Long lived tokens

  • Problem
  • Updated 2 years ago
  • Not a Problem
When using the authorization flow, is there a way to increase the refresh token TTL to be more than a week?

I have seen with other OAuth implementations that the refresh token TTL is refreshed or increased every time the access token is used.

The advantage of this is that a regular user of the API will not need to re-authorise weekly.

Thanks,

Janielle


Posted 2 years ago


Benjamin Dean, Alum

AFAIK, 7 days is the maximum amount of time which can be set for a refresh token (and becomes the default value if the specified value is greater than this maximum).

Janielle

If that's the case, then we may need to swap to password flow.

Which would mean that every RingCentral client we integrate with would need to create an App for us to use and then provide us with their App Key and App Secret. We'd also need to store each user's login details, which isn't ideal.

Going back to the Authorization Flow, if someone is actively using the API with an Access Token, then each request using this token should reset the Refresh Token's TTL.

John Wang, Official Rep

"The advantage of this is that a regular user of the api will not need to re-authorise weekly"

Our SDKs automatically manage token refresh for you, so if you are using the API regularly (at least once a week), you should not notice any need to manually re-authorize.

This page has a link to our SDKs:

https://developers.ringcentral.com/library/sdks.html

Some questions:

  1. How often is your app making API calls? Is it at least once a week?
  2. Are you using one of our SDKs, and if so, which one?

John Wang, Official Rep

Hi Janielle,

Can you let us know why you're using the REST API directly and not one of our SDKs? I'm curious since we're always trying to improve our SDKs and your reasoning could let us know what we can work on.

Thanks

Janielle

Hi John,

It's because of documentation: the REST API is really well documented, but the Python SDK is very sparse. Implementing with the API has, for the most part, been pretty straightforward.

Janielle

Anton,

The animated gif below shows that each time I do a refresh, the refresh_token_expires_in parameter decreases. If it's not clear, it goes from 604006, to 603979, to 603966 and then 603956. You'll also notice the access token TTL decreasing too.

Perhaps it works differently on sandbox versus the production environment?

Thanks,


Anton Nikitin, Official Rep

The reason why you see such behavior is that you try to refresh with the same refresh token every time. So on the first attempts we issue a new pair with some TTLs, and then on the following attempts we just return the same pair, so the TTL in the response is decreasing (token replays work for several minutes; after that it will start rejecting this outdated refresh token).

If you do it properly and send the new refresh token in the request every time, you will not see TTL degradation.

Janielle

Thanks Anton, I understand now. I didn't realise a new refresh token is issued on each refresh request. It's working as you described it, thanks again.
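
The rotation behaviour described in this thread, as an added example that is not part of the original posts and is not RingCentral code: a constructed in-memory token endpoint (`FakeAuthServer`, hypothetical) and a client that stores the refresh token from each response. The 300-second replay window is an assumption; the thread only says "several minutes".

```python
import secrets

REFRESH_TTL = 604800    # 7 days in seconds, the maximum mentioned in the thread
REPLAY_WINDOW = 300     # assumed value; the thread only says "several minutes"

class FakeAuthServer:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""
    def __init__(self, first_refresh_token):
        self.now = 0                          # simulated clock, in seconds
        self.current = first_refresh_token    # the only token that triggers rotation
        self.replays = {}                     # spent token -> (issued pair, issue time)

    def refresh(self, presented):
        if presented == self.current:         # valid token: rotate, issue a new pair
            pair = {"access_token": secrets.token_hex(8),
                    "refresh_token": secrets.token_hex(8)}
            self.current = pair["refresh_token"]
            self.replays[presented] = (pair, self.now)
        pair, issued = self.replays.get(presented, (None, None))
        if pair is None or self.now - issued > REPLAY_WINDOW:
            raise PermissionError("refresh token is outdated")
        # A replay returns the same pair, so the reported TTL has aged since issue.
        return dict(pair, refresh_token_expires_in=REFRESH_TTL - (self.now - issued))

class TokenClient:
    """Keeps the refresh token from the last response and sends that one next."""
    def __init__(self, server, refresh_token):
        self.server, self.refresh_token = server, refresh_token

    def refresh(self):
        resp = self.server.refresh(self.refresh_token)
        self.refresh_token = resp["refresh_token"]    # persist the rotated token
        return resp["refresh_token_expires_in"]

def demo():
    """Return the TTLs seen when reusing one token versus sending the newest one."""
    buggy = FakeAuthServer("rt-initial")
    reused = []
    for _ in range(3):
        reused.append(buggy.refresh("rt-initial")["refresh_token_expires_in"])
        buggy.now += 10                       # 10 simulated seconds between calls
    client = TokenClient(FakeAuthServer("rt-initial"), "rt-initial")
    rotated = []
    for _ in range(3):
        rotated.append(client.refresh())
        client.server.now += 10
    return reused, rotated

if __name__ == "__main__":
    print(demo())
```

In a real integration the rotated refresh token has to be written to durable, access-controlled storage before the next call, otherwise a restart falls back to a spent token.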