How to Stay Signed In in a Mobile App using Microsoft OAuth? - mobile

I am working on an app using NativeScript and am using Microsoft OAuth2 to authenticate the user, send emails and access SharePoint with it. My problem is that the authentication token I get expires after 1 hour, so the user has to log in again over and over. A temporary solution I am using is the refresh_token, which lasts longer (I believe 14 days by default and up to 90 days), but still that is not what I would like. My ideal solution would be an option to stay signed in, but it does not seem to exist at this moment.
I have read this page https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-token-session-sso and am not sure how to extend the lifetime of my token. If I can extend it at least for a year or six months, that would be great but I don't know how to do it.
My app is not registered in Azure but in apps.dev.microsoft.com and I have looked in the manifest but haven't found anything I could write to change the token type or its lifetime.

Related

Login_required error but only for some users

We are using Identity Server 4 in an aspnetcore server app with oidc-client.js lib in an angular client. There is a 15 minute token refresh. This is mostly working very well.
However, for a subset of users, when the refresh activity takes place there is a "login_required" response. I am assuming this is because the ID4 server thinks the session cookie has expired? However, the user had just logged in 15 minutes prior and the cookie should have a lifetime of 10 hours (ID4 default setting).
Does anyone have an idea of what may be causing this? Alternatively is there any logging setting I can use to get more debug info?
Thank you!
We tried various browsers and logins but the behaviour is consistent for these users.
Refresh token flow, so you may be using the code flow with Angular,
so you have one client also for Angular for login.
I faced this same issue because the same user logged in with multiple PCs, so when anyone logged out of his session all the same users also logged out in the code flow.

Silently re-authenticate Active Directory account

I'm looking for a way to silently verify that a user is still present in Active Directory after initially using AD to authenticate them.
My code for the user authentication looks like this:
var authenticateResult = await app.AcquireTokenAsync(settings.Scopes, username, UIBehavior.ForceLogin, "");
Where app is an instance of PublicClientApplication and username is a previously remembered username, if any, otherwise blank.
If this authentication succeeds, my app creates a persistent JWT token, stores it in local preferences, and uses that token for a long time (up to 60 days). If my app is closed and re-opened during that time, it re-uses the stored token and skips the AD authentication.
The problem I'm having is that my customer wants the app to check periodically (every hour or so) to ensure that the user's Active Directory access is still valid, and they want to do this without interrupting the user or presenting any UI. I tried using UIBehavior.NoPrompt, but that didn't work; I still got a prompt. I also tried using app.GetAccountAsync or GetAccountsAsync, since all I really need to do here is to ensure that the user's account still appears, but this doesn't work either (the calls return nothing).
I proposed to my customer that we simply lower the lifetime of the JWT token, but they don't want to do this. They want their users to be able to keep using the app for 60 days without logging in, unless they remove the user from AD during that time.
What's the best way to accomplish this?
The best way is to use a refresh token. By default, access tokens expire after 1 h. So it is recommended to force a refresh every 30 min, or half the lifetime of the AT when this is a custom lifetime. The default lifetime of a refresh token is 90 days, with a 14-day inactive sliding window.
So, if we want users to keep using the app for 60 days, then we need to stop fetching the refresh token on the 60th day.
If we want to check programmatically that the user is in AAD, then we can use MS Graph. Please go through the MS Graph documentation for more details.
The C# code snippet is below:
    // authProvider supplies the access token on each Graph request
    GraphServiceClient graphClient = new GraphServiceClient(authProvider);
    // list the directory's users; an account that no longer appears has been removed from AAD
    var users = await graphClient.Users
        .Request()
        .GetAsync();
An MS Graph sample where we can test the above snippet is here.
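The sign-in policy this answer describes (renew the access token at half its lifetime, stop renewing after 60 days, fall back to an interactive sign-in when the refresh is refused) is also what the question at the top of the page is after, so here it is as one added JavaScript example. It is not code from any post here, from MSAL or from NativeScript: the call to the provider's token endpoint (refreshFn) and the clock are injected stand-ins, so the whole thing runs offline, and the 60-day window and the constructed token values are assumptions.

```javascript
// Added example (not code from any post on this page): a refresh-token
// session policy for a public-client app that wants to keep the user signed
// in. Renew the access token once half of its lifetime is used, stop renewing
// after a fixed sign-in window (60 days here, an assumption), and fall back
// to interactive sign-in when the provider refuses the refresh. The token
// endpoint call (refreshFn) and the clock are injected so it runs offline.

const DAY_MS = 24 * 60 * 60 * 1000;

class TokenSession {
  // refreshFn(refreshToken) -> { access_token, expires_in, refresh_token? } or throws
  constructor(refreshFn, { maxSessionMs = 60 * DAY_MS, now = () => Date.now() } = {}) {
    this.refreshFn = refreshFn;
    this.maxSessionMs = maxSessionMs;
    this.now = now;
    this.state = null; // no session until startSession()
  }

  // Record the tokens returned by an interactive sign-in.
  startSession(tok) {
    const t = this.now();
    this.state = {
      signedInAt: t,
      accessToken: tok.access_token,
      lifetimeMs: tok.expires_in * 1000,
      expiresAt: t + tok.expires_in * 1000,
      refreshToken: tok.refresh_token,
    };
  }

  // After the window the user must sign in again, whatever the refresh
  // token's own lifetime is.
  sessionExpired() {
    return !this.state || this.now() - this.state.signedInAt >= this.maxSessionMs;
  }

  // Renew once the access token has used up half its lifetime.
  needsRefresh() {
    return this.state.expiresAt - this.now() <= this.state.lifetimeMs / 2;
  }

  // Returns { status: 'ok', accessToken } or { status: 'reauth', reason }.
  getAccessToken() {
    if (this.sessionExpired()) {
      this.state = null;
      return { status: 'reauth', reason: 'session_window_elapsed' };
    }
    if (!this.needsRefresh()) {
      return { status: 'ok', accessToken: this.state.accessToken };
    }
    try {
      const tok = this.refreshFn(this.state.refreshToken);
      const t = this.now();
      this.state.accessToken = tok.access_token;
      this.state.lifetimeMs = tok.expires_in * 1000;
      this.state.expiresAt = t + tok.expires_in * 1000;
      if (tok.refresh_token) this.state.refreshToken = tok.refresh_token; // rotated token
      return { status: 'ok', accessToken: tok.access_token };
    } catch (err) {
      // invalid_grant covers a revoked or expired refresh token and an account
      // removed from the directory: drop the session and prompt the user.
      this.state = null;
      return { status: 'reauth', reason: err.message };
    }
  }
}

// Constructed stand-ins so the example runs without a network.
function makeFakeClock(startMs = 0) {
  let t = startMs;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

function makeFakeTokenEndpoint() {
  let revoked = false;
  let n = 0;
  return {
    revoke: () => { revoked = true; },
    refresh: (rt) => {
      if (revoked || rt !== 'rt-demo') throw new Error('invalid_grant');
      n += 1;
      return { access_token: `at-${n}`, expires_in: 3600, refresh_token: 'rt-demo' };
    },
  };
}

// Walk the policy through one hour-long token lifetime, then a revocation.
function demo() {
  const clock = makeFakeClock();
  const endpoint = makeFakeTokenEndpoint();
  const session = new TokenSession(endpoint.refresh, { now: clock.now });
  session.startSession({ access_token: 'at-0', expires_in: 3600, refresh_token: 'rt-demo' });
  const trace = [];
  trace.push(session.getAccessToken().accessToken); // at-0, still fresh
  clock.advance(31 * 60 * 1000);
  trace.push(session.getAccessToken().accessToken); // at-1, renewed at half life
  endpoint.revoke();
  clock.advance(31 * 60 * 1000);
  trace.push(session.getAccessToken().status);      // reauth
  return trace; // ['at-0', 'at-1', 'reauth']
}
```

The refresh is attempted only from getAccessToken(), so the app never keeps a background timer alive just to renew tokens; the 60-day cutoff is enforced locally because the provider's own refresh-token lifetime (90 days with a 14-day sliding window, per the answer) is longer than the customer wants.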

Using Google Calendar API as a "Events Database"

For a calendar app, I want to sync users' calendars (events) to my database. For now, I need title, start, end, recurrence and reminders/alerts. I am thinking I will get this information from the app and store it in a database. To make things easy (implementing recurrence may be hard), I thought of using a hidden Google Calendar account on the server as a database.
Server will use a "hidden" Google Calendar account
App (iOS) will get calendar information from user's iCal via EventKit
Passes server this information which is saved to Google Calendar
So 1 user calendar becomes 1 hidden google calendar
But I think I might encounter some problems with API limits?
I might need to re-authenticate to refresh the access token? Is there a token I do not have to refresh?
Is the limit on the number of calendars I can have 10,000? What if I need more? Is it even possible? Or is it 10,000 for "a short period of time"?
Is this possible? Or is the only option a self-built system?
The quota for the Google Calendar API is 1,000,000 queries per day; if you go over that you can always request additional quota, and as far as I know it doesn't cost anything to extend your quota.
Once you have authentication to a user's Google Calendar account you will receive a refresh token. The refresh token can be used to gain a new access token whenever you need to access it. Refresh tokens don't expire unless a user removes your access.

Azure AD | Conflict when logged in with another Azure Account

I have an ASP.NET MVC application that uses Azure AD and OpenID Connect OWIN middleware to handle authentication. Everything works fine except for one thing: if a user is already logged in on another Microsoft application, let's say an Office 365 account or maybe a Live mail account, when trying to log in it receives a page saying that it is not allowed to log into my app, which is correct, but somehow I need to catch that situation in my code to allow the user to sign in with a different account. Is there a way of doing that? Is this by design? I mean: does the user have to be logged in with only one Live/Azure account at a time? I couldn't find any documentation about this.
As of today there is typically one user at a time, but we will soon support a way for you to select a specific user instead of automatically signing you in with the most recent one.
One way you can work around this today is by injecting the parameter "prompt=login" in your sign-in requests. You can do that in the RedirectToIdentityProvider notifications, similarly to what is shown in http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/ for domain_hint. This will cause the sign-in experience to always start with a fresh prompt even if the user is already signed in. The drawback is that you'll never get SSO this way. Hopefully our account switching feature will become available soon; keep an eye on http://blogs.technet.com/b/ad/ for announcements.

Use Oauth 2.0 in google app engine with java

I would like to use OAuth 2 for an application in Google App Engine with Java, but I don't find any good example of that use. I would be very thankful if somebody could help me please; it is somewhat frustrating not to find good examples. Thank you.
My 2c is avoid OAuth2 libraries. Of course opinions may vary, but for me they provide very leaky abstractions, so you end up being dragged into understanding OAuth by the back door. For me at least, taking an hour to read the two pages that tell you all you need to know, and carefully avoiding all the others, will get you where you want to be.
In simple terms, the steps are :-
Call the auth URL with your app/client ID and the scopes you require. Include the "email" scope.
Google will walk the user through login, and (if the first time through) authorisation dialogues
Eventually the browser will redirect back to your oauthcallback url, and pass you an auth code
Call google to convert the auth code to a refresh token. This will also return the user's google ID and an access token.
Store the user ID in your session so you can identify the user subsequently
Persist the refresh token alongside the google user id in a database
On subsequent visits...
If you have the google user id in the your session, you can retrieve the refresh token from your database and use it to generate access tokens as you need them.
If you do NOT have the google user id in your session, go through the steps above. This time, google will NOT prompt the user for authorisation (since it's already authorised), and the refresh token will be blank (since you already have one stored).
Everything you need to know is within the oauth playground page. If you click through the buttons, you will see that it is following the steps I outlined above.
You then need to deal with the possible error situations, eg
user declines permission
user withdraws permission
google expired the refresh token (happens a lot) so you need to re-auth
timeouts
The two pages you need to read are :-
https://developers.google.com/accounts/docs/OAuth2WebServer and the oauth playground at https://developers.google.com/oauthplayground/
Trust me, as long as you know how to form a URL, store a refresh token (it's just a string) and parse a JSON response, then everything you need is on those pages. Except ...
all the documentation skips over the need to preserve the user ID in your session so you know who it is that is accessing your app. If you're on AppEngine, you may be confused by the appengine sample code which uses a separate appengine login. Ignore it. You will be using oauth to authenticate the user so the appengine stuff doesn't apply and is somewhat confusing.
It's actually much simpler than some of the documentation would lead you to believe, and like I said, imho the leaky libraries don't help.
I'm trying to do exactly the same thing and I agree - it is extremely hard to find a good example of this.
I did find this YouTube video, however, and I think it would help: https://www.youtube.com/watch?v=tVIIgcIqoPw.
It's from Google and it is called Getting Started with Google APIs. The last segment of the video deals with authentication.
There are several OAuth 2 client and server libraries for Java listed on this page: http://oauth.net/2/
Here's quick-start documentation for using Apache Oltu: https://cwiki.apache.org/confluence/display/OLTU/OAuth+2.0+Client+Quickstart
If you're accessing a Google API (as a client), you can use the Google client library for Java, which does OAuth as well as API set-up: https://code.google.com/p/google-api-java-client/