Most of the developers come across the issue of how to handle access token and refresh token renewal process. Here is an efficient way of handling these issues.
Access token lifetime is 3600s = 1 hour
Refresh token lifetime is 7 days(1 week)
There are 2 ways to handle the renewal process:
1. Renew access token and refresh token for every 1 hour. The expires_at time provides allows you to know when you need to refresh a token and regularly checking it will allow you to refresh it as and when required. Also, you should detect when any RingCentral API you are calling returns an HTTP Status Code 401 (Unauthorized).
You can refresh a token that is not expired. The previous access token will be immediately purged and a new access token will be returned. There will only ever be one active access token at a time for each instance. The only downside is the time it takes to issue those refresh commands, so we don't recommend refreshing tokens constantly as it will slow down your app.
2. If you can’t change the app as mentioned above (for instance, if the app is stateless and you cannot store access/refresh tokens), you should pass “refresh_token_ttl=0” parameter along with /oauth/token API so that refresh tokens are expired immediately after creation.
Access token lifetime is 3600s = 1 hour
Refresh token lifetime is 7 days(1 week)
There are 2 ways to handle the renewal process:
1. Renew access token and refresh token for every 1 hour. The expires_at time provides allows you to know when you need to refresh a token and regularly checking it will allow you to refresh it as and when required. Also, you should detect when any RingCentral API you are calling returns an HTTP Status Code 401 (Unauthorized).
You can refresh a token that is not expired. The previous access token will be immediately purged and a new access token will be returned. There will only ever be one active access token at a time for each instance. The only downside is the time it takes to issue those refresh commands, so we don't recommend refreshing tokens constantly as it will slow down your app.
2. If you can’t change the app as mentioned above (for instance, if the app is stateless and you cannot store access/refresh tokens), you should pass “refresh_token_ttl=0” parameter along with /oauth/token API so that refresh tokens are expired immediately after creation.
We provide the developers with SDKs for Javascript, PHP and python which will automatically handle reusing of tokens across instances. You can find the SDKs and documentations here: https://github.com/ringcentral .
VB, Official Rep
-
1,510 Points
Posted 4 years ago
-
100 Points
-
146 Points
I'm testing this on my own system, and it appears even after a refresh, I can still use the old Access token until it hits its original expiration date. Is that how it's supposed to work?
I just want to make sure that if someone makes a call right when a refresh is occurring such that they grab the existing Access Token, then the refresh occurs, then they actually make the API call, it won't error out.
I just want to make sure that if someone makes a call right when a refresh is occurring such that they grab the existing Access Token, then the refresh occurs, then they actually make the API call, it won't error out.
(Edited)
Phong Vu, Devangelist
-
4,796 Points
I think getting a new access token by using a refresh token will not automatically revoke the old access token it it's not expired. You should always check if the access token expires, then use the refresh token to get a new access token.
If the access token is still valid while you request for a new access token, you can call the revoke token endpoint to revoke the old access token.
Using RingCentral SDKs would be the most convenient way to handle authentication. Check out these tutorials to see if you can use in your app.
JS SDK: https://ringcentral-tutorials.github.io/password-flow-authentication-nodejs-demo//?distinctId=139891...
Python SDK: https://ringcentral-tutorials.github.io/password-flow-authentication-python-demo/?distinctId=1398916...
PHP SDK: https://ringcentral-tutorials.github.io/password-flow-authentication-php-demo//?distinctId=139891602...
+ Phong
If the access token is still valid while you request for a new access token, you can call the revoke token endpoint to revoke the old access token.
Using RingCentral SDKs would be the most convenient way to handle authentication. Check out these tutorials to see if you can use in your app.
JS SDK: https://ringcentral-tutorials.github.io/password-flow-authentication-nodejs-demo//?distinctId=139891...
Python SDK: https://ringcentral-tutorials.github.io/password-flow-authentication-python-demo/?distinctId=1398916...
PHP SDK: https://ringcentral-tutorials.github.io/password-flow-authentication-php-demo//?distinctId=139891602...
+ Phong
-
146 Points
Thanks, Phong.
I'm going to discuss our particular situation (developing in C#, running multiple WebAPI instances with a multi-user environment) directly with my RingCentral technical contact, and if anything interesting comes up, I'll post it here in case anyone else has the same situation.
I'm going to discuss our particular situation (developing in C#, running multiple WebAPI instances with a multi-user environment) directly with my RingCentral technical contact, and if anything interesting comes up, I'll post it here in case anyone else has the same situation.
Lee
The fact I have to have my end users authenticate with RingCentral instead of allowing me as a super admin via server side only on some features is also annoying the hell out of my end users.
I'm integrated with other platforms like RightSignature and it's so much easier. Thank god not every service requires this. If I had known of these issues (even after using the dev platform some problems I didn't find until we went live) I would not have moved off our old internal phone system this year.
While the API team is very responsive to questions and even personally contacted me to help resolve a major issue I was having they do seem to be short staffed if they can't push out updates in a timely manner. It's been over a year for an issue that was first reported (at least publicly on this forum) of not being able to set the caller id on RingOut (except a crazy work around of setting the extension caller id and then having to update it back again after the call connects).
Rick Smith