I am trying to refresh the access token using the refresh token:
curl https://login.salesforce.com/services/oauth2/token -d "grant_type=refresh_token&client_id=3MVG9pHRjzOBdkd.WU9DLyfznP.sjOJRXXX_00nLDYSpM_0K7zAOsLrRKf6IWmCv6MxeTorXL7Zzaaea8IXXX&client_secret=3231123171523457&refresh_token=5Aep861VUUSqKxtr91VaZ7Zh54RmFqHE6zD4htOq6vY9edPgkgm9ZeFPwHIzQQvR__XypcEvWnXXX==&format=json"
But I keep getting the error "error_description":"expired access/refresh token"
Anyone have any idea?
I know this is old, but for people that may stumble on this.
I believe this issue is that you can only have 5 access grants per applications. After this it starts revoking refresh tokens from the oldest one. More info here:
Manage OAuth Access for Your Connected Apps
invalid_grant —expired access/refresh token | Issue #80
You have the correct syntax for using a refresh token. Make sure all of your parameters are URL encoded, since in your example your refresh token has = instead of %3D.
You can also delete the user's refresh token by going to that user's User Detail page inside of setup and revoking the "Remote Access" near the bottom. Then obtain a new refresh token by going through the oauth flow again and try it in the curl command.
Related
I have a single-sign-on scenario with Microsoft Teams. See full description in the documentation: https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso
I am getting an access token by "trading" the "teams" token for an access token.
My question is, how do I refresh this access token? In single-sign-on scenario the "refrehs_token" is not returned (?), so normal OAuth2 refresh flow does not seem to be possible.
Imagine I traded it once, and got the access token that expires in say 2 hours. I use it to access graph API (or whatever), and then the token expires.
What should I do to get a new access token? Can I just ask Teams for a fresh "teams" token and trade it again in case the old one expired? Teams App takes care of refreshing its own tokens, right? When should I do this (when I get "access denied", or just if I see that the token has expired?
Looks like I found the reason - you must pass offline_access as scope request then you get back the refresh_token. That was my issue actually, and it is documented, I just did not read carefully:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
refresh_token The refresh token for the requested access token. The calling service can use this token to request another access token after the current access token expires. The refresh token is only provided if the offline_access scope was requested.
I am trying to acquire token by aquiretokensilent after login and then have to do authorization in multiple modules.As documentation of MSAL-browser acquiretokensilent will automatically take care of refresh token.In network tab also i am able to see refresh token.But how to use it, does it automatically replace access token or do i need to do something extra and how i can see that refresh token in the console converting to access token after expiry of access token.I have read lot of documents but not got clearity how to use it.
A refresh token is used for renewing an access token or request access tokens with other scopes.
This official doc indicated that how a refresh token renews/requests a new access token and a new refresh token at the base layer.
And yes, you should call aquiretokensilent before API call, if the access token exists and it is not expired, this function will reply the access token to you from local cache directly, if not, it will request a new access token by refresh token from Azure AD.
For details, see this doc.
I had an issue regarding the logout . Once i am done with my logout and it's not popping me agin to enter the user name and password , why is it so ?
ttps://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2-vanilla
https://github.com/sharmaritesh/spring-angularjs-oauth2-sample
is it not the expected behaviour ? If so please suggest me what to do when i want to do the complete logout that means we have to delete refresh tokens as well i guess. the reason of not asking the username and password in my perspective , It's refresh token is valid and once i click teh login button it directly redirects me to the greeting page with generating the new access token with the help of refresh token.
But i would like to do the complete log out i.e, once the use clicks the logout and user should be able to enter his credentials to get the new refresh token and access token irrespective of the old refresh token expiration.
I really appreciate your help..!!!!
Thanks
Prince
I would suggest posting all of the relevant HTTP traffic flow between client (browser) and server, both the redirects and "back end" traffic.
So, basically take the approach of knowing little about the actual implementation of the client and server, and just focus on the OAuth2 authorization code flow, its a protocol after all. Without this we'll be stabbing in the dark.
In terms of an answer, as a guess the client application may be passing a cookie to the authorization server and your just not seeing it. This is exactly what happened to me with Spring Boot and WSO2 IS 5.1.0
It seems there is a problem in pulling the Page insights data I'm admin of using my App access token.
I have been able to fetch my user and post related data but I'm geeting an 'OAuth Exception' (Invalid query) when I try to find my page insights.
The same query works wonderfully when I try accessing insights using the 'User Access Token' generated by Graph API.
As I want to generate an extended token and then pullung page-insights, that's why I'm try accessing data using App Access token.
Please let me know what's wrong.
Page insights simply aren't supposed to work with the app access token; you need to use a page access token, or a user access token from a page admin that has granted permission.
Go get yourself an extended page access token, as described here: https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension
Those do not have a default expiry. (Although they may become invalid for other reasons, f.e. if the password of the user account that was used to request it gets changed.)
I was working in my sandbox environment trying to figure out the Chatter API calls - I had saved my refresh token during my testing but it was lost sometime later.
Now when I try to hit the API I am receiving the following error:
"expired access/refresh token"
How do I get around this now? I do not have a refresh token so i cannot make a request to refresh my token, and i'm not sure how to expire / delete / revoke it via the UI so that I can proceed with my testing.
my cUrl call is as follows:
curl
--form client_id=3MVG92.u...2KycWe
--form client_secret=668...930
--form grant_type=password
--form username=mike....com
--form password=*#()#*#$#
--proxy 127.0.0.1:3128 --insecure
https://test.salesforce.com/services/oauth2/token
Things I have tried:
Reset my password
Delete remote access and create a new one with new client_id / secret
Reset my security token
Does anyone know how to expire the token or get a new refresh token via the API or UI in salesforce?
To revoke access from the UI, click on the following in the menu at the top right of Salesforce:
Your Name | Setup | My Personal Information | Personal Information and clicking Deny
More info here:
https://na12.salesforce.com/help/doc/en/remoteaccess_about.htm
What scope are you using? If you specify a scope (like 'api'), you'll need to explicitly request a refresh token by also specifying 'refresh token' in your scope (space delimited). More info on scopes here:
https://na12.salesforce.com/help/doc/en/remoteaccess_oauth_scopes.htm
Unlike Google, Salesforce will provide the refresh token multiple times, regardless of whether the user has just approved the app or not.
I've been playing around with this using Google's OAuth playground. You can click the gear at the top right and specify the values for Salesforce's services.
Authorization endpoint: https://login.salesforce.com/services/oauth2/authorize
Token endpoint: https://login.salesforce.com/services/oauth2/token
Client ID/secret: from Salesforce's 'consumer' key/secret info in the Remote access Config
You'll need to use 'https://code.google.com/oauthplayground/' as your callback URL in your app configuration.
This can be done in your account under:
My Settings | Select Personal | Advanced User Details | OAuth Connected Apps
Exact steps at salesforce can be found here