question

Joseph Leedy avatar image
Joseph Leedy asked Joseph Leedy commented

Need Advice On Storing Client ID and Secret

Hello,

I'm new to RingCentral and a little confused about the best practices around managing the Client ID and Client Secret.

I'm building an integration for an e-commerce platform to allow transactional order messages to be sent to customers via SMS. In the past, with other API integrations, I've created an interface in the platform's Admin panel where the merchant (owner of the store/website) can configure their access credentials that are used for retrieving the API token.

If I understand RC correctly, however, I must first create an App and then somehow provide the merchant with its Client ID and Client Secret. Those values, in turn, would be used to collect the merchant's access credentials (in the Admin panel) via OAuth or a JWT.

Is it safe to store the Client ID and Client Secret in my integration, or is there a better way to provide them to the merchant?

My intention is to make this integration available publicly to merchants and have it be as simple as possible to set up.

sms and text messagingsending sms
2 comments
1 |3000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Phong Vu avatar image Phong Vu ♦♦ commented ·

I am not clear about the integration and the service to give you best advice.

Do you expect one setup per RingCentral account, and all users under that account can use your integration as your integration will send SMS from a chosen phone number? Or, do you expect that each user (in a RingCentral account) will do the setup for himself/herself and your app will send SMS from his/her own phone number?

0 Likes 0 ·
Joseph Leedy avatar image Joseph Leedy Phong Vu ♦♦ commented ·

It would be the former. One RingCentral user, the merchant, would configure the integration to use their phone number to send messages to their customers.

0 Likes 0 ·

1 Answer

Phong Vu avatar image
Phong Vu answered Joseph Leedy commented

You can create a public app to allow users to login the app using 3-legged authorization or JWT. There are pros and cons with each auth methods. And each method requires different implementation on your side. For both methods, you should keep the app client id and client secret on your server side!

- 3-Legged authorization: you will provide a login page and after a user (the one who own the phone number for sending SMS messages) logs in, you will keep the tokens and handle auto refresh to keep the access token always valid (1 hour) until if the user logs out.

- JWT: you will provide a login page with some instruction and the app client id. A user (the one who own the phone number for sending SMS messages) will copy the app client id and follow the instructions to login their own RingCentral developer portal to generate a JWT for your app. Then on your login page, let them submit the JWT token to your server. Then you will store the JWT token on your database (together with any other user data) and use the JWT token to get the access token when you need to send SMS messages for that customer. You don't need to implement the auto refresh feature, but you should not use the JWT token to get an access token every time you send a text message (otherwise, you will hit the auth rate limit 5 calls/minute). Instead, keep the tokens object and check the access token expiration time, if the access token is still valid (for 1 hour), use it, if it expires, check if the refresh token is still valid (for 7 days). If the refresh token is still valid, use it to refresh and get a new access token (also new refresh token). If the refresh token also expires, use the JWT token to get a new token.

1 comment
1 |3000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Joseph Leedy avatar image Joseph Leedy commented ·

Thanks. Both scenarios align with my thought process.

My real question was about how to safely store the Client ID and Client Secret. I've reviewed a few other integrations written to connect this particular platform with third-party services via OAuth and I see that they are hard-coding those values in their codebase, so I will follow the same pattern.

0 Likes 0 ·

Developer sandbox tools

Using the RingCentral Phone for Desktop, you can dial or receive test calls, send and receive test SMS or Fax messages in your sandbox environment.

Download RingCentral Phone for Desktop:

Tip: switch to the "sandbox mode" before logging in the app:

  • On MacOS: press "fn + command + f2" keys
  • On Windows: press "Ctrl + F2" keys