TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License

How to get refresh token for more than 1 hour #110

Closed thebatmanreturns closed 4 years ago

thebatmanreturns commented 4 years ago

Hi, how can I get the refresh token for more than 1 hour?

    try {
        $newToken = $oauthClient->getAccessToken('refresh_token', [
            'refresh_token' => $_SESSION["refreshToken"]
        ]);

        // Store the new values
        $this->updateTokens($newToken);

        return $newToken->getToken();
    } catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e) {
        // The refresh grant was rejected: return no token
        return '';
    }

hajekj commented 4 years ago

Refresh tokens are usually valid for 90 days, access tokens are valid for 1 hour unless set otherwise by tenant policy in Azure AD.

thebatmanreturns commented 4 years ago

Hi, I'm using the below code to get the refresh token, however, my session is getting expired after 1 hour. Don't know what's happening.

    $now = time() + 300;
    if ($_SESSION["tokenExpires"] <= $now) {
        // Token is expired (or very close to it)
        // so let's refresh

        // Initialize the OAuth client
        $oauthClient = new \League\OAuth2\Client\Provider\GenericProvider([
            'clientId'                => OAUTH_APP_ID,
            'clientSecret'            => OAUTH_APP_PASSWORD,
            'redirectUri'             => OAUTH_REDIRECT_URI,
            'urlAuthorize'            => OAUTH_AUTHORITY.OAUTH_AUTHORIZE_ENDPOINT,
            'urlAccessToken'          => OAUTH_AUTHORITY.OAUTH_TOKEN_ENDPOINT,
            'urlResourceOwnerDetails' => '',
            'scopes'                  => OAUTH_SCOPES
        ]);

        try {
            $newToken = $oauthClient->getAccessToken('refresh_token', [
                'refresh_token' => $_SESSION["refreshToken"]
            ]);

            // Store the new values
            $this->updateTokens($newToken);

            return $newToken->getToken();
        } catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e) {
            // The refresh grant was rejected: return no token
            return '';
        }
    }

How can I extend the token lifetime?

hajekj commented 4 years ago

I don't think this has anything to do with the library. Rather PHP session's configuration, can you print your phpinfo(); configuration and paste the value of session.cookie_lifetime and also session.gc_maxlifetime?

thebatmanreturns commented 4 years ago

Hi, session.gc_maxlifetime (Local Value - 1440 and Max Value - 1440) session.cookie_lifetime (0 for Local and Max)

hajekj commented 4 years ago

updateTokens writes it into session? And when refreshing the refresh token contains data? Or it is empty? Do you get some error from AAD?


From: thebatmanreturns notifications@github.com Sent: Wednesday, July 8, 2020 6:57:43 PM To: TheNetworg/oauth2-azure oauth2-azure@noreply.github.com Cc: Jan Hajek jan.hajek@thenetw.org; Comment comment@noreply.github.com Subject: Re: [TheNetworg/oauth2-azure] How to get refresh token for more than 1 hour (#110)

thebatmanreturns commented 4 years ago

You're right! Here is my updateTokens function. I'm not getting any response from the application. If I reload the page, I'm getting logged out from the app.

    public function updateTokens($accessToken) {
        $_SESSION['accessToken'] = $accessToken->getToken();
        $_SESSION['refreshToken'] = $accessToken->getRefreshToken();
        $_SESSION['tokenExpires'] = $accessToken->getExpires();
    }

hajekj commented 4 years ago

When you reload the page or close the browser? Because the definition of session.cookie_lifetime set to 0 means that the cookie will expire when you close the browser (reference). Also your session.gc_maxlifetime set to 24 minutes could explain it as well (reference) because the runtime will wipe the session data with each request (gc_probability/gc_divisor).

Are you logged out because the $_SESSION variable is empty? If so, it's probably the above and not related to AAD and token expiration.

thebatmanreturns commented 4 years ago

Yes, you're right! My $_SESSION variable is empty. What parameters and what threshold should I set for the PHP session? Can you please help me?

hajekj commented 4 years ago

I would suggest raising the session.gc_maxlifetime variable to higher like 24h and see if that helps, probably the session.cookie_lifetime to the same value as well, e.g. 86400 (24h * 60m * 60s).

thebatmanreturns commented 4 years ago

It Worked. Thanks, Mate.
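
The session settings suggested above can also be applied in code before the session starts. The following is an added example, not code from the thread or from the oauth2-azure project: `SESSION_TTL`, `startTokenSession()`, `storeTokens()` and `clearTokens()` are hypothetical names, and it assumes PHP 7.3+ with league/oauth2-client 2.x. Because a 24-hour session now holds an access token and a refresh token, the cookie is also restricted to HTTPS and hidden from JavaScript.

```php
<?php
// Added example, not from the original thread. SESSION_TTL and the function
// names are hypothetical; the $_SESSION keys match the ones used above.
const SESSION_TTL = 86400; // 24 h, the value suggested in the thread

function startTokenSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Server side: session data younger than this is not garbage-collected.
    ini_set('session.gc_maxlifetime', (string) SESSION_TTL);
    // Refuse session IDs that the server did not issue.
    ini_set('session.use_strict_mode', '1');
    // Client side: the cookie outlives the browser window, but is sent over
    // HTTPS only, is hidden from JavaScript, and is withheld from cross-site
    // subrequests.
    session_set_cookie_params([
        'lifetime' => SESSION_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function storeTokens(\League\OAuth2\Client\Token\AccessTokenInterface $token): void
{
    $_SESSION['accessToken']  = $token->getToken();
    $_SESSION['tokenExpires'] = $token->getExpires();
    // Keep the previous refresh token if the response did not carry a new one.
    $_SESSION['refreshToken'] = $token->getRefreshToken()
        ?? ($_SESSION['refreshToken'] ?? null);
}

function clearTokens(): void
{
    // Call when the refresh grant fails, so stale tokens do not linger.
    unset($_SESSION['accessToken'], $_SESSION['refreshToken'], $_SESSION['tokenExpires']);
}
```

If other applications share the same session.save_path, the shortest session.gc_maxlifetime among them decides when the session files are cleaned up, so the value must be raised for all of them or the save path separated.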