I'm creating an Alexa Skill to control my Philips Hue lights. Everything works as expected, however the token expires after a couple of weeks and Alexa does not refresh the token. I am assuming this is because the Alexa skill setup only takes one URL which is supposed to be able to be used to both acquire a token and refresh a token, however the Hue API has two separate endpoints:
https://api.meethue.com/oauth2/token to get a token and https://api.meethue.com/oauth2/refresh to refresh.
Is there any way to get around this issue in the Alexa setup or with the Hue API?
I ended up writing a new lambda function which served as a reverse proxy to the Hue API. I would direct to the /token or /refresh endpoints based on the grant_type passed in the request body.
It would be nice if Hue resolved this discrepancy but this solution seems to work and I learned some things along the way 🎉
** If anyone needs the code for the above let me know. It's still in a private repo but I'm planning to open-source it soon.
Related
NOTE: I'm not sure if this is the best place to post this, so please let me know and I can move.
Currently, local development for an authorization module I am working on is quite painful. To get it running we are doing the following:
Make a postman request
Look in headers in location and grabbing a token
Using that token in our local url
The token expires quite quickly and whenever we reload the page or go to a new route we need to repeat the steps above. I'm reaching out to all for any resources in integrating postman in our React application to automate this. Any suggestions or tips would be greatly appreciated.
so, long story short, I'm working on my portfolio and I want to retrieve my LinkedIn recommendations from my profile, I googled but all I could find was about retrieving info from logged-in users using OAuth, is there a way to get a personal API key to retrieve my profile's info for everyone to see on my portfolio?
I don't think this is important but I'm using React.
I hope I made myself clear, I'd appreciate your help!
Well, when you do the 2-legged OAuth flow, you receive a response that includes an access_token that you can use to make api requests. Here is the documentation.
So in your react site, whenever you fail the request (which means your access token expired), you can just resend the request and get the new access token. This access token acts like an api key, and the 2-legged OAuth flow can be entirely automated without user intervention. These tokens have a 30 minute lifespan, so maybe you can just set an interval to fire every 30 minutes to refresh the token.
I would like to do social-login with LinkedIn. I am using the very convenient package react-social-login (see demo here : https://deepakaggarwal7.github.io/react-social-login/).
In the demo, and in my implementation, everything works fine, and I am able to retrieve the access-token and expiration-date.
Unfortunately, for LinkedIn, the access-token is instantly expired. You can even test it in the demo.
My question is: do you also retrieve expired access-token ? Is it related to some configuration in LinkedIn API (according to the documentation it expires after 60 days) ?
Many thanks for your help,
Nicolas
so im quite certain that you are talking to a V2 API from linkedin? if this is the case. then your access token is just fine.
the problem with linkedin's API is that a part of it (V2) is just for the partners of linkedin. you can become a partner by requesting it. but it will take you up to a month.
the V1 api is completely free to use after you authenticated a user.
if this is not the case, please provide more information about how you came to the conclussion that the authentication token you get is allways expired. because technically this isnt possible because the linkedin service generates one at the fly.
How are you?
Me..? Well, I'm having some trouble, haha!
I'm using a microservices API architecture on a project where the APIs and GatewayAPI is developed with Python's Pyramid framework, and the main frontend is built with React.
Simple workflow ilustration: https://imgur.com/ifRLLOo
The problem is: where do I safely store the authenticated "session data", like username, user_id, first_name? After logging in, I don't want to make new requests to the user's API just to get these information that will be constantly used.
I know I can store this coded data in the JWT token and store the token in the cookies or the localStorage, but is this the right place? And is this the right process?
If this is the right place, do I need, everytime, to send the decoded data to the frontend as part of the GatewayAPI response?
Thank you for the reading and I hope you guys can save me!
You can store the JWT in a cookie or localStorage it does not matter. I personally do so in localStorage.
Regarding your question about decoding the data, this is handled by the backend. All you need to do is include the JWT in every API call and the API will know which user is calling without the need to send the data back and fort.
I would also recommend you create tokens with an expiration date for added security.
For examples you can take a look at pyramid_jwt
I have an angularJS application whose authentication system is made with an access_token and communicating with a backend server written in Go
Therefore to authenticate the user, I have to add the access_token to each request ?access_token=SomeTokenHere or via a header Access-Token: SomeTokenHere
It works great.
The issue is that my backend serves protected images, and I cannot put the access token in the image src for some security reasons(If the user copy/paste the link to someone else, the access_token would be given too ...)
What I'd like to do is to inject a header containing my access token, but since the request is made from the browser it doesn't possible.
This could probably be possible with a cookie, but I'd to avoid using a cookie especially because the angularApp and the backend are not on the same sub-domain.
Another idea would be to create a directive that would get the raw data, and set the data to the image. First I don't know if this is possible and is it a good idea for hundreds of images in the webpage ?
If you have any idea, I'd be glad to hear from you !
Thanks
It is typical problem, and fortunately it was already solved - for example on Amazon S3.
Solution idea is simple: instead of directly using secret key - you can generate signature with access policy, using that key.
There is good algorithm designed especially to generate signatures for this purpose - HMAC
You can have one secret key on your server and use it to sign every image URL before it would be sent to client, also you can add some additional policies like url expiration time...