Forum Discussion
14 Replies
- PaoloT, 10 years ago, Lithium Alumni (Retired)
Hi Hari329
the "Authorization Grant" flow is interactive and therefore not suitable for a server-to-server integration. You could of course log in manually with the "API user" via the browser and obtain an access and refresh token, and then use these directly, but I don't think this would be suitable for a back-end integration.
What I suggest for the time being is to see whether you can use rest V1 in that scenario, for the time being.
Thanks,
- PaoloT, 10 years ago, Lithium Alumni (Retired)
To clarify my above response, you could also approach this by coding an administrative interface which allows an authorized admin user to link your application via the interactive flow (using the API-only account) and then persists the tokens that will be used for the subsequent calls. This would also allow you to refresh the tokens if they become invalid and for some reason it's not possible to get a new one via a refresh token etc...
- Hari329, 10 years ago, Adept
Hi Paolo Tagliaferri,
Thanks for the information. Below are the steps we planned:
1. Create API user
2. Log in manually with the "API user" to our Lithium Communities site and obtain an access and refresh token. Could you please help me to understand the steps involved in obtaining the access and refresh key after logging in?
3. Once we get the access and refresh key with the manual log-in process, we are planning to store it in our system to use whenever we are calling Lithium Communities using the REST API to get the data.
Do you see any issues with the above process?
And also could you please elaborate on the administrative interface process you mentioned below?
Thanks a lot for your support,
Hari
- PaoloT, 10 years ago, Lithium Alumni (Retired)
Hi Hari329
I think this is described in the documentation I have linked. Essentially, you have 24 hours to use your refresh token to obtain a new refresh/access token pair. If more time passes, you may need to re-do the initial authentication log-in flow.
Re the administrative interface part: I am referring to the "manual" login part - this could be done via an appropriate UI (an administrative interface to obtain valid tokens) rather than completely manually.
Cheers,
- Hari329, 10 years ago, Adept
Hi Paolo Tagliaferri,
Thanks a lot for the update.
Our understanding based on the article is that the refresh token never expires. So we were thinking of the option of logging in to our social community site with the API-only user manually, retrieving both access and refresh tokens (without spending any extra effort to code an administrative module for user log-in) and saving these tokens in our system for subsequent calls, as the refresh token has no expiry time.
Below is the point I was referring to:
-----------------------------------------
5th point mentioned in http://community.lithium.com/t5/Community-API-v2/OAuth-2-0-authorization-grant-flow/ta-p/138402
The access token is valid for 24 hours. You can refresh the access token if needed. A refresh token can be issued at any time, but typically not until the access token expires. The refresh token does not expire.
And also
Below note from: http://community.lithium.com/t5/Community-API-v2/OAuth-2-0-authorization-grant-flow/ta-p/138402#refreshAccessToken
Refresh the access token
An access token is valid for 24 hours before it expires. Refresh the token within that time period, or the user will go through the authentication flow again. When you pass the refresh token, the Authorization Service issues new access and refresh tokens. Store the new refresh token in case you need it for subsequent refreshes. The refresh token does not expire.
-----------------------------------------
As per your comments, it seems the refresh token also has an expiry time (we need to call either the API or log in manually to get the new refresh token after every 24 hours). Could you please clarify the below queries so that we can decide based on your comments.
- Does the refresh token expire after every 24 hours?
- Do we need to implement an admin module to log in manually for getting the access and refresh tokens?
- If the refresh token has an expiry time and needs to be obtained manually every time, then I think we can't go ahead with this process, as the expectation for this integration is a back-end mechanism. Instead we need to look for another mechanism, something like the API Session Keys approach.
Thanks a lot for your support,
Hari
- PaoloT, 10 years ago, Lithium Alumni (Retired)
Hi Hari329
I think you are right - I may have misread the documentation myself! Whoops :-) It does state that the refresh token does not expire.
For the admin module: this was more some "food for thought" for my side - I don't think you are strictly required to implement it. It depends on how you are planning to manage the integration.
Apologies for the confusion!
- Hari329, 10 years ago, Adept
Hi Paolo Tagliaferri,
Thanks for coming back to me.
So, the refresh token won't expire as per the documentation provided by Lithium. In this case, I should be able to log in to the Lithium community site manually with the API-only user and obtain the access & refresh token.
This can be used for any request from back-end API code with no time bound.
One last help - could you please guide me through the steps to obtain the access and refresh token? I am talking to our Lithium admin user to create an API-only user for this purpose. It would be greatly helpful if you could send me the steps for the same or include/connect me with anyone from the Lithium support team for help.
Thanks a lot for your support,
Hari
- Hari329, 10 years ago, Adept
Hi Paolo Tagliaferri,
Could you please help me in obtaining the keys using the manual log-in process?
Thanks,
Hari
- PaoloT, 10 years ago, Lithium Alumni (Retired)
Hi Hari329 -
you will need to get initially set up via Lithium Support (which I believe you already did) - and then follow the steps described in the guide. It is a classic OAuth handshake to obtain an access token and a refresh token, and you will need to issue the calls according to that flow as described in our knowledge base article and also on other resources available online. I hope this helps; if not, please get in touch with our Support department and they may be able to guide you further.
Thanks,
- PaoloT, 10 years ago, Lithium Alumni (Retired)
Hi Hari329
further to the above. The documentation mentions the following:
> Using the authorization grant flow via a back-end API call
> The authorization grant flow assumes that a web browser is involved during authentication. If you want to use a back-end API call for OAuth, create an API-only user with appropriate permissions to make the API calls. This API-only user must login once through the community using the authorization flow to receive access and refresh tokens. From there on subsequent authenticated, backend API calls can be made using the tokens.
What that means is, even if the user will be used for back-end calls, they will still need to go through the standard OAuth interactive exchange for the first login, to make sure that you can get a valid access token and refresh token for that user. The below diagram (from the KB page) depicts the interactive exchange (which is the same used for normal, non-API users).
At the end of the process (which can be initiated with any suitable HTTP client, manually) you will have obtained an access token and a refresh token, and you can then store them in your application for subsequent calls.
SuzieH - it looks like our KB page may need some more detail to avoid confusion around this manual step required for backend users. Is that something you can help with?
Thanks,
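The pattern the thread converges on (one interactive login for the API-only user, then a stored access/refresh pair that the back end renews itself, as in the KB excerpt quoted earlier about storing the new refresh token) can be expressed as a small client. The code below is an added illustration, not code from the original thread or from Lithium. It assumes nothing about Lithium's token endpoint: the HTTP POST that exchanges a refresh token is abstracted as `refresh_fn`, and a constructed `FakeAuthService` stands in for the authorization service so the example runs offline. The 24-hour access-token lifetime comes from the thread; the five-minute early-refresh margin, the file permissions, and the fake service's rejection of an already-exchanged refresh token are assumptions of this example.

```python
"""Persist and renew the token pair of a back-end (API-only) OAuth 2.0 user.

Added example. The real refresh call is an HTTP POST to the token endpoint
documented in the KB (endpoint URL not reproduced here); plug it in as
`refresh_fn(refresh_token) -> (access_token, refresh_token)`.
"""
import json
import os
import secrets
import tempfile
import time
from dataclasses import asdict, dataclass
from typing import Callable, Dict, Optional, Tuple

ACCESS_TOKEN_LIFETIME = 24 * 60 * 60  # 24 hours, as stated in the thread
REFRESH_MARGIN = 5 * 60               # assumption: renew a little early

RefreshFn = Callable[[str], Tuple[str, str]]


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    obtained_at: float  # epoch seconds when this pair was issued

    def expires_at(self) -> float:
        return self.obtained_at + ACCESS_TOKEN_LIFETIME


class TokenStore:
    """JSON file holding the current pair. The refresh token is a long-lived
    credential, so the file is created owner-read/write only (0600)."""

    def __init__(self, path: str):
        self.path = path

    def load(self) -> Optional[TokenPair]:
        if not os.path.exists(self.path):
            return None
        with open(self.path) as fh:
            return TokenPair(**json.load(fh))

    def save(self, pair: TokenPair) -> None:
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(asdict(pair), fh)


class BackendClient:
    """Hands out a usable access token, renewing via the refresh token when
    the stored access token is about to expire."""

    def __init__(self, store: TokenStore, refresh_fn: RefreshFn,
                 now: Callable[[], float] = time.time):
        self.store, self.refresh_fn, self.now = store, refresh_fn, now
        self.pair = store.load()
        if self.pair is None:
            raise RuntimeError("no tokens on file: complete the interactive "
                               "login once and save its result first")

    def access_token(self) -> str:
        if self.now() >= self.pair.expires_at() - REFRESH_MARGIN:
            self.refresh()
        return self.pair.access_token

    def refresh(self) -> TokenPair:
        new_access, new_refresh = self.refresh_fn(self.pair.refresh_token)
        self.pair = TokenPair(new_access, new_refresh, self.now())
        self.store.save(self.pair)  # persist the NEW refresh token at once
        return self.pair


class FakeAuthService:
    """Constructed stand-in for the authorization service (not Lithium's)."""

    def __init__(self) -> None:
        self.valid_refresh: set = set()

    def issue(self) -> Tuple[str, str]:
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.valid_refresh.add(refresh)
        return access, refresh

    def refresh(self, refresh_token: str) -> Tuple[str, str]:
        # Assumption: an exchanged refresh token cannot be replayed.
        if refresh_token not in self.valid_refresh:
            raise PermissionError("invalid or already-exchanged refresh token")
        self.valid_refresh.discard(refresh_token)
        return self.issue()


def simulate() -> Dict[str, bool]:
    """Walk the client through 25 simulated hours and report what happened."""
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        svc, clock = FakeAuthService(), [1_700_000_000.0]
        store = TokenStore(path)
        first_access, first_refresh = svc.issue()   # result of the one-time login
        store.save(TokenPair(first_access, first_refresh, clock[0]))
        client = BackendClient(store, svc.refresh, now=lambda: clock[0])
        t_start = client.access_token()             # fresh pair, no refresh
        clock[0] += 23 * 3600
        t_23h = client.access_token()               # still inside the lifetime
        clock[0] += 2 * 3600
        t_25h = client.access_token()               # past 24 h: refresh happens
        on_disk = store.load()
        try:
            svc.refresh(first_refresh)
            old_rejected = False
        except PermissionError:
            old_rejected = True
        return {
            "no_refresh_before_expiry": t_start == first_access == t_23h,
            "refreshed_after_expiry": t_25h != first_access,
            "new_refresh_persisted": on_disk is not None
                and on_disk.refresh_token == client.pair.refresh_token
                and on_disk.refresh_token != first_refresh,
            "old_refresh_rejected": old_rejected,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(simulate())
```

The point to take from the simulation is the last two flags: once the service has issued a new pair, only the persisted new refresh token is good, so a back end that keeps using the original one from the manual login (or that crashes between receiving and saving the new pair) ends up back at the interactive login the thread is trying to avoid.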