We have developed a mobile application (Android & iOS) which has custom login with limited session expiry time (3 days). The session will expire after 3 days and we are showing Login page to re-login.
But we don't want to show login page to the user. What are the best approach to do that.
Approach 1:
In the server side, do not set the expiry date to the generated session. So that session will not expire until user logged out.
Approach 2:
In UI, save the username & password in permanent storage like sqlite & etc. When the session expired (after 3 days in my case), UI has to send hidden login call to get new session id. In this case we will not redirect to login page.
How other mobile apps keep the session Id's alive till user logout.
Please suggest me any other best approach apart from above 2 approaches.
You can use following approach to solve your issue, I have faced same issue and used same approach :
Server should send a extra RefreshToken with your sessionId.
Or server should provide a different API to refresh your sessionId with that refreshToken.
So suppose you get “invalid token” error, then you need to follow following steps :
call RefreshToken API using last saved RefreshToken.
Server should refresh that sessionID & reset expiryTime to 3 days and reply you with new SessionID.
Server should create new RefreshToken at their end only whenever you logOut/login again And when 3 days expires(means user haven’t used app for 3 days so he should be logged out).
So you should be logout only when that RefreshToken expires.
you will get new sessionID and then use that for further requests & for that request on which you got that error.
Related
I have been reading around on different ways to refresh the cognito session after 1 hour, and I have yet to get a conclusive answer from aws team or anyone else. How do you get new tokens after the sessions have expired without re-authenticating, that is, the user has to login again (enter their password/email credentials).
There is a method refresh() in CognitoCachingCredentialsProvider class, that I believe refreshes the session. However, after that is called how do you get the new tokens (idToken/accessToken/refreshToken)? In my case the refreshToken is set to the maximum expiration time which is about 10 years.
The only way to get new tokens as I have done so far, is through user authentication when the user is logging in, where cognitoUser.getSessionInBackground(authenticationHandler) is called. This interface provides the tokens retrieved from CognitioUserSession. It seems very counterproductive for my application in particular to prompt the user to login, using their password each time after 1 hour.
I would like to add one more thing, is it even possible to get new tokens after the idToken and accessToken have expired? Looking at the aws cognito raw code, I have not seen an interface that provides that outside of login in the user despite what the documentation says.
I am developping an android app based on firebase that connects to the Nest API. While it worked for some time, it now rejects authentification.
I get the folowing error "The active or pending auth credentials were superseded by another call to auth" when I'm pretty sure firebaseRef.auth() method is only called once...
EDIT : I'm getting close to the 1000 Users limitation after wich we should request more users from Nest.
Any idea where this is comming from ? Can it be comming from the online service I am calling or is this necessarilly due to my code ?
thanks.
P.
We discovered that every time the user is passed through the Works with Nest web sign up dialog, it generates a new auth token. Is it possible you've run through the process on multiple devices and generated a new auth token, invalidating your previous one?
If you're trying to request data from an API/Web Service how do you design the login process?
If it is sensitive data, do you send a login request to the server /w username+password, and receive a session-token or similar, or do you send username+password every request?
Assume you do get back a session-token. How do you get a fresh token, without asking the user to reenter their credentials. Do you save username+password on the device?
It is best to use client credentials flow of auth2:
show web page with login page
user enters username + password
page reloads and you get parameters from new page (auth code)
issue token request with auth code retrieved from previous step
save token with refresh token
use refresh token to obtain new token but remember that refresh tokens will have 'refresh_token'
value set to null so you will have to save refresh token retrieved
at the beginning to issue new tokens after they got too old (usually
3600s)
This: http://bshaffer.github.io/oauth2-server-php-docs/grant-types/client-credentials/ and this http://brentertainment.com/oauth2/ will make it easier to understand and implement
I'm using Parse as the backend.
To check if the user is logged in I use ParseUser.getCurrentUser(). What I don't understand is, if the user changes his password from somewhere else (another device, the web-client), will this ParseUser return with some kind of error?
I don't think it does a check on the server, so I think it just returns the last saved user. This mean that I can continue to use this user (with an old password) or will I get a "wrong credential" response on the first request to the servers?
If I don't get it, will I at least get it when setting an ACL with parseObject.setACL(new ParseACL(ParseUser.getCurrentUser()));?
Try same action on yahoo in 2 open browsers of different types and see what you get?
Each client's been handed a token value by the respective servers and until the token expire will not be prompt for a new logon.
Well IMO Parse work very similar except the lease on Parse token never expire.
Response to the original parse logon contain the token value which the SDK may retain. Details are in the docs section on Rest api / user logon...
So, if a diff client change password but the token lease over on some other client never expire, the other client stays logged in.
Some days ago I asked how to retain Box tokens (Load, save and use of authentication data in Box Android API). Now, when user wants to access his Box account I use this code to configure BoxAndroidClient:
client = new BoxAndroidClient(C, S);
client.authenticate(loadAuth()); //loadAuth() returns BoxAndroidOAuthData object
For short period of time after obtaining authentication data it works good. But after an hour or so I get an AuthFatalFailureException:
07-06 17:21:01.841: W/System.err(3647): com.box.boxjavalibv2.exceptions.AuthFatalFailureException
07-06 17:21:01.841: W/System.err(3647): at com.box.boxjavalibv2.authorization.OAuthDataController.doRefresh(OAuthDataController.java:275)
07-06 17:21:01.841: W/System.err(3647): at com.box.boxjavalibv2.authorization.OAuthDataController.refresh(OAuthDataController.java:191)
07-06 17:21:01.841: W/System.err(3647): at org.redscorpio.cloudtest.network.Box$2$1.run(Box.java:71)
Line 71 is
client.getOAuthDataController().refresh();
but it happens every time I need to access Box:
client.getFoldersManager().getFolderItems(current.getId(), LIST_REQUEST()).getEntries();
client.getFoldersManager().getFolder("0", DEFAULT_REQUEST);
I suspect that my token is invalidated at some point, but I don't know why it can't be renewed and why it happens after such a short period of time.
What I can do to prevent this?
I am not exactly sure what's going on. The sdk does auto refresh the token. However every time the token is refreshed, you actually will get a new refresh token and new access token, the old refresh token will not be valid any more. So basically the easiest way probably is update your stored OAuth token object every time your api call succeeds.
In the meantime, can you double check(maybe add some loggings) whether the stored refresh token and access token are the latest ones?
You can logcat out the access token in the code of token refresh:
com.box.boxjavalibv2.authorization.OAuthDataController class, doRefresh() method.
and in the place where api call is made: com.box.boxjavalibv2.authorization.OAuthAuthorization class, getAuthString() method.
When a user logs in and accepts your app's grant, you exchange the authorization_code for an access_token and a refresh_token (response shown below). The reason your token invalidates is that the access_token expires in one hour. You can exchange the refresh_token, which is valid for 14 days, for another one-hour access token. This is why you'll want the app to store both the access_token and the refresh_token, ensuring that a user will only need to re-authenticate if they return to the app after more than 14 days.
Using the refresh_token for another access_token will always return one more of each (refresh + access).
{
"access_token": "T9cE5asGnuyYCCqIZFoWjFHvNbvVqHjl",
"expires_in": 3600,
"token_type": "bearer",
"refresh_token": "J7rxTiWOHMoSC1isKZKBZWizoRXjkQzig5C6jFgCVJ9bUnsUfGMinKBDLZWP9BgR"
}