vb Posted · · Byrne Reese edited ·

How to generate an access and refresh token and how to use them efficiently

Most developers who implement OAuth will eventually encounter the need to keep auth tokens fresh, and to prevent them from expiring. This article will guide developers on the recommended techniques to keep authentication credentials valid and fresh.

Using Access Tokens

An "access token" is what a developer presents to the API in the HTTP Authorization header to authenticate to the API.

  • Access tokens expire automatically after one hour (3600 seconds).
  • Access tokens can be refreshed using "refresh tokens."

Using Refresh Tokens

Renew the access token and refresh token every hour. The expires_at time tells a developer when an access token needs to be refreshed, and signals when to proactively use the provided refresh token to generate a new access token before the current one expires. This ensures that any access token you have stored on behalf of a customer is always valid, and will not result in the RingCentral API returning an HTTP status code of "401 (Unauthorized)."

  • Refresh tokens expire after 7 days.
  • You can only use a refresh token to refresh an access token that has not expired.
  • Immediately upon refreshing an access token, the older/previous token is invalidated. In other words, there can only be one active access token at a time per user and app.

Using Access tokens in implicit grant applications

If you are unable to store/persist auth tokens on the backend and run an external process to keep them fresh (e.g. a stateless or single-page app), we recommend passing the refresh_token_ttl=0 parameter when you call the /oauth/token API, so that refresh tokens expire immediately after creation. This prevents anyone else from intercepting the refresh token and keeping it alive without your knowledge.

Refresh Strategies

Access tokens last only one hour, while refresh tokens expire after 7 days. Given this, consider implementing a refresh strategy that minimizes the frequency of refreshing. For example:

  • Refresh access tokens on demand while the refresh token is still valid.
  • Create an offline service that refreshes tokens once a week, before the refresh token expires.
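A small token-lifecycle helper for the rules above (one-hour access tokens, seven-day refresh tokens, proactive refresh from an absolute expiry time, and refresh_token_ttl=0 for stateless apps), added here as an illustration and not taken from the RingCentral SDKs. It assumes the /oauth/token response carries expires_in and refresh_token_expires_in in seconds, that do_refresh is a caller-supplied function that performs the actual HTTP request, and that the 300-second refresh margin is an arbitrary choice.

```python
import threading
from dataclasses import dataclass
from typing import Callable, Optional

ACCESS_REFRESH_MARGIN = 300  # seconds before expiry at which we refresh (assumed margin)

@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    access_expires_at: float   # absolute unix time, derived from expires_in
    refresh_expires_at: float  # absolute unix time, derived from refresh_token_expires_in

def parse_token_response(resp: dict, now: float) -> TokenSet:
    """Convert an /oauth/token response (relative TTLs) into absolute expiry times."""
    return TokenSet(
        access_token=resp["access_token"],
        refresh_token=resp.get("refresh_token"),
        access_expires_at=now + int(resp["expires_in"]),
        refresh_expires_at=now + int(resp.get("refresh_token_expires_in", 0)),
    )

def token_state(tokens: TokenSet, now: float) -> str:
    """Decide what to do: use as-is, refresh proactively, or send the user back through OAuth."""
    if now >= tokens.refresh_expires_at:
        return "reauthorize"   # 7-day refresh token gone (or ttl=0); no silent recovery possible
    if now >= tokens.access_expires_at - ACCESS_REFRESH_MARGIN:
        return "refresh"
    return "valid"

def refresh_request_body(tokens: TokenSet, stateless: bool = False) -> dict:
    """Form fields for POST /oauth/token; stateless apps ask for a refresh token that dies at once."""
    body = {"grant_type": "refresh_token", "refresh_token": tokens.refresh_token}
    if stateless:
        body["refresh_token_ttl"] = "0"
    return body

class TokenManager:
    """Serialises refreshes so concurrent callers never race and invalidate each other's token."""
    def __init__(self, tokens: TokenSet, do_refresh: Callable[[dict], dict]):
        self._tokens, self._do_refresh, self._lock = tokens, do_refresh, threading.Lock()

    def get_access_token(self, now: float) -> str:
        with self._lock:                     # only one thread refreshes; others reuse its result
            state = token_state(self._tokens, now)
            if state == "reauthorize":
                raise PermissionError("refresh token expired; run the authorization flow again")
            if state == "refresh":
                resp = self._do_refresh(refresh_request_body(self._tokens))
                self._tokens = parse_token_response(resp, now)
            return self._tokens.access_token
```

Because only one active access token exists per user and app, the lock matters in multi-threaded services: callers that arrive during a refresh wait for it and then receive the new token instead of triggering a second, competing refresh.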

Using RingCentral SDKs to help refresh access tokens

We provide developers with SDKs for all major programming languages that automatically handle the reuse of tokens across instances.

7 comments

This is not a great developer experience. We deal with a lot of cloud marketing data platforms, and none of them have such a rigorous authentication process.

For instance, Facebook tokens are valid for 60 days for users and indefinitely for businesses. Twitter tokens do not expire. A 1 hour expiration with a 1 week deadline for refresh tokens is just hostile to platform developers and unhelpful.

This is business phone call data we're dealing with here, not Top Secret security data.
3 Likes
Totally agree. My experience with this API has been one of frustration compared to others.

The fact I have to have my end users authenticate with RingCentral instead of allowing me as a super admin via server side only on some features is also annoying the hell out of my end users.

I'm integrated with other platforms like RightSignature and it's so much easier. Thank god not every service requires this. If I had known of these issues (even after using the dev platform some problems I didn't find until we went live) I would not have moved off our old internal phone system this year.

While the API team is very responsive to questions and even personally contacted me to help resolve a major issue I was having they do seem to be short staffed if they can't push out updates in a timely manner. It's been over a year for an issue that was first reported (at least publicly on this forum) of not being able to set the caller id on RingOut (except a crazy work around of setting the extension caller id and then having to update it back again after the call connects).
2 Likes
Could not agree more, I have worked with Twilio and had things up and running in 30mins or so...Get with it RC!
2 Likes

Second that. Too many authentication problems. Very hard to figure out when a 401/400 error occurs.

1 Like
I'm testing this on my own system, and it appears even after a refresh, I can still use the old Access token until it hits its original expiration date. Is that how it's supposed to work?

I just want to make sure that if someone makes a call right when a refresh is occurring such that they grab the existing Access Token, then the refresh occurs, then they actually make the API call, it won't error out.
0 Likes
I think getting a new access token by using a refresh token will not automatically revoke the old access token if it's not expired. You should always check if the access token expires, then use the refresh token to get a new access token.

If the access token is still valid while you request for a new access token, you can call the revoke token endpoint to revoke the old access token.

Using RingCentral SDKs would be the most convenient way to handle authentication. Check out these tutorials to see if you can use them in your app.

JS SDK:  https://ringcentral-tutorials.github.io/password-flow-authentication-nodejs-demo//?distinctId=139891...

Python SDK:  https://ringcentral-tutorials.github.io/password-flow-authentication-python-demo/?distinctId=1398916...

PHP SDK:  https://ringcentral-tutorials.github.io/password-flow-authentication-php-demo//?distinctId=139891602...

+ Phong
0 Likes
Thanks, Phong.

I'm going to discuss our particular situation (developing in C#, running multiple WebAPI instances with a multi-user environment) directly with my RingCentral technical contact, and if anything interesting comes up, I'll post it here in case anyone else has the same situation.
0 Likes

Contributors

ByrneReese, Leonard3223650020 and vb contributed to this article.