
I currently have an app in the app gallery, and it links to a web page where users can log in and use my app for their account. I'm using the three-leg authorization flow for authorization. And for the most part, this works great.


However, I would like to make the experience better for my users. And I would also like to make sure I am implementing the three-leg auth flow correctly.


The most serious problem occurs when a user clicks on the link from the app gallery and is directed to my app page, and then, they have to leave their desk (before logging in) and the page just sits there for more than 20 minutes. We are validating to prevent cross-site forgery, and the session variable is gone if they try to log in after it has been sitting there for more than 20 minutes. When that happens, they have to go through the auth flow twice (after they return to their desk).


The second problem is that it just seems like too many clicks. The user clicks on the link in the app gallery, and is then shown a page where they have to click another button to log in. And then they go through the login flow process. Of course I can show some marketing messages on that page and such, but we already have that in the app gallery page. I don't want to bombard them with marketing.


The third problem occurs when they are using the app, and their session times out, and they have to log in again. When that happens, my app redirects them to the login page, from which, again, they have to click on "log in" again, and then they are taken to the RingCentral auth page. It would be nice to just neatly direct them straight to the RingCentral auth page.


I'm fairly new to the OAuth process, and I am not completely sure that I am implementing it correctly. Is this type of flow normal? Am I just not thinking of it correctly? It seems like I might be missing something, since there is still the issue of the session cross-site forgery variable becoming stale.


Thanks for the help.

If you have full control of your own app, you can redirect users directly to the RingCentral auth page. When users arrive at your page, you check whether they have logged in or not. If not, redirect them to the RingCentral auth page. Thus users don't need to click any button on your page (avoiding the too-many-clicks issue).

The third problem occurs when they are using the app, and their session times out, and they have to log in again.
There is a way to keep the session alive. You need to refresh it: https://developer.ringcentral.com/api-docs/latest/index.html#!#RefRefreshTokenFlow


Thanks Tyler. I appreciate the response. I would love to redirect my users directly to the RingCentral auth page. But I don't seem to be able to. According to the docs, when I redirect users (to the RingCentral auth page) for my app, I have to submit "response_type", "client_id", "redirect_uri", and "state" using "application/x-www-form-urlencoded" (http://ringcentral-api-docs.readthedocs.io/en/latest/oauth/#authorization-code-flow). And that seems to be at the core of the issue I'm having. 

In order to pass those variables in that manner, I have to put them in a form and have the user click the submit button. And that's the extra click I'm talking about. According to what I have read in the docs and what I have tried, the only way to properly go to the RingCentral auth page is by using the form. And the form works fine. It's just that I would like my users to not have to click the form to be redirected to the RingCentral auth page.

Surely I am missing something. Do you have any code examples of how this might be done without using a form and a submit button? And just to be clear, this is what I am currently doing: I redirect my users to a login page on my domain, which has this form:
    <form action="@Model.RingCentralAuthUrl" method="GET" class="login-bottom">
        <p>
            <input type="hidden" name="response_type" value="code" />
            <input type="hidden" name="client_id" value="@Model.AppKey" />
            <input type="hidden" name="redirect_uri" value="@Model.RedirectUri" />
            <input type="hidden" name="state" value="@ViewBag.State" />
            <input type="hidden" name="ReturnUrl" value="@ViewBag.ReturnUrl" />
            <button type="submit" class="btn btn-primary">Click Here</button>
        </p>
    </form>
And then they click on that button and are taken to the RingCentral auth page. If you could provide some sort of example where I don't have to have the user click the form, I would greatly appreciate it.
Thanks

Matt

As far as I can tell, a form is not mandatory. You can build the URL and redirect the user to that URL and it just works. Maybe the doc is wrong, or it doesn't list all the content types that it supports.

Example:
https://github.com/ringcentral/ringcentral-demos-oauth/blob/master/javascript-express/app.js#L48
https://github.com/ringcentral/ringcentral-demos-oauth/blob/master/javascript-express/views/index.mu...
https://github.com/ringcentral/ringcentral-demos-oauth/blob/master/javascript-express/views/index.mu...

Even if a form is required, you should be able to auto-populate that form and auto-submit it.
In case you prefer a C# sample: https://github.com/ringcentral/ringcentral-demos-oauth/tree/master/csharp-nancy/csharp-client-nancy

Thanks Tyler. This was exactly what I needed. I had tried redirecting to the url directly (similar to these examples) earlier on, but now I realize that I was not encoding all the params properly, and was receiving an error. That, combined with the docs, led me to believe that it was not supported. Thanks for the help!
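
The approach this thread settles on (build the authorization URL, encode every parameter, redirect without a form) together with a `state` value minted at redirect time so it cannot go stale on an idle page, as an added example that is not part of the original posts or of the RingCentral demo code. The endpoint, client ID and redirect URI are placeholders, the function names are hypothetical, and `session` is a plain object standing in for the server-side session.

```javascript
const crypto = require('node:crypto');

// Placeholder values (assumptions): use your app's real endpoint, key and callback.
const CONFIG = {
  authorizeEndpoint: 'https://auth.example.test/oauth/authorize',
  clientId: 'my app+key/1',
  redirectUri: 'https://app.example.test/oauth/callback?tenant=a&b=1',
};

// Build the authorization URL. URLSearchParams percent-encodes every value,
// including the '?', '&' and '=' inside redirect_uri.
function buildAuthorizeUrl(cfg, state) {
  const url = new URL(cfg.authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    state,
  }).toString();
  return url.toString();
}

// Called when an unauthenticated request arrives: mint a fresh state, bind it
// to the session, and return the Location value for a 302 response. The state
// is created at the moment of redirect, so no rendered page holds an old one.
function beginLogin(session, cfg = CONFIG) {
  const state = crypto.randomBytes(32).toString('hex');
  session.oauthState = state;
  return buildAuthorizeUrl(cfg, state);
}

// Called on the redirect_uri callback: the stored state is single-use and is
// compared in constant time. Returns the authorization code, or null.
function verifyCallback(session, query) {
  const expected = session.oauthState;
  delete session.oauthState; // consumed even when the check fails
  if (typeof expected !== 'string' || typeof query.state !== 'string') return null;
  const a = Buffer.from(expected);
  const b = Buffer.from(query.state);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return null;
  return typeof query.code === 'string' ? query.code : null;
}
```

In an Express-style handler the result of `beginLogin` would be passed to `res.redirect(...)`; a `null` from `verifyCallback` means the login should be restarted rather than the code exchanged.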
