Need Authorization Help

  • Updated 10 months ago
I'm trying to help my developer and he needs an example of some sort.

We are currently using the authorization flow method for retrieving tokens. This is a concern as the refresh tokens time out within an hour. We are using a text app that triggers text globally, so it's a 24-hour operation that doesn't have someone available to log in and authorize the app every hour. With the call log app, we pull that data throughout the day and night, so we'll need the authorization current for that as well.

Has anyone been able to get the authorization access and refresh tokens to renew on an automatic basis? For example, the initial login and authorization of the app would be done once, then the refresh token would be renewed every 55-57 minutes and the access token would be renewed every six days. Even if the user has to do an initial login and authorization, that's fine, as long as the subsequent authorization tokens are automated.

I'm looking for any ideas or solutions, preferably with some sort of example to walk my developer through, even if it's just a basic one. Thanks!

SVRS DEV


Posted 10 months ago


Stephanie

I used the same system to oauth my application. The token is valid for one hour, that is true, but the refresh token is valid for a week. 
I don't do a request every hour, so what I did is before doing any request, I check if the token is still valid (with the expiration date). If yes, I keep the token and do my request. If not, I use the refresh token to renew my token and save the new token, the new refresh token, and the new expiration date.
I also have a cron running every day that renews the token if the refresh token arrives at expiration.
I don't know if this is the best solution but it is one that is working for me :-)

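That's what I did to refresh my token in Ruby:

    require 'json'
    require 'rest-client'
    # Client credentials are sent as HTTP Basic auth options instead of inside the URL; the hash payload is form-encoded by RestClient
    url = "https://#{api_server_url}/restapi/oauth/token"
    headers = {accept: :json, content_type: 'application/x-www-form-urlencoded'}
    parameters = {refresh_token: refresh_token, grant_type: 'refresh_token'}
    response = JSON.parse(RestClient::Request.execute(method: :post, url: url, payload: parameters,
                          headers: headers, user: client_id, password: client_secret))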

=> in the response I have the new access token and the new refresh token that I saved for later. 

Hope it will help you.

SVRS DEV

Awesome, thanks! That was helpful. 

I guess what my developer is having a hard time understanding is how to automate the credential request from the beginning. He's under the impression this can only be done manually through a redirect. So, with your example above, how did you do the initial authorization? How did you make it so it was not a manual process? We can do the initial credential entry and authorization of the app via redirect, but would need to automate after that.

Stephanie

So the first authorization is through oauth2.
I have a button in our application redirecting to GET /connect:

    require 'base64'
    require 'json'
    require 'oauth2'

    def connect
      # urlsafe_encode64 keeps newlines and +/ characters out of the state value (encode64 inserts them)
      state_parameter = Base64.urlsafe_encode64({my_param: param}.to_json)
      client = OAuth2::Client.new(client_id, client_secret, {:authorize_url => "https://#{api_server_url}/restapi/oauth/authorize"})
      redirect_to client.auth_code.authorize_url(redirect_uri: redirect_uri, response_type: 'code', state: state_parameter)
    end

The redirect_uri should be the same as the one you set up in your dev account. In order to test in dev, you can add one without https like http://localhost/your/path/oauth2callback.
At this point, the user has to enter the login/pwd of his RingCentral account, he has to authorize the access to the information you set, and RingCentral redirects you as POST to your redirect URI.

You should create a route POST /oauth2callback.
There you get a code that you exchange for a token.

    require 'json'
    require 'rest-client'

    # params[:code] is the authorization code delivered to the callback route
    post_params = {client_id: client_id, code: params[:code],
                   grant_type: 'authorization_code', redirect_uri: redirect_uri}
    resp = JSON.parse(RestClient.post("https://#{api_server_url}/restapi/oauth/token", post_params))

In resp you have your token, keep it in your DB.
This way there is nothing manual, it is all automatic and the user is asked to accept the permission just once.

It is a classic oauth2 process, you ask for a code, then you exchange the code for a token. You keep the token and refresh it.
Hope it helps.
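
The check-before-each-request and daily-cron renewal described in the answers above, as an added example that is not part of the original posts or of RingCentral's own code. The names `TokenManager`, `ReauthorizationRequired`, the injected `refresher` (standing in for the POST to /restapi/oauth/token) and the response fields `expires_in` and `refresh_token_expires_in` are assumptions.

```ruby
class ReauthorizationRequired < StandardError; end

class TokenManager
  SKEW = 60 # seconds of safety margin before a stated expiry (assumed value)
  attr_reader :tokens # persist this hash (e.g. in the DB) after every call

  # tokens:    :access_token, :refresh_token, :access_expires_at, :refresh_expires_at (Time)
  # refresher: callable taking the refresh token, returning the parsed token response
  # clock:     callable returning the current Time (injected so the logic is testable)
  def initialize(tokens, refresher:, clock: -> { Time.now })
    @tokens, @refresher, @clock, @lock = tokens, refresher, clock, Mutex.new
  end

  # Call before every API request: refreshes only when the access token is (nearly) expired.
  def access_token
    @lock.synchronize do # one refresh at a time, so a refresh token is never replayed
      refresh! if expired?(:access_expires_at)
      @tokens[:access_token]
    end
  end

  # Call from the daily cron: renews when the refresh token lapses within `within` seconds.
  def keep_alive(within: 2 * 86_400)
    @lock.synchronize do
      return false if @tokens[:refresh_expires_at] - @clock.call > within
      refresh!
      true
    end
  end

  private

  def expired?(key)
    @clock.call >= @tokens[key] - SKEW
  end

  def refresh!
    # A lapsed refresh token cannot be renewed: the user must go through the redirect again.
    raise ReauthorizationRequired, 'refresh token expired' if expired?(:refresh_expires_at)
    resp = @refresher.call(@tokens[:refresh_token])
    now = @clock.call
    # Replace all four values together; the previous refresh token is superseded.
    @tokens = { access_token: resp.fetch('access_token'),
                refresh_token: resp.fetch('refresh_token'),
                access_expires_at: now + resp.fetch('expires_in'),
                refresh_expires_at: now + resp.fetch('refresh_token_expires_in') }
  end
end
```

Store the token hash encrypted or with restricted access, since the refresh token is a long-lived credential for the user's account.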