Using multiple devices and OAuth


Greg Fiumara

Feb 13, 2016, 4:05:02 PM
to untappd-api-d...@googlegroups.com
Most of the time, I only use a single device and single account for testing. However, there comes a time when I need to use multiple devices or simulators in the same day. Whenever I sign into one device, the OAuth token on all the other devices I'm logged into is rejected by Untappd. The first-party Untappd app stays logged in throughout.

Is this expected behavior?

Thanks,
-Greg

--
Greg Fiumara


Greg Avola

Feb 13, 2016, 4:12:27 PM
to untappd-api-d...@googlegroups.com
Greg,

Are you using the same Client ID / Client Secret on all devices? OAuth tokens don't expire, so unless you are changing Client ID / Client Secret, that token is valid forever.

Greg




--
You received this message because you are subscribed to the Google Groups "Untappd API Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to untappd-api-develop...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Greg Avola
Co-Founder / CTO
Untappd

Greg Fiumara

Feb 13, 2016, 4:22:57 PM
to untappd-api-d...@googlegroups.com
On 2/13/16, 4:12 PM, "Greg Avola" <untappd-api-d...@googlegroups.com on behalf of gr...@untappd.com> wrote:

>Are you using the same Client ID / Client Secret on all devices? OAuth tokens don't expire, so unless you are changing Client ID / Client Secret, that token is valid forever.

Client ID and Secret are constant (same app on all devices). Are you implying that 'access_token' generated when signing in on one device be synchronized to other devices for a given Client ID/Client Secret pair? I'm requesting a new access_token for each sign in.

Greg Avola

Feb 13, 2016, 5:46:13 PM
to untappd-api-d...@googlegroups.com
When you perform the OAuth dance, it checks to see if you have authorized the app before on your Untappd account. If you have, then it returns that auth token (same one as sent before). If you revoke your access to that app, it removes the token and re-auths with a new token.

Greg


Greg Fiumara

Feb 13, 2016, 7:45:04 PM
to untappd-api-d...@googlegroups.com
On 2/13/16, 5:46 PM, "Greg Avola" <untappd-api-d...@googlegroups.com on behalf of gr...@untappd.com> wrote:

>it checks to see if you have authorized the app before on your Untappd account. If you have - then it returns that auth token

I'm not seeing that behavior:

1. Access token on Device #1 ends with A44C.
2. Install app fresh on Device #2 and sign in, access token received ends with 9F7F.
3. Perform operation on Device #1, access denied.
4. Re-auth with Device #1, access token ends with 5F7F.
5. Perform operation on Device #2, access denied.
6. Re-auth with Device #2, access token ends with 52EC.
7. ...

Is there anything you can think of that might be incorrect with my setup, other than altering the Client Secret/Client ID pair?

Sami Rajala

Feb 13, 2016, 11:50:19 PM
to Untappd API Developer Group
Had the same problem. Happened when I used response_type=code for /authenticate uri. Using response_type=token solved the issue.

-Sami

Greg Fiumara

Feb 14, 2016, 9:25:04 AM
to untappd-api-d...@googlegroups.com
On 2/13/16, 11:50 PM, "Sami Rajala" <untappd-api-d...@googlegroups.com on behalf of sami....@gmail.com> wrote:

>Happened when I used response_type=code for /authenticate uri. Using response_type=token solved the issue.

Thanks for this info. Sounds like the issue goes away if you use client-side authentication. I am using -- and prefer to continue to use -- server-side authentication:

1. Request authenticate/?response_type=code&client_id=...&redirect_url=<REDIRECT>
   -> User is presented with first-party website to login.

2. On login, website redirects to REDIRECT?code=<CODE> (third-party) with access **code**
   -> Third-party requests authenticate/?response_type=token&client_id=...&client_secret=...&redirect_url=...&code=<CODE>
   -> First-party responds with JSON containing access **token**

3. Third-party delivers access token to client.

What I understand is that the token delivered in step 3 should be the same across logins to multiple devices, but it is not in my situation.

-Greg



--
Greg Fiumara
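To make the behaviour reported in the steps above concrete, here is an added toy model of the server-side code exchange (this is not Untappd's code; the client id, secret, codes and tokens are constructed placeholders). A `reuse_grant` switch contrasts "fresh token on every re-auth, old one revoked", which is what the multi-device test shows, with "one token per user, per app", which is what the thread converges on.

```python
"""Toy OAuth authorization-code exchange illustrating the two token
policies discussed in this thread.  Not Untappd's code: client id/secret,
codes and tokens are constructed placeholders."""
import secrets


class AuthServer:
    """Minimal authorization server for a single registered app."""

    def __init__(self, client_id, client_secret, reuse_grant):
        self.client_id = client_id
        self.client_secret = client_secret
        # reuse_grant=False: each code exchange mints a new token and the
        #   previous token for that user/app is dropped (old devices fail).
        # reuse_grant=True: an existing user/app grant hands back the same
        #   token, so every device shares one token per user, per app.
        self.reuse_grant = reuse_grant
        self.pending_codes = {}   # one-time code -> user who logged in
        self.tokens = {}          # (user, client_id) -> access token

    def authorize(self, user):
        """/authenticate?response_type=code: user logs in, gets a code."""
        code = secrets.token_hex(8)
        self.pending_codes[code] = user
        return code

    def exchange(self, client_id, client_secret, code):
        """/authenticate?response_type=token with the code (step 2)."""
        if (client_id, client_secret) != (self.client_id, self.client_secret):
            raise PermissionError("bad client credentials")
        user = self.pending_codes.pop(code, None)   # codes are single-use
        if user is None:
            raise PermissionError("unknown or already-used code")
        key = (user, client_id)
        if self.reuse_grant and key in self.tokens:
            return self.tokens[key]
        token = secrets.token_hex(16)
        self.tokens[key] = token   # overwrites, i.e. revokes, any earlier token
        return token

    def is_valid(self, token):
        return token in self.tokens.values()


def multi_device_signin(reuse_grant, devices=2):
    """Sign one user in on several devices in turn; return the tokens each
    device received and whether each is still accepted afterwards."""
    srv = AuthServer("client-id-placeholder", "client-secret-placeholder", reuse_grant)
    tokens = [srv.exchange(srv.client_id, srv.client_secret, srv.authorize("alice"))
              for _ in range(devices)]
    return tokens, [srv.is_valid(t) for t in tokens]
```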





Greg Avola

Feb 15, 2016, 9:13:36 AM
to untappd-api-d...@googlegroups.com
Hey Greg & Sami,

I'll try to fix it this week; ideally it should work both ways. However, on other OAuth services, when you re-auth the old token doesn't work anymore, I assume for security reasons. You don't have multiple tokens under 1 app (it's one token per user, per app). Thoughts?

Thanks,
Greg








Greg Fiumara

Feb 15, 2016, 10:53:11 AM
to untappd-api-d...@googlegroups.com
On 2/15/16, 9:13 AM, "Greg Avola" <untappd-api-d...@googlegroups.com on behalf of gr...@untappd.com> wrote:

>You don't have multiple tokens under 1 app (it's one token per user, per app). Thoughts?

One token per app makes sense to me: it's less info to store on your end, and like you mentioned, it's easy to revoke access everywhere in the event of a security problem.

With one token per clientID/clientSecret, the first login request on a device would display the "are you sure you want to authorize XYZ?" interstitial. Login requests on subsequent devices would dismiss immediately after the user logs in, since they've already acknowledged authorization. This aligns with Twitter's sign-in flow[1].

FWIW: I just re-authed my Foursquare account with my API clientID/clientSecret on two devices, and the OAuth token provided was identical for both.

Thanks for looking into this!
-Greg

[1] https://dev.twitter.com/web/sign-in/implementing ("Step 2")


--
Greg Fiumara





Sami Rajala

Feb 15, 2016, 11:58:16 AM
to Untappd API Developer Group
Here are a few options:
1) Change the server-side authentication to work as the client-side does; reauth returns the old token, which never expires (not a good idea)
2) Provide a refresh token for getting a new access token
 - you can have short-lived access tokens
 - apps can use the refresh token whenever the access token expires
 - it's up to you if reauth invalidates the old token or just returns the same token with an expiration date

Greg Avola

Feb 15, 2016, 12:24:16 PM
to untappd-api-d...@googlegroups.com
Hey Sami,

We can't do refresh tokens for this right now, but I think that syncing both elements together works for me. I'll tag a ticket to this and let everyone know.

Thanks,
Greg


Greg Fiumara

Mar 31, 2016, 6:40:48 PM
to untappd-api-d...@googlegroups.com
On Mon, Feb 15, 2016 at 12:24 PM, Greg Avola <gr...@untappd.com> wrote:
> We can't do refresh tokens for this right now, but I think that
> syncing both elements together works for me. I'll tag a ticket to this
> and let everyone know.

I wanted to thank you for fixing this. It's been working for quite a
while now, and it's made my life *a lot* easier. It also enables some
new classes of software.

Thanks again,
-Greg

--
Greg Fiumara

Greg Avola

Mar 31, 2016, 8:13:07 PM
to untappd-api-d...@googlegroups.com
Anytime Greg!

Greg


