Breaking change: end-of-life for ROPC auth scheduled on March 31, 2024

  • 13 July 2023

At RingCentral we work hard to actively protect customers, access to their accounts, and their private data. Following the recommendations of our own internal security team, as well as the recommendations from the OAuth standards body itself, we are announcing that password-based authentication for the API is officially deprecated, and support for the password grant type will cease on March 31, 2024.

Developers who utilize password-based auth are asked to migrate their applications to another auth method as soon as possible.

What auth method should I migrate to?

The first and most important question developers should ask themselves is, "which auth method, JWT or OAuth's authorization code flow, is best for my application?" We have extensive documentation to help developers make the best decision for their application, but to summarize:

  • JWT auth is best for server-to-server use cases. This includes apps and scripts that have no user interface, and/or for which a single credential is often used to call APIs.

  • The authorization code flow is best for user-centric use cases. If your app needs to prompt individual users to log in or provide credentials, then the auth code flow is the best auth method for you.

We have also provided developers with a knowledge base article to guide them in this process.

How to migrate to JWT

If JWT is the best migration path for your application, then making the switch could not be easier. All of our SDKs currently support JWT, and the change to move to JWT is restricted to one or two lines of code. Check out our getting started guide for JWT to see working code samples.

By the way, if you find yourself asking the question, "how will I collect a JWT token for all of my users so they can each authenticate?", then JWT auth is almost certainly the wrong auth type for your application, and we strongly recommend you migrate to OAuth's auth code flow instead.

Tips on JWT credential generation

Users assigned the "Standard" role do not have the "Developer Portal Access" option enabled for their role. As a result, users with this role cannot log in to the Developer Console in order to generate a JWT credential.

Therefore, if you need to create JWTs for a larger number of users, you may have to temporarily assign a different role to those users, e.g. "Standard - International," or a custom role with the "Developer Portal Access" permission enabled, to allow them to create their own Personal JWT.

How to migrate to OAuth's authorization code flow

To migrate to OAuth's auth code flow, we recommend you start with our auth code flow quick start guide, which will show you how to initiate the authorization process by creating an authorization URL, and how to complete the process server-side. If the access tokens generated through this process will be used on your servers, then we also recommend you take additional steps to keep access tokens valid by using refresh tokens.

Getting help and support

We recognize that changes like this have the potential to be very disruptive, and for that inconvenience, we apologize. We are committed to helping every developer make this transition successfully. If you need help, please consider posting your question as a reply to this post, or reach out directly to our developer support team.

Thank you, everyone, for your attention and for helping to make this change a successful one.
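The three authorization code flow steps named in the migration section above (authorization URL, server-side completion, refresh), sketched as an added example that is not RingCentral's code or SDK. The endpoint, client ID, redirect URI and the `session`/`tokens` dictionaries are placeholders and assumptions; only the standard OAuth 2.0 parameter names are fixed.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders (assumptions), not RingCentral's real values: take the endpoint
# and app credentials from the quick start guide and your app's settings.
AUTHORIZE_ENDPOINT = "https://auth.example.invalid/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"


def build_authorization_url(session):
    """Step 1: send the user's browser here; the app never handles a password."""
    session["oauth_state"] = secrets.token_urlsafe(32)  # binds callback to session
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["oauth_state"],
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def token_request_from_callback(session, callback_url):
    """Step 2 (server-side): validate the redirect, then build the token form.
    The form is POSTed to the token endpoint with the app's client credentials."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # one-time use, blocks replay
    got = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in params or "code" not in params:
        raise ValueError("authorization was denied or returned no code")
    return {
        "grant_type": "authorization_code",
        "code": params["code"][0],
        "redirect_uri": REDIRECT_URI,
    }


def refresh_request_if_due(tokens, now=None, skew=60):
    """Step 3: return a refresh form once the access token is close to expiry."""
    now = time.time() if now is None else now
    if now < tokens["expires_at"] - skew:
        return None  # access token still valid, nothing to do
    return {"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"]}
```
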
