Reply
Contributor
Posts: 11
Registered: ‎09-07-2018
Accepted Solution

Proactively Refreshing the OAuth Access Token

I'd like to refresh the access token after 90% of it's life is used up (just prior to expiration).  But everytime I do, I get the exact same (access and refresh) tokens back, and the expiration of the access token hasn't moved a bit. 

 

Do I have to wait until after the token has expired before I can refresh it?

 

Thanks,
Troy


Accepted Solutions
Solution
Accepted by topic author TroyW
‎09-09-2018 02:47 PM
Posts: 333
Kudos: 57
Solutions: 35
Registered: ‎03-13-2017

Re: Proactively Refreshing the OAuth Access Token

Hi @TroyW

 

Yes that is correct . You will need for token expired error and call the /token api with refresh token to get a new set of access and refresh tokens . 

 

 

Thanks

Anurag





Send feedback at developer_feedback@authorize.net

View solution in original post


All Replies
Solution
Accepted by topic author TroyW
‎09-09-2018 02:47 PM
Posts: 333
Kudos: 57
Solutions: 35
Registered: ‎03-13-2017

Re: Proactively Refreshing the OAuth Access Token

Hi @TroyW

 

Yes that is correct . You will need for token expired error and call the /token api with refresh token to get a new set of access and refresh tokens . 

 

 

Thanks

Anurag





Send feedback at developer_feedback@authorize.net
Contributor
Posts: 11
Registered: ‎09-07-2018

Re: Proactively Refreshing the OAuth Access Token

I waited 8 hours for the access token to expire, and then I was able to refresh the access token.  So I can confirm what you said.  So about how long is the refresh token good for?  The documenation says one year, but it also says the access token has  life of 10 minutes (not 8 hours), so I'm not sure if I should trust the documentation.

 

--Troy

Posts: 333
Kudos: 57
Solutions: 35
Registered: ‎03-13-2017

Re: Proactively Refreshing the OAuth Access Token

Hi @TroyW

 

Looks like there is a bug when creating the OAuth client from our Partner Interface which is setting the expiration time of 8 hours for both access and refresh Token . 

 

We are working on a fix and will keep you posted . 

 

The 10 minutes is for the one time Auth code which is generated when the authorization flow is done 

 

https://developer.authorize.net/api/reference/features/oauth.html#Redirecting_the_Merchant

 

Also have a look at our sample app for OAuth at https://github.com/AuthorizeNet/oauth-sample-app

 

Thanks

Anurag





Send feedback at developer_feedback@authorize.net
Contributor
Posts: 11
Registered: ‎09-07-2018

Re: Proactively Refreshing the OAuth Access Token

Thanks for your followup on this.  Hopefully my observations will help you track this down:

 

1)  The access_token expired after 8 hours.

2)  A few days later, I was able to use the refresh_token to obtain new tokens (access and refresh).

3)  The token .json advertised the fact that both the access_token and refresh_token had a lifespan of 8 hours.  But my experience (point #2) showed that the refresh_token outlived those 8 hours.

 

4)  From the merchant settings, I revoked my application.  The refresh_token continued to work for its full 8 hours.  This seems like a long time to continue to have access to the merchant account.  So I'm glad you're looking into why it's not 10 minutes like the documentation indicates.

 

--Troy

 

Contributor
Posts: 12
Registered: ‎10-09-2018

Re: Proactively Refreshing the OAuth Access Token

@TroyW I'm having the same issue. So what it sounds like is you need to update the refresh token after the access token expires but before the refresh token expires? This is frustrating because the response says they have the same expiration time. Are we supposed to guess at when the refresh token expires..? Run a chron that updates the refresh token every 9 hours or something?

Contributor
Posts: 11
Registered: ‎09-07-2018

Re: Proactively Refreshing the OAuth Access Token

I found that you can just ignore the advertised expiration times.  The access token lasts about 8 hours, and the refresh token is "long lived" enough so there's no problem getting a new access/refresh token combo.

 

--Troy

Posts: 333
Kudos: 57
Solutions: 35
Registered: ‎03-13-2017

Re: Proactively Refreshing the OAuth Access Token

Hi All , 

 

Due to a defect currently the refresh token are shorten to 8 hours but the refresh token will be valid for 1 year after the fix soon . 

 

Tentatively target by end of month .

 

Thanks

Anurag





Send feedback at developer_feedback@authorize.net
Highlighted
Posts: 333
Kudos: 57
Solutions: 35
Registered: ‎03-13-2017

Re: Proactively Refreshing the OAuth Access Token

Hi All , 

 

The expiration time issue should be fixed now . 

 

Can you create a new OAuth client and check ?

 

Thanks

Anurag





Send feedback at developer_feedback@authorize.net