topic Re: Proactively Refreshing the OAuth Access Token in Integration and Testing

Proactively Refreshing the OAuth Access Token

TroyW — Fri, 07 Sep 2018 16:27:58 GMT

I'd like to refresh the access token after 90% of it's life is used up (just prior to expiration). But everytime I do, I get the exact same (access and refresh) tokens back, and the expiration of the access token hasn't moved a bit.

Do I have to wait until after the token has expired before I can refresh it?

Thanks,
Troy

Re: Proactively Refreshing the OAuth Access Token

Anurag — Sat, 08 Sep 2018 06:39:47 GMT

Hi @TroyW

Yes that is correct . You will need for token expired error and call the /token api with refresh token to get a new set of access and refresh tokens .

Thanks

Anurag

Re: Proactively Refreshing the OAuth Access Token

TroyW — Sun, 09 Sep 2018 21:49:20 GMT

I waited 8 hours for the access token to expire, and then I was able to refresh the access token. So I can confirm what you said. So about how long is the refresh token good for? The documenation says one year, but it also says the access token has life of 10 minutes (not 8 hours), so I'm not sure if I should trust the documentation.

--Troy

Re: Proactively Refreshing the OAuth Access Token

Anurag — Mon, 10 Sep 2018 04:57:43 GMT

Hi @TroyW

Looks like there is a bug when creating the OAuth client from our Partner Interface which is setting the expiration time of 8 hours for both access and refresh Token .

We are working on a fix and will keep you posted .

The 10 minutes is for the one time Auth code which is generated when the authorization flow is done

https://developer.authorize.net/api/reference/features/oauth.html#Redirecting_the_Merchant

Also have a look at our sample app for OAuth at https://github.com/AuthorizeNet/oauth-sample-app

Thanks

Anurag

Re: Proactively Refreshing the OAuth Access Token

TroyW — Mon, 10 Sep 2018 15:47:56 GMT

Thanks for your followup on this. Hopefully my observations will help you track this down:

1) The access_token expired after 8 hours.

2) A few days later, I was able to use the refresh_token to obtain new tokens (access and refresh).

3) The token .json advertised the fact that both the access_token and refresh_token had a lifespan of 8 hours. But my experience (point #2) showed that the refresh_token outlived those 8 hours.

4) From the merchant settings, I revoked my application. The refresh_token continued to work for its full 8 hours. This seems like a long time to continue to have access to the merchant account. So I'm glad you're looking into why it's not 10 minutes like the documentation indicates.

--Troy

Re: Proactively Refreshing the OAuth Access Token

jdoyle112 — Tue, 16 Oct 2018 19:00:38 GMT

@TroyW I'm having the same issue. So what it sounds like is you need to update the refresh token after the access token expires but before the refresh token expires? This is frustrating because the response says they have the same expiration time. Are we supposed to guess at when the refresh token expires..? Run a chron that updates the refresh token every 9 hours or something?

Re: Proactively Refreshing the OAuth Access Token

TroyW — Tue, 16 Oct 2018 20:16:58 GMT

I found that you can just ignore the advertised expiration times. The access token lasts about 8 hours, and the refresh token is "long lived" enough so there's no problem getting a new access/refresh token combo.

--Troy

Re: Proactively Refreshing the OAuth Access Token

Anurag — Tue, 16 Oct 2018 21:58:56 GMT

Hi All ,

Due to a defect currently the refresh token are shorten to 8 hours but the refresh token will be valid for 1 year after the fix soon .

Tentatively target by end of month .

Thanks

Anurag

Re: Proactively Refreshing the OAuth Access Token

Anurag — Wed, 24 Oct 2018 06:53:40 GMT

Hi All ,

The expiration time issue should be fixed now .

Can you create a new OAuth client and check ?

Thanks

Anurag