question

janielle2936 avatar image
janielle2936 asked Anirban answered

Long lived tokens

When using the authorization flow is there a way to increase the refresh token TTL to be more than a week?


I have seen with other OAuth implementations that the refresh token TTL is refreshed or increased every time the access token is used.


The advantage of this is that a regular user of the api will not need to re-authorise weekly


Thanks,







oauth
1 |3000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

3 Answers

benjamin-dean avatar image
benjamin-dean answered janielle2936 commented
AFAIK, 7 days is the maximum amount of time which can be set for a refresh token (and becomes the default value if the specified value is greater than this maximum).
1 comment
1 |3000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

janielle2936 avatar image janielle2936 commented ·
If that's the case, then we may need to swap to password flow.

Which would mean that every ring central client we integrate with, would need to create an App for us to use and then provide us with their App Key and App Secret, we'd also need to store each user's login detail, which isn't ideal.

Going back to the Authorization Flow, If someone is actively using the API with an Access Token, then each request using this token should reset the Refresh Token's TTL. 


0 Likes 0 ·
John Wang avatar image
John Wang answered janielle2936 commented
The advantage of this is that a regular user of the api will not need to re-authorise weekly

Our SDKs automatically manage token refresh for you so if you are using the API regularly (at least once a week), you should not notice any need to manually re-authorize.

This page has a link to our SDKs:

https://developers.ringcentral.com/library/sdks.html

Some questions:

  1. How often is your app making API calls? Is it at least once a week?
  2. Are you using one of our SDKs and if so which one?
7 comments
1 |3000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

anton-nikitin avatar image anton-nikitin commented ·
Janielle,

every time you ask server to refresh token it actually refreshes both access and refresh tokens, i.e. in response you get new pair of tokens (including new refresh token which will last for another 7 days from the time of issuing). Previously issued refresh token will become invalid shortly after new one is issued. 


1 Like 1 ·
janielle2936 avatar image janielle2936 commented ·
We expect multiple users to be making multiple calls per day and now we're aren't using the SDK, we're using the Rest API

So you're saying the Refresh Token, not the Access Token, can be refreshed?
Because every time I refresh the Access Token, the Refresh Token's TTL decreases.

I had a look at the Python SDK and I don't see it, unless I have missed it, a way to refresh the Refresh Token.
0 Likes 0 ·
John Wang avatar image John Wang ♦♦ commented ·
Hi Janielle,

Can you let us know why you're using the REST API directly and not one of our SDKs? I'm curious since we're always trying to improve our SDKs and your reasoning could let us know what we can work on.

Thanks
0 Likes 0 ·
janielle2936 avatar image janielle2936 commented ·
Hi John,

It's because of documentation the REST API it really well documented, but the python SDK is very sparse. Implementing with the API has, for the most part, been pretty straight forward.
0 Likes 0 ·
janielle2936 avatar image janielle2936 commented ·
Anton,

The animated gif below shows that each time I do a refresh, the  refresh_token_expires_in parameter decreases. If its not clear, it goes from 604006, to 603979, to 603966 and then 603956. You'll also notice the access token TTL decreasing too.

Perhaps it work differently on sandbox versus the production environment?

Thanks,



0 Likes 0 ·
Show more comments
Anirban avatar image
Anirban answered

refresh_token have a life of 1 week and after that it expires. You can refresh a new set of accees_token and refresh_token to use. I have seen these as a more or less same duration as a common practice around different oauth servers. Why do you need a refresh_token more than that life ? You can always generates a new access token and refresh token before it expire.

A Refresh Token is a special kind of token that can be used to obtain a renewed access token

1 |3000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Developer sandbox tools

Using the RingCentral Phone for Desktop, you can dial or receive test calls, send and receive test SMS or Fax messages in your sandbox environment.

Download RingCentral Phone for Desktop:

Tip: switch to the "sandbox mode" before logging in the app:

  • On MacOS: press "fn + command + f2" keys
  • On Windows: press "Ctrl + F2" keys