What are the options if OAuth 2.0 token has expired and need to use longer?


We have an application that requires a user to authenticate, after which the calls require a valid OAuth 2.0 token. The authorized user is using the app for longer than the OAuth 2.0 token is set to live before it expires. What options are there for the user to continue using the application with the same OAuth token, or does the application have to get a new OAuth 2.0 token for the user to continue?
Is there any way to refresh an expired OAuth 2.0 token?

1 ACCEPTED SOLUTION

When the token expires, the token is no longer useful. The app cannot continue to use it. But the app can get a new token, and use THAT one.

OAuth2.0 provides a way for apps to get a new token, using the refresh_token. To make this work, the proxy should:

  • return 401 Unauthorized when the token is expired, with a message indicating something like "expired oauth token". You can do this with a FaultRule containing an AssignMessage policy. In the FaultRule, use the Condition fault.name = "access_token_expired".

The app must:

  • handle the 401 return code (check the message for "Expired oauth token")
  • POST to the /token endpoint with the refresh token
  • retrieve the new token
  • re-try the failed request

Your OAuth endpoint must support the refresh flow!
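The refresh-and-retry handling the answer describes, as an added client-side example that is not part of the original post or of any Apigee code: the token endpoint URL, HTTP Basic client authentication at /token, the JSON fault body and the `http` transport callable are assumptions, and `fake_http` is a constructed stand-in so the example runs offline.

```python
import json
from urllib.parse import urlencode, parse_qsl

TOKEN_URL = "https://api.example.com/token"  # assumed, not from the original post

class ReauthRequired(Exception):
    """The refresh grant failed: the user has to log in again."""

def is_expired_token_response(status, body):
    # The proxy's FaultRule for fault.name = "access_token_expired" answers 401 with
    # a message containing "expired oauth token"; any other 401 is not retried.
    return status == 401 and "expired oauth token" in body.lower()

def refresh_access_token(http, client_id, client_secret, refresh_token):
    # OAuth 2.0 refresh grant (RFC 6749 section 6): form-encoded POST to /token,
    # with the client authenticated by HTTP Basic (client_id, client_secret).
    form = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    status, body = http("POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"},
                        form, (client_id, client_secret))
    if status != 200:
        raise ReauthRequired(f"refresh rejected ({status}): {body}")
    tok = json.loads(body)
    # The server may rotate the refresh token; keep the new one when it issues one.
    return tok["access_token"], tok.get("refresh_token", refresh_token)

def call_api(http, tokens, client_id, client_secret, url):
    """GET url with the bearer token; on an 'expired' 401, refresh once and retry."""
    def get():
        return http("GET", url, {"Authorization": "Bearer " + tokens["access_token"]}, None, None)
    status, body = get()
    if not is_expired_token_response(status, body):
        return status, body                      # success, or a 401 that a refresh won't fix
    tokens["access_token"], tokens["refresh_token"] = refresh_access_token(
        http, client_id, client_secret, tokens["refresh_token"])
    status, body = get()
    if is_expired_token_response(status, body):
        raise ReauthRequired("freshly issued token was also rejected as expired")
    return status, body

def fake_http(method, url, headers, data, auth):
    """Constructed stand-in for the proxy and token endpoint (no network involved)."""
    if (method, url) == ("POST", TOKEN_URL):
        ok = dict(parse_qsl(data)) == {"grant_type": "refresh_token", "refresh_token": "r1"} \
            and auth == ("app", "s3cret")
        return (200, json.dumps({"access_token": "new", "refresh_token": "r2"})) if ok \
            else (400, json.dumps({"error": "invalid_grant"}))
    if headers.get("Authorization") == "Bearer new":
        return 200, json.dumps({"orders": []})
    return 401, json.dumps({"fault": {"faultstring": "Expired oauth token"}})
```

To use it against a real proxy, replace `fake_http` with a transport of the same shape `(method, url, headers, data, auth) -> (status, body)` built on urllib or requests; `call_api` mutates the `tokens` dict in place so the rotated refresh token is kept.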
