Linkedin OAuth2: access-token is instantly expired - reactjs

I would like to do social login with LinkedIn. I am using the very convenient package react-social-login (see the demo here: https://deepakaggarwal7.github.io/react-social-login/).
In the demo, and in my implementation, everything works fine, and I am able to retrieve the access-token and expiration-date.
Unfortunately, for LinkedIn, the access-token is instantly expired. You can even test it in the demo.
My question is: do you also retrieve an expired access-token? Is it related to some configuration in the LinkedIn API (according to the documentation it expires after 60 days)?
Many thanks for your help,
Nicolas

So I'm quite certain that you are talking to a V2 API from LinkedIn? If this is the case, then your access token is just fine.
The problem with LinkedIn's API is that a part of it (V2) is just for the partners of LinkedIn. You can become a partner by requesting it, but it will take you up to a month.
The V1 API is completely free to use after you authenticated a user.
If this is not the case, please provide more information about how you came to the conclusion that the authentication token you get is always expired, because technically this isn't possible because the LinkedIn service generates one on the fly.

Related

Bearer Token validation in Azure AD

I'm trying to validate a token (just using Postman); the final solution would be written in Java (Spring). The problem is I don't find the exact URL to validate the token against AAD.
I found this helpful article: https://learn.microsoft.com/en-us/answers/questions/884100/azure-ad-access-token-validation.html
And in that article they said to validate the token against this URL: https://login.microsoftonline.com/<<<tenant_id>>>/v2.0/
The problem is I got 404 when I hit that URL.
I also got a "200 OK" status when I hit this URL https://login.microsoftonline.com/<<<tenant_id>>>/oauth2/v2.0/authorize no matter what I put in the token!! Which is strange!
This link works for me: https://login.microsoftonline.com/<<<tenant_id>>>/discovery/v2.0/keys - and I get back a very descriptive JSON, but I am still stuck.
Could you please provide me the URL which would give me 200 OK when I have a valid token, and also give me a bad/invalid response when I have a wrong token?
I found some sample Postman requests here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc?WT.mc_id=AZ-MVP-5003203
I got the same behavior with them.
Thank you.
There is no introspection endpoint listed in https://login.microsoftonline.com/common/.well-known/openid-configuration
This authorization-server obviously supports JWTs only. To validate access-tokens, you'll have to configure a JWT decoder/validator in your Java app.
With Spring, this is done by configuring a JWT resource-server. Sample in this article. Skip the part about Keycloak and use
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://login.microsoftonline.com/common in properties
Not sure this authorization-server provides user roles or groups or whatever claim to map Spring authorities from (try to submit an access-token to https://jwt.io to see if you have a claim like that).

Can I show my LinkedIn profile information using their API?

So, long story short, I'm working on my portfolio and I want to retrieve my LinkedIn recommendations from my profile. I googled, but all I could find was about retrieving info from logged-in users using OAuth. Is there a way to get a personal API key to retrieve my profile's info for everyone to see on my portfolio?
I don't think this is important but I'm using React.
I hope I made myself clear, I'd appreciate your help!
Well, when you do the 2-legged OAuth flow, you receive a response that includes an access_token that you can use to make API requests. Here is the documentation.
So in your react site, whenever you fail the request (which means your access token expired), you can just resend the request and get the new access token. This access token acts like an api key, and the 2-legged OAuth flow can be entirely automated without user intervention. These tokens have a 30 minute lifespan, so maybe you can just set an interval to fire every 30 minutes to refresh the token.

Creating a draft via gmail api results with invalid_grant error - proper scopes are provided

I'm getting invalid_grant error when creating a draft.
Scopes I requested:
https://www.googleapis.com/auth/gmail.modify
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/contacts.readonly
https://www.google.com/m8/feeds/
https://mail.google.com/
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/calendar
I use the Python library to interact with the Gmail API (
The main problem is that this sometimes works as expected, sometimes it doesn't work and I don't know why.
My code looks like the one from the example here: https://developers.google.com/gmail/api/v1/reference/users/drafts/create
Based on this thread, the possible problems that cause invalid_grant errors are if your server's clock is out of sync with NTP and/or you've exceeded the refresh token limit. This page also suggests making sure that you specify access_type=offline in your request.
Here's a related SO post with a checklist of potential causes for the problem:
Server clock/time is out of sync
Not authorized for offline access
Throttled by Google
Using expired refresh tokens
User has been inactive for 6 months
Use service worker email instead of client ID
Too many access tokens in short time
Client SDK might be outdated
Incorrect/incomplete refresh token
User has actively revoked access to our app
User has reset/recovered their Google password
Hope this helps!

Restricting API Calls to a Certain Domain

My app uses the JS Facebook API to use Facebook as a login/pass. Here is what happens when you try to log in.
User clicks on the Facebook Login Button
Facebook Authenticates
If success, I grab the Facebook ID and Name of the user
Call my REST API on my app to check and see if that FBID is registered in my system.
If Registered, I write the session to verify that the user is authenticated.
This is great since I don't have to store usernames and passwords. But I am worried that someone will just use a REST API debugger like Postman in Chrome and just send a Facebook ID and the name of the user and they will be authenticated.
My question is what is the best way to secure my end that will prevent apps like POSTMAN to just input the fields needed to authenticate? Am I missing something? Can anyone recommend a strategy for this?
Or is using a CSRF token the only way to combat this? I am using FuelPHP as a backend and doing a single page app using AngularJS with ngRoutes. But every time I enabled the CSRF on Fuel, the token passed does not match what it was in the back-end.
I am under the impression that this is due to the JavaScript token function being in the main page, where the ng-view is. I know this might have something to do with ngRoutes.
http://fuelphp.com/docs/classes/security.html
Use Fuel's Auth package. It has Opauth integration which does all the above, and for an entire list of social media platforms, not only Facebook.
Always try not to reinvent the wheel; assume someone else has had the same challenge, solved it, and shared the solution with the community.
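An added illustration of the server-side check that closes the hole the question describes (this is not FuelPHP or Opauth code): the backend never trusts the FBID and name the browser posts; it asks Facebook whether the user's access token is genuine, using the Graph API debug_token call with an app access token of the form app_id|app_secret, and only then looks the user up. The sample responses are constructed in the shape Graph returns; the app id, user id and timestamps are made up.

```javascript
// Build the server-side Graph API request that inspects a user access token:
//   GET https://graph.facebook.com/debug_token?input_token=<user token>&access_token=<app token>
// The app token embeds the app secret, so this URL is only ever built on the server.
function debugTokenUrl(userToken, appId, appSecret) {
  const q = new URLSearchParams({ input_token: userToken, access_token: `${appId}|${appSecret}` });
  return `https://graph.facebook.com/debug_token?${q.toString()}`;
}

// Decide from the parsed debug_token JSON whether to open a session for claimedUserId.
// Returns { ok: true, userId } or { ok: false, reason }.
function verifyFacebookLogin(debugJson, expectedAppId, claimedUserId, nowSeconds = Math.floor(Date.now() / 1000)) {
  const d = debugJson && debugJson.data;
  if (!d) return { ok: false, reason: 'malformed debug_token response' };
  if (d.error) return { ok: false, reason: `graph error: ${d.error.message}` };
  if (d.is_valid !== true) return { ok: false, reason: 'token is not valid' };
  // A genuine token issued for some other Facebook app must not log anyone in here.
  if (String(d.app_id) !== String(expectedAppId)) return { ok: false, reason: 'token issued for another app' };
  // The user id comes from Facebook's answer, not from the request body the client controls.
  if (String(d.user_id) !== String(claimedUserId)) return { ok: false, reason: 'token belongs to a different user' };
  // expires_at is a Unix timestamp; Graph reports 0 for tokens with no expiry.
  if (typeof d.expires_at === 'number' && d.expires_at > 0 && d.expires_at <= nowSeconds) {
    return { ok: false, reason: 'token expired' };
  }
  return { ok: true, userId: String(d.user_id) };
}

// Constructed sample responses (not captured from Facebook): one valid token, one rejected token.
const SAMPLE_VALID = {
  data: { app_id: '1234567890', type: 'USER', application: 'Example App', expires_at: 1700003600,
          is_valid: true, issued_at: 1699998000, scopes: ['public_profile', 'email'], user_id: '100001' },
};
const SAMPLE_INVALID = {
  data: { error: { code: 190, message: 'Invalid OAuth access token.' }, is_valid: false, scopes: [] },
};
```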

Can you force a refresh token to expire in Salesforce?

I have an application that uses Salesforce services using a Remote Access Application. This is working fine so far.
However, my understanding is that even a refresh token will eventually expire, and I believe will return the following as part of a 404 (?):
"error_description":"expired access/refresh token"
My question is this: What is the best practice to test this scenario? I obviously know that the normal refresh token flow is working fine, but how do I appropriately test the negative result?
You can log in to the web interface and go to Setup -> My Personal Information. One of the related lists on this page is called Remote Access; here you can see what refresh tokens have been issued, and revoke any of them.
Go to Setup and search for the apps
-> Go to Connected Apps under Managed Apps
-> Select your app; there you can see the edit policies
-> Click on Edit Policies -> check the refresh token policies under OAuth Policies