Best practice for OAuth 2.0 token generation API


Hello,

We have created an OAuth2 access token generation API on our Edge.
High-level description:

  1. Retrieve the access token from the authorization server (the Edge)
  2. Use the bearer token to access the API resource

I can see a pattern. Most of the internal business units using our APIs do not implement a best practice, i.e. our "token_generater" API, based on the credentials, is always called, no matter whether the token is still valid or not. That generates exponential calls to that particular API. Note: we have a 15 m token expiry.

Furthermore, we often get the question "Why can we not have a long-lasting or even never-expiring token for internal business units that we trust?"

We are trying to educate the consumers to implement the code in a way that you only make the call if the token is not valid... But that has not been working for the last few years...

What is the recommendation in this case?

Should we have never-expiring tokens for trusted internal consumers, meaning they expire only if the dev_app expires or the token is revoked?

Br,
João Paulo


Hi @joao.paulo

A never-expiring token is as good or bad as a password. Hence having a never-expiring token is not recommended. What I would suggest is that for internal consumers you can stick to the Basic Authentication approach over a one-way TLS connection, considering both Edge and the systems are in the same network. In case Edge is in the cloud, I would suggest having a two-way TLS connection.

Acquiring a token for every API call, or frequently even when the old token is valid, spoils the benefit of OAuth. Remember, the idea of OAuth is to not use your client credentials for every call, as with Basic Auth.

A) You can use Analytics in Edge to identify the clients using the anti-pattern and work with them to change it. This can be treated as a security violation.

B) You can increase the validity of the access token, but not make it a long-lived token. For a long-lived token, refer to C.

C) Another option is to issue a refresh token. The client credentials flow optionally allows a refresh token too. This is the long-lived token you are looking for.
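The anti-pattern the question describes (a token request before every API call) and the fix the reply asks for (reuse the token until it is about to expire) are easiest to compare side by side. The following is an added example, not code from the original thread or from Apigee: the token endpoint is a constructed in-memory stub standing in for the Edge token-generation proxy, and the "app"/"secret" client credentials, the 15-minute TTL and the 30-second renewal skew are assumptions chosen for the demonstration.

```python
"""Added example: caching a client-credentials access token on the client side,
compared with requesting a new token before every API call.

The token endpoint is a constructed stub; client id/secret, TTL and skew are assumed.
"""
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class TokenResponse:
    access_token: str
    expires_in: int  # seconds of validity, as the authorization server reports it


class FakeClock:
    """Controllable clock so the simulation can cover an hour instantly."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class StubTokenEndpoint:
    """Constructed stand-in for the authorization server's token endpoint.

    Counts token requests and remembers each token's expiry, so the example can
    show how often a client hits it and whether a presented token was still valid.
    """

    def __init__(self, ttl_seconds: int, clock: Callable[[], float]) -> None:
        self.ttl = ttl_seconds
        self.clock = clock
        self.calls = 0
        self.issued: Dict[str, float] = {}

    def client_credentials(self, client_id: str, client_secret: str) -> TokenResponse:
        # A real endpoint would verify client_id/client_secret here.
        self.calls += 1
        token = secrets.token_urlsafe(24)
        self.issued[token] = self.clock() + self.ttl
        return TokenResponse(access_token=token, expires_in=self.ttl)

    def is_valid(self, token: str) -> bool:
        return self.clock() < self.issued.get(token, 0.0)


class CachedTokenProvider:
    """Reuse the access token until shortly before the server-stated expiry.

    skew_seconds renews a little early so a token taken from the cache is still
    valid when the resource server checks it (network delay, clock drift). The lock
    makes concurrent callers wait for one renewal instead of each requesting a token.
    """

    def __init__(self, endpoint: StubTokenEndpoint, client_id: str, client_secret: str,
                 skew_seconds: int = 30, clock: Callable[[], float] = time.time) -> None:
        self.endpoint = endpoint
        self.client_id = client_id
        self.client_secret = client_secret
        self.skew = skew_seconds
        self.clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self._lock = threading.Lock()

    def _fresh(self) -> bool:
        return self._token is not None and self.clock() < self._expires_at - self.skew

    def get_token(self) -> str:
        if self._fresh():
            return self._token
        with self._lock:
            if self._fresh():  # another thread renewed while we waited for the lock
                return self._token
            now = self.clock()
            resp = self.endpoint.client_credentials(self.client_id, self.client_secret)
            self._token = resp.access_token
            self._expires_at = now + resp.expires_in
            return self._token


def simulate(n_api_calls: int = 900, seconds_between_calls: int = 4,
             ttl: int = 900, skew: int = 30) -> Dict[str, int]:
    """Drive the naive client and the caching client over the same call pattern.

    Returns the token requests each made and how many times the caching client
    presented an already-expired token to the resource.
    """
    clock = FakeClock()
    naive_endpoint = StubTokenEndpoint(ttl, clock.now)
    cached_endpoint = StubTokenEndpoint(ttl, clock.now)
    provider = CachedTokenProvider(cached_endpoint, "app", "secret", skew, clock.now)
    expired_presentations = 0
    for _ in range(n_api_calls):
        # Anti-pattern from the question: a token request before every API call.
        naive_endpoint.client_credentials("app", "secret")
        # Caching client: asks for a token only when the cached one is about to expire.
        token = provider.get_token()
        if not cached_endpoint.is_valid(token):
            expired_presentations += 1
        clock.advance(seconds_between_calls)
    return {
        "naive_token_calls": naive_endpoint.calls,
        "cached_token_calls": cached_endpoint.calls,
        "expired_presentations": expired_presentations,
    }


if __name__ == "__main__":
    print(simulate())
```

With 900 API calls spread over an hour and a 15-minute TTL, the naive client makes 900 token requests while the caching client makes 5 and never presents an expired token. If the consumer is given a refresh token (option C above), only the renewal branch in `get_token` changes, sending the refresh grant instead of the client credentials; the cache and skew logic stay the same.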
