Forum Discussion

Hari329's avatar
Hari329
Adept
10 years ago

Using the authorization grant flow via a back-end API call

Hi ,   We are planning to use " authorization grant flow  via a back-end API call ". Could you please let me know the process to get the access token and refresh token after we create API-only user...
Hari329's avatar
Hari329
Adept

Hi Paolo Tagliaferri,

Thanks a lot for the update.

Our understanding based on the article is that , refresh token never expires. So we were thinking option of logging in to our social community site with API-only user manually and retrieve both access and refresh tokens (without spending any extra efforts to code administrative module for user log in) and save these tokens in our system for sub sequent calls as refresh token has no expiry time.

Below is point I was referring to :
----------------------------------------- -----------------------------------------
5th point mentioned in http://community.lithium.com/t5/Community-API-v2/OAuth-2-0-authorization-grant-flow/ta-p/138402


The access token is valid for 24 hours. You can refresh the access tokenif needed. A refresh token can be issued at any time, but typically not until the access token expires. The refresh token does not expire.

And also

Below note from : http://community.lithium.com/t5/Community-API-v2/OAuth-2-0-authorization-grant-flow/ta-p/138402#refreshAccessToken

Refresh the access token
An access token is valid for 24 hours before it expires. Refresh the token within that time period, or the user will go through the authentication flow again. When you pass the refresh token, the Authorization Service, issues new access and refresh tokens. Store the new refresh token in case you need it for subsequent refreshes. The refresh token does not expire
----------------------------------------- -----------------------------------------

As per your comments , it seems refresh token also has expiry time (we need to call either API or log in manually to get the new refresh token after every 24 hours). Could you please clarify below queries so that we can decide based on your comments.


  1. Is refresh token expires after every 24 hours ?
  2. Do we need to implement admin module to log in manually for getting the access and refresh tokens ?
  3. If refresh token has expiry time and need to obtain manually every time then I think we can’t go ahead with this process as expectation for this integration in through back end mechanism. Instead we need to look for other mechanism something like API Session Keys approach


Thanks a lot for your support,
Hari

PaoloT's avatar
PaoloT
Lithium Alumni (Retired)
10 years ago

Hi Hari329

 

I think you are right - I may have mis-read the documentation myself! Whoops :-) It does state that the refresh token does not expire.

 

For the admin module: this was more some "food for thought" for my side - I don't think you are strictly required to implement it. It depends on how you are planning to manage the integration.

 

Apologies for the confusion!