question

janielle avatar image
janielle asked ·

Long lived tokens

When using the authorization flow is there a way to increase the refresh token TTL to be more than a week?

I have seen with other OAuth implementations that the refresh token TTL is refreshed or increased every time the access token is used.

The advantage of this is that a regular user of the api will not need to re-authorise weekly

Thanks,






topic-default
1 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

3 Answers

· Write an Answer
benjamin-dean avatar image
benjamin-dean answered ·
AFAIK, 7 days is the maximum amount of time which can be set for a refresh token (and becomes the default value if the specified value is greater than this maximum).
1 comment Share
1 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

janielle avatar image janielle ·
If that's the case, then we may need to swap to password flow.

Which would mean that every ring central client we integrate with, would need to create an App for us to use and then provide us with their App Key and App Secret, we'd also need to store each user's login detail, which isn't ideal.

Going back to the Authorization Flow, If someone is actively using the API with an Access Token, then each request using this token should reset the Refresh Token's TTL. 


0 Likes 0 · ·
John Wang avatar image
John Wang answered ·
The advantage of this is that a regular user of the api will not need to re-authorise weekly

Our SDKs automatically manage token refresh for you so if you are using the API regularly (at least once a week), you should not notice any need to manually re-authorize.

This page has a link to our SDKs:

https://developers.ringcentral.com/library/sdks.html

Some questions:

  1. How often is your app making API calls? Is it at least once a week?
  2. Are you using one of our SDKs and if so which one?
7 comments Share
1 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

janielle avatar image janielle ·
We expect multiple users to be making multiple calls per day and now we're aren't using the SDK, we're using the Rest API

So you're saying the Refresh Token, not the Access Token, can be refreshed?
Because every time I refresh the Access Token, the Refresh Token's TTL decreases.

I had a look at the Python SDK and I don't see it, unless I have missed it, a way to refresh the Refresh Token.
0 Likes 0 · ·
anton-nikitin avatar image anton-nikitin ·
Janielle,

every time you ask server to refresh token it actually refreshes both access and refresh tokens, i.e. in response you get new pair of tokens (including new refresh token which will last for another 7 days from the time of issuing). Previously issued refresh token will become invalid shortly after new one is issued. 


1 Like 1 · ·
John Wang avatar image John Wang ♦♦ ·
Hi Janielle,

Can you let us know why you're using the REST API directly and not one of our SDKs? I'm curious since we're always trying to improve our SDKs and your reasoning could let us know what we can work on.

Thanks
0 Likes 0 · ·
janielle avatar image janielle ·
Hi John,

It's because of documentation the REST API it really well documented, but the python SDK is very sparse. Implementing with the API has, for the most part, been pretty straight forward.
0 Likes 0 · ·
janielle avatar image janielle ·
Anton,

The animated gif below shows that each time I do a refresh, the  refresh_token_expires_in parameter decreases. If its not clear, it goes from 604006, to 603979, to 603966 and then 603956. You'll also notice the access token TTL decreasing too.

Perhaps it work differently on sandbox versus the production environment?

Thanks,



0 Likes 0 · ·
Show more comments
Anirban Sen Chowdhary avatar image
Anirban Sen Chowdhary answered ·

refresh_token have a life of 1 week and after that it expires. You can refresh a new set of accees_token and refresh_token to use. I have seen these as a more or less same duration as a common practice around different oauth servers. Why do you need a refresh_token more than that life ? You can always generates a new access token and refresh token before it expire.

A Refresh Token is a special kind of token that can be used to obtain a renewed access token

Share
1 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.