Refresh Token Expiring in 1 hour

Comments

9 comments

  • tony-at-box

    Hi Dilip,

     

    Thanks for reaching out!

     

    From your message, it looks like you're able to generate your tokens and you're interested in how the lifetime of a refresh token works. 

     

    Box's refresh tokens are valid for a single refresh, for up to 60 days. What this means is that you can only use your refresh token one time before it expires [since a refresh generates both an access and refresh token, and only one of each can be active at a time], and that can be anywhere between the time of generation and 60 days later. An example of this follows:

     

    At initial OAuth Authorization, you generate AT1 [Access Token 1] and RT1 [Refresh Token 1].

    • AT1 is valid for up to 60 minutes, minute 0-60. RT1 is valid for up to 60 days, starting at minute 0.
    • [Theoretically] At minute 45, RT1 is used to refresh access. AT2 & RT2 are generated, invalidating AT1 & RT1.
    • AT2 is valid for up to 60 minutes, minute 45-105. RT2 is valid for up to 60 days, starting at minute 45.
    • At minute 120 [after AT2 is expired], RT2 is used to refresh access. AT3 & RT3 are generated, invalidating AT2 & RT2.
    • AT3 is again valid for up to 60 minutes, minute 120-180. RT3 is valid for up to 60 days, starting at minute 120.
    • RT3 isn't used until day 45 to refresh access. AT4 & RT4 are generated, invalidating AT3 & RT3. AT4 is valid for 60 minutes. RT4 is valid from day 45-105.

     

     

    Hopefully that makes sense!

     

    Thanks!

    -Tony

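The timeline in Tony's reply, replayed against a small simulated token endpoint. This is an added example, not Box's code and not anything posted in the thread: the server model (one live AT/RT pair, a 60-minute access token, a 60-day refresh token measured from issuance, each refresh invalidating the pair it came from) follows the reply above; answering a replayed or stale refresh token with the `invalid_grant` / "Refresh token has expired" body quoted later in this thread is the simulation's own assumption.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

MINUTE = 60
HOUR = 60 * MINUTE
DAY = 24 * HOUR
AT_LIFETIME = HOUR          # access token: up to 60 minutes
RT_LIFETIME = 60 * DAY      # refresh token: up to 60 days from issuance


class InvalidGrant(Exception):
    """Stands for the endpoint's {"error": "invalid_grant", ...} reply."""


@dataclass
class Grant:
    access_token: str
    refresh_token: str
    issued_at: int          # seconds on the simulated clock


@dataclass
class MockBoxAuthServer:
    """Constructed model of the token endpoint; only one AT/RT pair is live."""
    now: int = 0
    live: Optional[Grant] = None

    def _issue(self) -> Grant:
        # Issuing a new pair is what invalidates the previous one.
        self.live = Grant(secrets.token_hex(8), secrets.token_hex(8), self.now)
        return self.live

    def authorize(self) -> Grant:
        """Initial OAuth authorization: AT1 and RT1."""
        return self._issue()

    def refresh(self, refresh_token: str) -> Grant:
        """grant_type=refresh_token; rejects a consumed or >60-day-old RT."""
        if self.live is None or refresh_token != self.live.refresh_token:
            # assumption: a replayed RT gets the same body as a stale one
            raise InvalidGrant("Refresh token has expired")
        if self.now - self.live.issued_at > RT_LIFETIME:
            raise InvalidGrant("Refresh token has expired")
        return self._issue()

    def access_ok(self, access_token: str) -> bool:
        """True while the AT is the live one and younger than 60 minutes."""
        return (self.live is not None
                and access_token == self.live.access_token
                and self.now - self.live.issued_at <= AT_LIFETIME)


def tony_timeline() -> dict:
    """Replay the minute 0 / 45 / 120 / day 45 schedule from the reply above."""
    srv = MockBoxAuthServer()
    g1 = srv.authorize()                  # minute 0: AT1, RT1
    srv.now = 45 * MINUTE
    g2 = srv.refresh(g1.refresh_token)    # AT2, RT2; AT1 and RT1 are now dead
    at1_after = srv.access_ok(g1.access_token)
    try:
        srv.refresh(g1.refresh_token)     # replaying RT1 is refused
        rt1_reuse = None
    except InvalidGrant as e:
        rt1_reuse = str(e)
    srv.now = 120 * MINUTE                # AT2 ran out at minute 105
    at2_expired = not srv.access_ok(g2.access_token)
    g3 = srv.refresh(g2.refresh_token)    # RT2 is unused and < 60 days old: fine
    srv.now = 45 * DAY
    g4 = srv.refresh(g3.refresh_token)    # RT3 first used on day 45: fine
    srv.now = 45 * DAY + 61 * DAY         # RT4 left unused for 61 days
    try:
        srv.refresh(g4.refresh_token)
        rt4_stale = None
    except InvalidGrant as e:
        rt4_stale = str(e)
    return {"at1_after_refresh": at1_after, "rt1_reuse": rt1_reuse,
            "at2_expired_at_120": at2_expired, "rt4_after_60_days": rt4_stale}


if __name__ == "__main__":
    print(tony_timeline())
```

The two `InvalidGrant` paths are the ones that matter in practice: the second is the genuine 60-day expiry, the first is what a client sees when it refreshes with a token that a previous (possibly lost or unsaved) refresh already consumed.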
  • fargs

    Hi, I am struggling with this process. I have an ASP.NET MVC internal web application where users log in using their domain credentials. The web application has buttons that create folders in specific locations using specific naming conventions. The folders are all owned by an admin Box account which acts as a service account. The service account completes actions on the users' behalf. The authentication should be very simple: I need one token for that admin account that does not expire. I would store this token securely, so I am not sure what the security concerns are. JWTAuth seems to be the solution I want, but I can't "AsUser" or UserClient with standard users. I'm not sure why that design decision was made.

     

    Currently, I am trying to work with all these changing tokens. Where is the best place to persist them? Every time they change, I need to make sure they are updated, which is turning out to be very difficult. I feel like it should be much easier than this, which makes me feel like I am missing something.

     

    Any help would be greatly appreciated. 

  • raghava56

    Hi,

    I am struggling with this process too, but I am using the API directly.

    After 1 hour my access token has expired, so I made a request to the server through the API using the refresh token, i.e.:

    Request:

    POST https://api.box.com/oauth2/token

    Params:

    1) grant_type
    2) client_id
    3) client_secret
    4) refresh_token

    Result:

    {
    "error": "invalid_grant",
    "error_description": "Refresh token has expired"
    }

     

    Please help me overcome this problem.

     

    Thanks,

    Raghava

  • Bibek

    Hi,

    Like Tony mentioned, refresh tokens only expire if they are not used for 60 days, or if you used the wrong refresh token, one that has already been invalidated.

    You need to STORE the tokens for persistent use. Store them anywhere: a text file, an XML file, or better the registry or keychain. Even better, use some encryption package to encrypt and decrypt them while reading.

     

    OAuth2 is designed that way so that it is hard for hackers to hack!! So, it is difficult at first, but once you are done with it, you are good forever.

     

    The point is: if you ask for a new access token using the current refresh token, then the resulting tokens (new AT and RT) must be saved. Once done, the old AT and RT are useless. Is this so hard to grasp?

     

    Thankfully the SDK does it automatically, so you just need to worry about saving and reading them. You don't need to worry about refreshing the token and all the underlying ops that happen. Thanks to the SDK.

     

    thanks, 

    Bibek

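fargs asks above where to persist the changing tokens, and Bibek's point is that the new AT/RT pair must be saved before the old one is discarded. Below is an added example (not from the thread, not the Box SDK, and in Python rather than the .NET used in this discussion) of a token store that does this: it refreshes only when the access token is about to expire, takes a lock and re-reads the file before refreshing so that concurrent callers don't spend the single-use refresh token twice, and writes the new pair to disk atomically before handing the access token out. `stub_refresh` is a constructed stand-in for the token endpoint; `SKEW`, the JSON file layout and the `expires_at` field are the example's own choices.

```python
import json
import os
import tempfile
import threading
import time
from typing import Callable, Dict, Optional, Tuple

Tokens = Dict[str, object]
RefreshFn = Callable[[str], Tokens]   # refresh_token -> token endpoint JSON
SKEW = 60                              # refresh this many seconds before expiry


class InvalidGrant(Exception):
    """The endpoint's {"error": "invalid_grant", ...} reply."""


class TokenStore:
    """Holds the current AT/RT pair in a JSON file and rotates it on demand."""

    def __init__(self, path: str, refresh_fn: RefreshFn) -> None:
        self.path = path
        self.refresh_fn = refresh_fn
        self._lock = threading.Lock()   # one refresh at a time per process

    def load(self) -> Tokens:
        with open(self.path) as f:
            return json.load(f)

    def save(self, tokens: Tokens) -> None:
        # Write a temp file in the same directory, fsync, then rename over the
        # old file: a reader sees the old pair or the whole new pair, never a
        # half-written one, and a crash mid-write cannot lose both.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tokens-")
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def access_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        tokens = self.load()
        if now < tokens["expires_at"] - SKEW:
            return tokens["access_token"]
        with self._lock:
            tokens = self.load()           # another thread may have refreshed
            if now < tokens["expires_at"] - SKEW:
                return tokens["access_token"]
            new = self.refresh_fn(tokens["refresh_token"])
            new["expires_at"] = now + new["expires_in"]
            self.save(new)                 # persist before handing the AT out
            return new["access_token"]


def make_stub_refresh() -> Tuple[RefreshFn, dict]:
    """Constructed stand-in for POST https://api.box.com/oauth2/token: each call
    issues at{n}/rt{n} and accepts only the most recently issued refresh token."""
    state = {"live_rt": "rt1", "n": 1, "calls": 0}

    def refresh(refresh_token: str) -> Tokens:
        state["calls"] += 1
        if refresh_token != state["live_rt"]:
            raise InvalidGrant("Refresh token has expired")
        state["n"] += 1
        state["live_rt"] = "rt%d" % state["n"]
        return {"access_token": "at%d" % state["n"],
                "refresh_token": state["live_rt"], "expires_in": 3600}

    return refresh, state


def demo(path: Optional[str] = None, workers: int = 8) -> dict:
    """Several threads hit an expired AT at once; exactly one refresh happens."""
    path = path or os.path.join(tempfile.mkdtemp(), "box_tokens.json")
    refresh, state = make_stub_refresh()
    store = TokenStore(path, refresh)
    # seed with the pair from the initial authorization, already expired
    store.save({"access_token": "at1", "refresh_token": "rt1", "expires_at": 0})
    now = 1_000_000.0
    got = []
    threads = [threading.Thread(target=lambda: got.append(store.access_token(now)))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"refresh_calls": state["calls"], "tokens": sorted(set(got)),
            "handed_out": len(got), "refresh_token_on_disk": store.load()["refresh_token"]}


if __name__ == "__main__":
    print(demo())
```

Without the lock and the re-read, every waiting thread would post the same `rt1`; the first would succeed and the rest would get the `invalid_grant` reply quoted in this thread. Across processes or hosts the same rule applies, with the lock replaced by whatever the shared store offers (a row lock, a compare-and-swap on the stored pair).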
  • raghava56

    Hi Bibek,

     

    First of all, thanks for your response.

    After 1 hour I try to get a new AT and new RT using the old RT, and only then do I get this JSON response:
    Result:

    {
    "error": "invalid_grant",
    "error_description": "Refresh token has expired"
    }

     

    Please explain the difference between https://api.box.com/oauth2/token and https://www.box.com/api/oauth2/token.

    Is there any difference between them?

     

    Thanks,

    Raghava

     

  • raghava56

    Hi Bibek,

     

    I am storing both the AT and the RT. My application sends calls to the server continuously; after 1 hour the AT expires, then I make a call to the server using the RT, and the response I get is this:

    {
    "error": "invalid_grant",
    "error_description": "Refresh token has expired"
    }

     

    Could you please explain what I should do to get a fresh AT and continue my activity?

     

    Thanks

  • Bibek

    Hi,

     

    Could you send me the whole request that you are using while refreshing the token? Please include the headers, URL, etc.

     

    thanks,

    Bibek

  • raghava56

    Hi Bibek,

     

    Thanks for your response.

    My request is:

     

    using System;
    using System.IO;
    using System.Net;
    using System.Text;

    // Form-encode each value so a '+', '/', '=' or '&' inside a token or the
    // client secret is not read as a delimiter by the token endpoint.
    var body = string.Format(
        "grant_type=refresh_token&refresh_token={0}&client_id={1}&client_secret={2}",
        Uri.EscapeDataString(RefreshToken),
        Uri.EscapeDataString(ClientId),
        Uri.EscapeDataString(ClientSecret));
    var data = Encoding.ASCII.GetBytes(body);

    var request = (HttpWebRequest)WebRequest.Create("https://api.box.com/oauth2/token");
    request.Method = "POST";
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = data.Length;

    using (var stream = request.GetRequestStream())
    {
        stream.Write(data, 0, data.Length);
    }

    // A 400 invalid_grant reply makes GetResponse() throw a WebException;
    // the error JSON is readable from ((WebException)ex).Response.
    using (var response = (HttpWebResponse)request.GetResponse())
    using (var responseStream = response.GetResponseStream())
    using (var streamReader = new StreamReader(responseStream))
    {
        return streamReader.ReadToEnd();
    }

     

    Thanks,

    Raghava

  • Bibek

    Hi Raghava,

    It's been a while since I last used vanilla code to manage authentication. I use the Box .NET SDK to manage that automatically.

    But here is the code that I used to use:

     

    using System;
    using System.IO;
    using System.Net;
    using System.Runtime.Serialization;
    using System.Runtime.Serialization.Json;
    using System.Text;
    using System.Web;

    // Shape of the token endpoint's JSON reply, as read by DataContractJsonSerializer.
    [DataContract]
    public class AdmAccessToken
    {
        [DataMember] public string access_token;
        [DataMember] public int expires_in;
        [DataMember] public string refresh_token;
        [DataMember] public string token_type;
    }

    #region variables
     public static readonly string BoxUri = "https://www.box.com/api/oauth2/token";
     private readonly string client_id = "";
     private readonly string client_secret = "";
     public static string redirectURL = "";
     private string request;
     private string code;
     public static bool logged_in = false;
     private static HttpCookie _cookie;
     private static AdmAccessToken admToken;
    #endregion variables

     

    public AdmAuthentication(string refreshtoken)
    {
       string refresh_token = refreshtoken;
       // URL-encode every value: the body is application/x-www-form-urlencoded.
       this.request = string.Format("grant_type=refresh_token&refresh_token={0}&client_id={1}&client_secret={2}",
          WebUtility.UrlEncode(refresh_token), WebUtility.UrlEncode(client_id), WebUtility.UrlEncode(client_secret));
    }

    public AdmAccessToken GetAccessToken()
    {
         return HttpPost(BoxUri, this.request);
    }

    private AdmAccessToken HttpPost(string uri, string requestDetail)
    {
       WebRequest webRequest = WebRequest.Create(uri);
       webRequest.ContentType = "application/x-www-form-urlencoded";
       webRequest.Method = "POST";
       byte[] bytes = Encoding.ASCII.GetBytes(requestDetail);
       webRequest.ContentLength = bytes.Length;
       using (Stream outputStream = webRequest.GetRequestStream())
       {
          outputStream.Write(bytes, 0, bytes.Length);
       }

       // A non-2xx reply (e.g. invalid_grant) throws a WebException here,
       // which checkToken() below turns into a false return.
       using (WebResponse webResponse = webRequest.GetResponse())
       {
          DataContractJsonSerializer serializer = new DataContractJsonSerializer(typeof(AdmAccessToken));
          AdmAccessToken token = (AdmAccessToken)serializer.ReadObject(webResponse.GetResponseStream());
          return token;
       }
    }

     

    // readCookie / writeCookie are small helpers of mine that are not shown here.
    protected static bool checkToken()
    {
       AdmAuthentication admAuth = new AdmAuthentication(readCookie("RefreshToken"));
       try
       {
          admToken = admAuth.GetAccessToken();
          // Save the new pair first; the old AT and RT are dead as soon as this call succeeds.
          writeCookie(admToken.access_token, admToken.expires_in);
          HttpCookie _cookieRefreshToken = new HttpCookie("RefreshToken")
          {
             Value = admToken.refresh_token,
             Expires = DateTime.UtcNow.AddDays(14),
             HttpOnly = true,   // keep the refresh token out of reach of page script
             Secure = true      // and off plaintext HTTP
          };
          HttpContext.Current.Response.Cookies.Add(_cookieRefreshToken);
          return true;
       }
       catch (WebException)
       {
          return false;
       }
    }

     

    This code is old but works well. You could check this code and figure out what went wrong in your code. If not, I suggest using the Box .NET SDK.

    You don't have to use it for everything, but just for auth purposes the SDK is really helpful.

     

    thanks,

    Bibek

     

     

     

