I currently have an app in the app gallery, and it links to a web page where users can log in and use my app for their account. I'm using the three-leg authorization flow for authorization. And for the most part, this works great.
However, I would like to make the experience better for my users. And I would also like to make sure I am implementing the three-leg auth flow correctly.
The most serious problem occurs when a user clicks on the link from the app gallery and is directed to my app page, and then, they have to leave their desk (before logging in) and the page just sits there for more than 20 minutes. We are validating to prevent cross-site forgery, and the session variable is gone if they try to log in after it has been sitting there for more than 20 minutes. When that happens, they have to go through the auth flow twice (after they return to their desk).
The second problem is that it just seems like too many clicks. The user clicks on the link in the app gallery, and is then shown a page where they have to click another button to log in. And then they go through the login flow process. Of course I can show some marketing messages on that page and such, but we already have that in the app gallery page. I don't want to bombard them with marketing.
The third problem occurs when they are using the app, and their session times out, and they have to log in again. When that happens, my app redirects them to the login page, from which, again, they have to click on "log in" again, and then they are taken to the RingCentral auth page. It would be nice to just neatly direct them straight to the RingCentral auth page.
I'm fairly new to the OAuth process, and I am not completely sure that I am implementing it correctly. Is this type of flow normal? Am I just not thinking of it correctly? It seems like I might be missing something, since there is still the issue of the session cross-site forgery variable becoming stale.
Thanks for the help.
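One way the first problem (the CSRF `state` value dying with the server session) and the third problem (sending the user straight back to where they were after re-auth) are commonly handled: instead of storing `state` in the server session, sign it with a server secret and bind it to a browser cookie that outlives the session. The callback then needs nothing from session storage to check it. This is an added example written for this thread, not code from the original post or from RingCentral; the secret, the 30-minute lifetime, the cookie name and the URLs are assumptions, and the authorization endpoint parameters are the generic OAuth 2.0 authorization-code ones.

```python
"""Stateless, cookie-bound OAuth 'state' token (added example, not from the post).

Assumptions: a Python backend, HMAC-SHA256 with a server-side secret, and a cookie the
app sets when it starts the authorization flow (HttpOnly, SameSite=Lax, Max-Age >= TTL).
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Assumed: how long a pending login may sit before the state is considered stale.
# Deliberately longer than the 20-minute server session so the callback still validates.
STATE_TTL_SECONDS = 30 * 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, payload: bytes) -> str:
    return _b64url(hmac.new(secret, payload, hashlib.sha256).digest())


def start_authorization(secret: bytes, authorize_url: str, client_id: str, redirect_uri: str,
                        return_to: str = "/", now: Optional[float] = None) -> Tuple[str, str, str]:
    """Build the authorization redirect and the cookie value that must accompany it.

    Returns (full_authorize_url, state, nonce). The caller redirects the browser to the
    URL and sets `nonce` as an HttpOnly, SameSite=Lax cookie with Max-Age >= STATE_TTL_SECONDS.
    `return_to` is carried inside the signed state so the callback can send the user back
    to the page they were on (e.g. after a session timeout) without any session storage.
    """
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    claims = {"n": nonce, "t": int(now), "r": return_to}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    state = _b64url(payload) + "." + _sign(secret, payload)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return authorize_url + "?" + urlencode(params), state, nonce


def verify_state(secret: bytes, state: Optional[str], cookie_nonce: Optional[str],
                 now: Optional[float] = None) -> Optional[str]:
    """Validate the `state` returned to the callback.

    Checks the signature, the issue time (within TTL) and that the nonce inside the state
    matches the browser's cookie, which is what makes it a CSRF check rather than just a
    well-formed token. Returns the safe local return_to path, or None if anything fails.
    """
    now = time.time() if now is None else now
    if not state or "." not in state or not cookie_nonce:
        return None
    encoded, sig = state.rsplit(".", 1)
    try:
        payload = _b64url_decode(encoded)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(secret, payload), sig):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    issued, nonce, return_to = claims.get("t"), claims.get("n"), claims.get("r", "/")
    if not isinstance(issued, int) or not (0 <= now - issued <= STATE_TTL_SECONDS):
        return None  # stale (user left for too long) or clock-skewed token
    if not isinstance(nonce, str) or not hmac.compare_digest(nonce.encode(), cookie_nonce.encode()):
        return None  # state was not issued to this browser
    # Only allow same-site relative paths so the callback is not an open redirect.
    if not isinstance(return_to, str) or not return_to.startswith("/") or return_to.startswith("//"):
        return "/"
    return return_to
```

Because nothing here lives in the server session, the landing page handler can call `start_authorization` and redirect immediately (removing the extra "log in" click from the second problem), and a session-timeout handler can do the same with `return_to` set to the page the user was on. The one thing that still expires is the state itself, by design, after `STATE_TTL_SECONDS`; a user who returns later simply starts the flow once, not twice.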