
OAUTH token refresh oddity

Question asked by Bryan Hunt on Mar 16, 2017
Latest reply on Mar 22, 2017 by Bryan Hunt

Hello,

 

I am trying out the API using the OAUTH security methods.

I was able to successfully generate my Access and Refresh tokens via this method:

POST

{
"grant_type":"password",
"client_id":"sugar",
"client_secret":"",
"username":"admin",
"password":"aaaaaaaaa",
"platform":"bbbbb"
}

 

Which returned: 

{
"access_token": "11111111-1111-1111-1111-111111111111",
"expires_in": 3600,
"token_type": "bearer",
"scope": null,
"refresh_token": "22222222-2222-2222-2222-222222222222",
"refresh_expires_in": 1209599,
"download_token": "33333333-3333-3333-3333-333333333333"
}

 

All good, except that I was surprised to see that the refresh token expired in only 14 days.  Most of the OAUTH sites that we deal with have a 2 year refresh token expiration.

 

After the initial Access Token expires, I try to generate a new one with:

POST

{
"grant_type":"refresh_token",
"client_id":"sugar",
"refresh_token":"22222222-2222-2222-2222-222222222222"
}

 

Which returns: 

{
"access_token": "44444444-4444-4444-4444-444444444444",
"expires_in": 3600,
"token_type": "bearer",
"scope": null,
"refresh_token": "55555555-5555-5555-5555-555555555555",
"refresh_expires_in": 1209599,
"download_token": "66666666-6666-6666-6666-666666666666"
}

 

I get the new Access Token as expected, but it also generates a new Refresh Token.  And, the old Refresh Token is no longer valid.

 

So, this raised two questions: 

- Why does a new Refresh Token get generated when trying to generate a new Access Token?  Is the syntax of my POST incorrect?

- Why only 14 days on the Refresh Token expiry?  I believe that I saw somewhere that the length of the expiry could be extended somehow?

 

Thanks.

 

Bryan Hunt
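
The behaviour described in the post, where each refresh returns a new refresh token and the old one stops working, means a client has to save the replacement every time it refreshes. The following is an added example, not part of the original post or of Sugar's code: `RotatingTokenClient`, the injected `post` transport and `FakeTokenEndpoint` are hypothetical names, and the fake endpoint is a constructed stand-in that mimics the rotation shown in the post.

```python
import json, os, tempfile, time, uuid

class RotatingTokenClient:
    """Persists tokens and follows refresh-token rotation (hypothetical helper).
    post: callable taking the JSON body as a dict and returning the parsed reply."""
    def __init__(self, post, path, client_id="sugar"):
        self.post, self.path, self.client_id = post, path, client_id

    def _save(self, resp):
        # Store the replacement refresh token atomically; the previous one is
        # already rejected by the server, so losing this write forces a re-login.
        now = time.time()
        state = {"access_token": resp["access_token"],
                 "refresh_token": resp["refresh_token"],
                 "access_expires_at": now + resp["expires_in"],
                 "refresh_expires_at": now + resp["refresh_expires_in"]}
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")  # 0600
        with os.fdopen(fd, "w") as f:
            json.dump(state, f)
        os.replace(tmp, self.path)
        return state

    def login(self, username, password, platform):
        return self._save(self.post({
            "grant_type": "password", "client_id": self.client_id,
            "client_secret": "", "username": username,
            "password": password, "platform": platform}))

    def access_token(self, skew=60):
        with open(self.path) as f:
            state = json.load(f)
        now = time.time()
        if now < state["access_expires_at"] - skew:
            return state["access_token"]          # still valid, no network call
        if now >= state["refresh_expires_at"]:
            raise RuntimeError("refresh token expired; password login required")
        return self._save(self.post({
            "grant_type": "refresh_token", "client_id": self.client_id,
            "refresh_token": state["refresh_token"]}))["access_token"]

class FakeTokenEndpoint:
    """Constructed stand-in for the server: issues a new refresh token each time."""
    valid_refresh = None
    def __call__(self, body):
        if (body["grant_type"] == "refresh_token"
                and body["refresh_token"] != self.valid_refresh):
            raise PermissionError("invalid_grant")   # old refresh token replayed
        self.valid_refresh = str(uuid.uuid4())
        return {"access_token": str(uuid.uuid4()), "expires_in": 3600,
                "refresh_token": self.valid_refresh, "refresh_expires_in": 1209599}
```

In real use `post` would wrap an HTTPS call to the token endpoint; the token file holds live credentials and should stay readable only by the account running the client.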
