Refresh authorization token


    Posted 06-05-2025 18:13

    thomas.baucke | 2018-08-21 00:52:03 UTC | #1

    Hi there,

    I've been researching integrating our app (Spinify) with PureCloud's platform API, but I'm getting a bit stuck on authorization:

    Is there any way to programmatically refresh an access token via the API before it expires so our users won't have to log in to PureCloud every 24 hours?

    Here's our ideal use case: We have one Spinify OAuth client in PureCloud that many different PureCloud organisations can grant access to, and our backend makes authenticated requests with an access token for our one PureCloud OAuth client to get data into Spinify. Users set up the integration once, and then they don't have to log in to PureCloud every 24 hours. We'd also really like to avoid having our users manually set up an OAuth client in PureCloud and then copy/paste over the client id and secret.

    The two workarounds I'm considering are:

    1. Have our users set up the integration initially in Spinify to get an access token via access code grant. Then on our backend, use that access token to create a new OAuth client in the user's PureCloud account. And then have the backend request a new access token with the client credentials grant flow by using the client id + client secret for the new OAuth client every 24 hours or so.

    Or

    2. Store our users' PureCloud credentials on our side and get a new access token with those credentials using an implicit grant flow every 24 hours, but I'm really apprehensive of this approach because of security, and it feels really hacky and basically bypasses all the goodness of OAuth.

    There's probably a better way to do this so I'm definitely open to suggestions.

    Many thanks and kind regards,

    Thomas


    john | 2018-08-21 14:01:24 UTC | #2

    The idea behind the code authorization (or implicit grants) is that your application is making requests to PureCloud on behalf of a user interacting with your application. You should cache the access token on the user's session with your application server, and use it to make PureCloud requests as required while your user interacts with your application. A user does not necessarily have to log in each time to issue an access token. They may already be authenticated with the PureCloud authorization server, or with an identity provider that can assert identity to the PureCloud authorization server. In those cases, a new access token (or authorization code) would automatically be issued to your application, transparently to the end user. It is appropriate that the identity provider, not an application, determines when the user needs to provide credentials for authentication. You definitely should not store user credentials. In addition to the security concerns you mentioned, any PureCloud service that accepts user credentials is not part of the platform API, does not fall under its compatibility guarantees, and is subject to change at our discretion.


    jasonj | 2018-08-21 15:34:41 UTC | #3

    Hi John,

    I've also been speaking with Zach about this.

    So after getting an access token and storing on the application server, this can be used for up to 24 hours (depending on TTL).

    What I'm missing/not understanding is how we request an updated access token before it expires. Do you have any help articles outlining the process and endpoints to be used?

    You mention here that we would need an identity provider and access tokens can be automatically issued, can you elaborate?

    Thanks Jason


    john | 2018-08-21 17:51:50 UTC | #4

    Your app needs to redirect the user to the PureCloud authorization server whenever it needs an access token, whether it is because you don't have one, you got a 401 response from the API, or you know the one you have is expired (via the expires parameter). My point with the identity providers was that your app does not actually need to concern itself with how the user is authenticated (or the rules about when they need to re-authenticate), the PureCloud authorization server takes care of that for you.
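The pattern john describes in replies #2 and #4 (cache the token on the user's session, send the user back through the authorization server when there is no token, when it is expired, or when the API answers 401, and never hold the user's credentials) as an added example. This is not code from the thread or from Genesys; the login/API hosts, the `/oauth/authorize` and `/oauth/token` paths, the 60-second staleness margin and the fake transport are assumptions of the example.

```python
"""Authorization-code grant handling for a web app calling the PureCloud
Platform API on behalf of a logged-in user.  Added example, not code from
the forum thread or from Genesys; hosts, paths, parameter names and the
staleness margin below are assumptions standing in for the real server."""
import base64
import secrets
import time
import urllib.parse
from dataclasses import dataclass

AUTH_HOST = "https://login.mypurecloud.com"   # assumed authorization server
API_HOST = "https://api.mypurecloud.com"      # assumed Platform API host
REFRESH_MARGIN = 60  # seconds before expiry at which the token is treated as stale


@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # absolute epoch seconds, derived from expires_in at issue time

    def is_stale(self, now=None) -> bool:
        now = time.time() if now is None else now
        return now >= self.expires_at - REFRESH_MARGIN


class NeedsReauthorization(Exception):
    """Caller must redirect the browser to build_authorize_url(...)."""


def new_state() -> str:
    # Unguessable per-request value bound to the session to stop CSRF on the callback.
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    q = urllib.parse.urlencode({"response_type": "code", "client_id": client_id,
                                "redirect_uri": redirect_uri, "state": state})
    return f"{AUTH_HOST}/oauth/authorize?{q}"


def exchange_code(transport, client_id, client_secret, code, redirect_uri, now=None):
    """POST grant_type=authorization_code; the client secret travels only in
    the HTTP Basic header, never in the query string or the browser."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    status, body = transport(
        "POST", f"{AUTH_HOST}/oauth/token",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"},
        body=urllib.parse.urlencode({"grant_type": "authorization_code",
                                     "code": code, "redirect_uri": redirect_uri}))
    if status != 200:
        raise NeedsReauthorization(f"token endpoint returned {status}")
    now = time.time() if now is None else now
    return CachedToken(body["access_token"], now + int(body["expires_in"]))


def handle_callback(session, params, transport, client_id, client_secret, redirect_uri):
    """Redirect-URI handler: verify state before touching the code, then cache
    the token on the server-side session (never in the browser)."""
    expected = session.pop("oauth_state", None)
    if not expected or not secrets.compare_digest(expected, params.get("state", "")):
        raise NeedsReauthorization("state mismatch")
    session["token"] = exchange_code(transport, client_id, client_secret,
                                     params["code"], redirect_uri)
    return session["token"]


def api_get(session, path, transport, now=None):
    """Use the session-cached token; a stale token or a 401 both mean 'send
    the user back to the authorization server', not 'ask for a password'."""
    tok = session.get("token")
    if tok is None or tok.is_stale(now):
        raise NeedsReauthorization("no usable token in session")
    status, body = transport("GET", API_HOST + path,
                             headers={"Authorization": "Bearer " + tok.access_token},
                             body=None)
    if status == 401:
        session.pop("token", None)
        raise NeedsReauthorization("API rejected the token")
    return status, body


# --- constructed fake transport so the example runs offline -----------------
def fake_transport(method, url, headers, body):
    if url.endswith("/oauth/token") and body and "grant_type=authorization_code" in body:
        return 200, {"access_token": "tok-abc", "expires_in": 86400}
    if headers.get("Authorization") == "Bearer tok-abc":
        return 200, {"id": "me"}
    return 401, {}
```

The web framework catches `NeedsReauthorization`, stores a fresh `new_state()` in the session and responds with a redirect to `build_authorize_url(...)`; if the user still has a session with the authorization server or its identity provider, the round trip completes without a login prompt, exactly as john describes.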


    jasonj | 2018-08-21 19:35:14 UTC | #5

    Hi John,

    From my discussion with Zach, he was under the impression that we'd be able to set this up so that we can query the API to get a refreshed token, without the user authenticating/interacting with the system.

    We are looking for a solution where the end user authenticates once/initially, then we can continuously pull in data without the user having to interact with the system every XX hours. Is that possible?

    Thanks Jason


    john | 2018-08-21 19:49:18 UTC | #6

    It sounds like your use case involves the client making API requests on its own behalf - not driven by a user? That would be a use case for the client credential grant. We do have plans to streamline the authorization of client-credential based apps across multiple orgs, but for the moment the only way to do that is to provision a client/credentials in each org you need to access.
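The per-org client credentials arrangement from john's reply above, as an added example (not code from the thread or from Genesys): one client id/secret provisioned in each org, and a backend store that requests a token with `grant_type=client_credentials` and renews it a safe margin before `expires_in` runs out, so no user ever has to interact. The token URL, the five-minute renewal margin, the in-memory client registry and the fake token server are assumptions of the example; in production the secrets come from a secrets manager, not a dict.

```python
"""Client-credentials grant for a backend that pulls data from several
PureCloud orgs on its own behalf, one provisioned client per org.  Added
example, not code from the thread or from Genesys; the token URL, renewal
margin and per-org registry are assumptions."""
import base64
import time
import urllib.parse

TOKEN_URL = "https://login.mypurecloud.com/oauth/token"  # assumed token endpoint
RENEW_MARGIN = 300  # renew this many seconds before expiry so a request never
                    # starts with a token that will expire mid-flight


class OrgTokenStore:
    """One client id/secret per org; tokens cached per org and renewed proactively."""

    def __init__(self, clients, transport, clock=time.time):
        self._clients = clients      # {org_id: (client_id, client_secret)}  (constructed)
        self._transport = transport  # callable(method, url, headers, body) -> (status, json)
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._tokens = {}            # {org_id: (access_token, expires_at)}
        self.token_requests = 0      # counter so renewal behaviour is observable

    def _request_token(self, client_id, client_secret):
        # Secret goes in the Basic header only; the body carries just the grant type.
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        status, body = self._transport(
            "POST", TOKEN_URL,
            {"Authorization": "Basic " + basic,
             "Content-Type": "application/x-www-form-urlencoded"},
            urllib.parse.urlencode({"grant_type": "client_credentials"}))
        self.token_requests += 1
        if status != 200:
            raise RuntimeError(f"token request failed for {client_id}: {status}")
        return body["access_token"], self._clock() + int(body["expires_in"])

    def token_for(self, org_id):
        """Return a token with at least RENEW_MARGIN seconds of life left,
        fetching a fresh one with that org's own client if needed."""
        if org_id not in self._clients:
            raise KeyError(f"org {org_id} has no provisioned client")
        cached = self._tokens.get(org_id)
        if cached is None or self._clock() >= cached[1] - RENEW_MARGIN:
            cached = self._request_token(*self._clients[org_id])
            self._tokens[org_id] = cached
        return cached[0]

    def forget(self, org_id):
        """Drop a cached token, e.g. after a 401 (client deleted or secret rotated)."""
        self._tokens.pop(org_id, None)


# --- constructed fake authorization server so the example runs offline ------
ISSUED = {"count": 0}


def fake_token_server(method, url, headers, body):
    assert method == "POST" and url == TOKEN_URL
    assert "grant_type=client_credentials" in body
    cid = base64.b64decode(headers["Authorization"].split()[1]).decode().split(":")[0]
    ISSUED["count"] += 1
    return 200, {"access_token": f"{cid}-tok{ISSUED['count']}",
                 "expires_in": 86400, "token_type": "bearer"}
```

Because each org's client is a separate principal, the backend can be given exactly the roles it needs in each org and a compromised secret for one org does not reach another; `forget()` plus a retry is the right response to a 401 from the API, rather than caching a token past what the server said it would honour.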


    Alok_Tibrewal | 2018-08-24 09:09:04 UTC | #7

    We are also facing the same issue and have been waiting for this for months now.

    Can you please elaborate when exactly you plan to implement this.

    In our case also our APP at third party need to perform Refresh Token automatically without user interference and it is not happening.

    Regards


    system | 2018-09-24 09:09:06 UTC | #8

    This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.


    This post was migrated from the old Developer Forum.

    ref: 3404