | Laravel

I have an application of LARAVEL in which I implemented passport (Password Grant Type) with default auth system. When a user request for reset password I will send password token to user's email and password reset process works fine. But My question is after successfully reset user password then all...
sachin kumar
1

votes
0

answer
605

Views

How should I handle access token and API secrets in Flutter

Pure android apps use Gradle to handle secure access tokens and API secrets. Where should I store my secrets in Flutter? Is it safe to put them on a text resource file and simply don't commit it?
Andre Haueisen
1

votes
1

answer
626

Views

Is it safe to store access token in session storage of client browser?

I am using Token based authentication in web API to authenticate a user. I am using client's browser session storage to store access token. Is it safe to do so? Where should I store it to make it safer? $('#btnLogin').click(function () { $.ajax({ // Post username, password & the grant type to /token url:...
1

votes
1

answer
67

Views

Access User.Identity and Claims from Outside

I am trying to build an SSO(.net core) service with OpenID Connect which will be a layer between a Webforms application and the Service Provider. I created some endpoints to check if user is authenticated and get user claims from the service. I am able to get correct results when I call these endpoi...
Orhun Karapinar
1

votes
0

answer
36

Views

Error Pulling Facebook Ad Campaign

I am trying to automate a task for my company. They want me to pull the insights from their ad campaigns and put it in a CSV file. From here I will create an Excel sheet that grabs this data and automates the plots that we send to our clients. I have referenced the example code from the library and I...
Brennan Manion
1

votes
1

answer
30

Views

Identity mechanism for extending access token life

Is there some mechanism built in Identity for extending access token life, or do I have to deal with it?
1

votes
0

answer
43

Views

What could be some 'Consequences of Not Verifying the Issuer' of JWT token?

Let's say some application named 'AppX' grants access to their APIs through JWT tokens and uses its own internal independent project to grant JWT tokens. The JWT Issuer app does not include 'iss' - the issuer field in JWT token. So the 'AppX' application is NOT verifying the 'iss' - issuer of JWT t...
1

votes
0

answer
89

Views

Get facebook access token with page_managment permission for specific user without full review of the app

Is it possible to get an access token (from the SDK not the api explorer [ex: Login Form]) with page_management permission for some specific user (the future possible client of the app) without passing the full Facebook review process. I need this, because the app is not finished yet, and the client...
1

votes
2

answer
266

Views

Get Azure AD access token from VSTS?

I have some unit tests (JavaScript) which will be triggered to run from VSTS. The tests would test some web api endpoints which are hosted in Azure with Azure AD authentication configured on the web api webapp. Can anyone recommend the best approach for authenticating against Azure AD where the clie...
cty
1

votes
0

answer
49

Views

How to apply jwt django rest token to access other Apis

I am generating jwt token with this url http://127.0.0.1:8000/api/token/ HTTP 200 OK Allow: POST, OPTIONS Content-Type: application/json Vary: Accept { 'refresh': 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTUyOTQyOTUwMSwianRpIjoiZmYxOTFmN2JhN2NhNDY2MWI0OTUzZGU2NmV...
Jyotiranajn
1

votes
0

answer
120

Views

Embedding power BI report into web app – Error acquiring token

Embedding power BI report into web app – Error acquiring token I have a .NET framework Web Application which uses Azure AD to authenticate the users. This is within an app registration which is of type 'Web app/API' Within the web app I am trying to embed a power BI report from a master account (w...
j9070749
1

votes
0

answer
79

Views

Is an auth token in query string the only solution for a simple get request?

I am using JWT to authenticate and authorize requests made by a Single Page Application. During the navigation in the application, I use XMLHttpRequest so I am able to set a header and use the token like this: headers: Authorization: Bearer MyJWTToken However, I sometimes need to download a protect...
Hammerbot
