AutoWeb How to use "Refresh Tokens"?

Hello,

I got Autoweb working with my own oauth api, but the access token keeps expiring every 30 minutes. I don't want to login every 30 minutes, so I would like to use "Refresh Tokens". But I noticed that Autoweb calls my api url "oauth/v2/auth" with the parameter "response_type=token" instead of "response_type=code".

How can I get refresh tokens working?

Thanks a lot for your help!

 

Well that would have been great if it wouldnt require me to set the secret id manually. Shouldnt the oauth/v2/auth proces take care of this, because the reponse of that proces returns the secret, right?

Verstuurd vanaf mijn GT-I9301I met Tapatalk

 

It does make sense what you are saying, but I do have an application called Postman that I use to test my OAuth connection and that one doesn't require me to set the secret manually. However Postman is be able to create a refresh token.

It looks like Postman runs "oauth/v2/auth" the authentication proces with response_type=code and then gets a auth_code back. Then it runs "oauth/v2/token" to exchange that auth_code for an access_token and a refresh_token.

Any idea why Postman works without having to set the secret manually?

 

Sure I can. However I don't have the time right now. So ill post some info the next day.

Verstuurd vanaf mijn GT-I9301I met Tapatalk

 

Hello Joaomgcd,

Alright, I tried to debug to get some information for you. I will try to make it understandable.

1. I go to Postman and select the option OAuth2 under Authorization and continue by clicking "Get a new access token".

2. Postman opens a popup and takes me to the login area under "oauth/v2/auth_login" (the same as Autoweb). I log in (if I'm not logged in yet) and get 2 buttons "allow" and "deny".

3. If I click "allow" Postman posts the following data to "oauth/v2/auth":

array (
'client_id' => '13_test',
'response_type' => 'code', // Autoweb has "token" set here
'redirect_uri' => 'https://www.getpostman.com/oauth2/callback',
'state' => '4446607',
'scope' => '',
)

The following callback url is being generated from the posted data: https://www.getpostman.com/oauth2/callback?state=4446473&code=xxx

4. Postman then calls "oauth/v2/token" to exchange the ?code=xxx from the callback url for an access_token. The response I get here is:

array (
'access_token' => 'xxx',
'expires_in' => 60,
'token_type' => 'bearer',
'scope' => NULL,
'refresh_token' => 'xxx',
)

As you can see it also returns a refresh_token. I can use this refresh_token to gain another access_token, which also gives me a new refresh_token. This goes on and on.
I can call "/oauth/v2/token?grant_type=refresh_token&refresh_token=xxx&client_id=xxx" with the refresh_token without having to use a secret. I do only have to set the client id.

If you look at https://developer.spotify.com/web-api/authorization-guide/ you will also notice that at point 5 they are also returning an "access_token" and "refresh_token".

I must make a side note. I only get a refresh_token back if I set my application/client "allowedGrantTypes" to the following:

array (
0 => 'token', // This is the one Autoweb currently uses.
1 => 'refresh_token',
2 => 'authorization_code', // This is the one I would like to use.
),

My Symfony web-application is using "https://github.com/FriendsOfSymfony/FOSOAuthServerBundle" to run OAuth.

Regards,
Roy

 

Thanks for your feedback Joao.

You are probably right about having to supply the secret. But I am still wondering how Spotify does this then. If I take a look in Autoweb by importing the Spotify api I see that it's using "OAuth2" and not "OAuth2WithRefresh". Still I don't have to refresh my token every time. Can you explain why this works differently? I've read somewhere that Facebook uses access_token that last for 60 days, but that would not be my intention.

I would rather not want to reveal the secret, because this token never changes. Both the access_token and refresh_token do, so they are more secure.

Thanks for your time so far!