OAuth2 and Google API: access token expiration time?

You shouldn’t design your application based on specific lifetimes of access tokens. Just assume they are (very) short lived. However, after a successful completion of the OAuth2 installed application flow, you will get back a refresh token. This refresh token never expires, and you can use it to exchange it for an access token as … Read more

Registering Web API 2 external logins from multiple API clients with OWIN Identity

Update: things have changed since I wrote this post in January: MSFT released their official OpenID connect client middleware and I worked hard with @manfredsteyer to adapt the OAuth2 authorization server built in Katana to OpenID connect. This combination results in a far easier and far more powerful solution that doesn’t require any custom client … Read more

HTTPError 403 (Forbidden) with Django and python-social-auth connecting to Google with OAuth2

This answer is outdated as the Google+ API is being deprecated on 3/7/19. You need to add the Google+ API to the list of enabled APIs on the Google Developer Console (under APIs). Note: If you want to see the real error message, use the traceback to look at the content of the response variable … Read more

How to add custom claims to access token in IdentityServer4? [closed]

You should implement your own ProfileService. Have a look at this post, which I followed when I implemented the same: Extending Identity in IdentityServer4 to manage users in ASP.NET Core. Here is an example of my own implementation: public class ProfileService : IProfileService { protected UserManager<ApplicationUser> _userManager; public ProfileService(UserManager<ApplicationUser> userManager) { _userManager = userManager; } public … Read more

How to keep the client credentials confidential, while using OAuth2’s Resource Owner Password Credentials grant type

I’m facing similar issues, and am also relatively new to OAuth. I’ve implemented “Resource Owner Password Credentials” in our API for our official mobile app to use — the web flows just seem like they’d be so horrible to use on a mobile platform, and once the user installs an app and trusts that it’s … Read more

Facebook OAuth: custom callback_uri parameters

I figured out the answer; rather than adding additional parameters to the redirect URL, you can add a state parameter to the request to https://www.facebook.com/dialog/oauth:

    https://www.facebook.com/dialog/oauth
        ?client_id=MY_CLIENT_ID
        &scope=MY_SCOPE
        &redirect_uri=http%3A%2F%2Fwww.mysite.com%2Foauth_callback%3Ffoo%3Dbar
        &state=6234

That state parameter is then passed to the callback URL.

How to identify if the OAuth token has expired?

Here’s information on OAuth 2.0 token refresh.

Expires In Definition

The OAuth 2.0 standard, RFC 6749, defines the expires_in field as the number of seconds to expiration:

    expires_in: RECOMMENDED. The lifetime in seconds of the access token. For example, the value “3600” denotes that the access token will expire in one hour from the time … Read more
