I am trying to use Oauth2 system for Android development, but I cannot understand what I have to do if refresh token will be expired.
Should I show the login form if the refresh token is outdated, if so at what point do I need to check on a token expired?
UPDATE:
My actions:
server config: refresh token lifetime 14 days
1.First I try to make a request to the server but the server returns that the access token is expired
2.Then I try to update access token using the refresh token but the server also returns that refresh token is expired
3.Not having received the token, I ask the user to log in again
Is it right?
Library I use link
Please help me understand after refresh token expired actions.
Yes you're right ! When your access token and refresh token are expired the only way to get a new token pair is to ask the user for its credentials (you can prompt the user in a login form).
The strategy I use to avoid asking the user for its credetial many time, is to send a new refresh token every time I need to renew the access token.
So when I ask for a new access token my Oauth2 server sends me a new access token and a new refresh token (and the new refresh token expiration date is consequently later]
Phindmarsh from github helped me to find the answer to this question.
Link to the answer
Related
Currenty I am using Amplify SDK for using AWS Cognito in the App.
After login i am retriving idToken which expires in about 30 min according to the doc.
So, every time idToken expires i have to make user login again to retrieve idToken.
Is there any way to get refresh idToken without making user to login again every time it expires?
I have looked into this doc but could not figure out what to do.
Using Tokens with User Pools
How are you signing in? The standard authentication will return ID, Access and Refresh tokens and the SDK will handle the refreshing of the tokens when they expire after an hour. If you are signing in through the HostedUI, you might be using implicit grant flow, which will only return ID and Access. So you will need to re-authenticate after an hour. The alternative there is to use the authorization code grant flow.
In Android API, access token can be re-issued through refresh token.
Even after new access token is issued, the previous one is still valid for expire time(maybe 1 hour).
I am wondering if it is ok to request a new access token everytime I need regardless of how many access token is issued so that I don't mind if the access token is expired or not.
With my simple test, It seems OK. However, I am not sure it is still OK with production service.
Any expected issue, if I request a considerable amount of access token with a refresh token?
Otherwise, should I re-use access token until it is expired?
The OAuth2 token needs to be refreshed (as per the spec) but I was wondering if this was still true of the SSO token? I was hoping to get permission to use uber in the app and then store the token in storage so I wouldnt have to make the user login again.
A refresh token is utilized in the networking stack to refresh the token once it expires. See RefreshAuthenticator.java
According to the doc, in order to authenticate with a backend server I have to :
send the user's ID token to my server using HTTPS.
verify the integrity of the ID token and retrieve the user's ID from the sub claim of the ID token.
This work quite well, but how to do if I have to authenticate all the request to the server ?
Should I store the idToken (on a private sharred preferences) and verify it each time server side ? Since the idToken have a validity date, the client must be able to regenerate it when it has expired.
Or on the first connection, should I return a single id (without validity date) to the user which will allow him to communicate with the server (seems less secure) ?
The token should be verify with every request to the server it's like a key for each request. This key is not valid for a long time period so you have normally a refresh token if you want the "session" to be persistent. If you don't have it you will need to authenticate again every time the validity period of the token is expired.
So yes you should store the token in the client side. The best practice is to have a really short validity period to be sure that if the token is compromise the attacker will have a short time to do malicious thing.
I foud a technical answer (#EmCode's answer is correct) in the doc of the silentSignIn() method. (Here is a link).
The GoogleSignInResult will possibly contain an ID token which may be used to authenticate and identify sessions that you establish with your application servers. If you use the ID token expiry time to determine your session lifetime, you should retrieve a refreshed ID token, by calling silentSignIn prior to each API call to your application server.
See if this makes sense:
This work quite well, but how to do if I have to authenticate all the request to the server ?
I think the purpose of google sign-in is to authenticate users by their google credentials. It is not really for authenticating all your client requests against your own server. What will happens between your server and google should be only user token validation. Once the token is validated fine, the subsequent C/S data exchange can use authentication of your choice, and no need to bother google each time or care about the token validity.
If you use the ID token expiry time to determine your session lifetime, you should retrieve a refreshed ID token, by calling
silentSignIn prior to each API call to your application server.
Yes, if sessions are used your application and you want the token to define validity, then you need to bother Google all the time.
The Proper way to authenticate with a backend server is retrofit use this lib this is very fast to fetch data or upload data on beckend server.
I'm developing an Android app and I'm a little confused regarding token and refresh token.
Basically now, after user login with mobile number and a code sent by SMS, the authentication server returns an access token that will be used for accessing to all apis. For the authentication server, I've used Laravel with jwt-auth library.
When the access token will expired I will ask a new one using the credential of user stored in the AccountManager.
Is it the correct way to implement this authentication?
Or I'm missing the refresh token, which I ask a new access token when this expired?
Thanks in advance,
Daniele
I think it's better to use both token and refresh token, so you don't always have to send your credentials when your access token is expired. Moreover it's not safe to store users credentials on a client device, you should store this informations on your server and ask the user to type it when needed.
Here how I implement the token/refresh token process :
1 : You send your credentials to your authentification server ( it will send you back an access token (I use the JSON web token type wich is not stored in database) and a refresh token ( that is stored in the database).
2 : When you make a request to your server you check if the access token is expired, if it is so, you make a request to your authentification server with the refresh token in paramter in order to have a new access token ( depending on the configuration of your server it could give you back whether a new access token , or a new pair of access token and refresh token which I prefer ).
3: If the refresh token is expired you make a request with your credentials to have a new pair of tokens.