Expiring OAuth token

(Ben Chapman) #1

Matrix Version:

I am working with an API that requires an OAuth token. I am able to get the token using an OAuth 2.0 token - two legged asset and then use it to authenticate a REST resource.

However, I am getting “N/A” for the refresh token. Then once the token expires (after an hour), I get an “invalid_token” error.

I think I am missing something here. How do I set things up so the token is refreshed when needed?

(Bart Banda) #2

What API are you connecting to? Some OAuth providers need to you to specify that the token you want is a refreshable one. For example, when getting an offline token for the Google Analytics API you need to pass the “?access_type=offline” query parameter. See https://matrix.squiz.net/tutorials/2017/how-to-integrate-with-ga-using-rest-and-oauth2#setting-up-the-authentication_configuring-the-oauth2-token

(Ben Chapman) #3

Thanks Bart. The system I am connecting to is in the Sringshare LibApps suite of library tools.

Looking into the particular oAuth specifications used by this system, it uses client credentials for the grant type and apparently a refresh token should not even be issued for client credentials grants.

Am I understanding how the Matrix oAuth token asset works? That is, if I have a token that has no refresh token and link it to a REST resource asset, then it will no longer authenticate after the token expires. So my understanding is that this approach is only doable for tokens that come with refresh tokens or that do not expire.

(Bart Banda) #4

Sorry for the late reply…

The way that oauth tokens work is that they are either per user for the login session, or global for everyone, where a refresh token can be used.

If you are connecting to an API where each request is based on the user’s credentials, then you can’t use a refresh token. You would have to get the user to sign into Matrix first using the OAuth account manager connected to the 3rd party IDP where you want to get data from, and then use that token fetch any data from that systems API.

Are your users logging in to your Matrix website at all using OAuth SSO?

(Ben Chapman) #5

Thanks for that Bart. However, I’m not sure if I can use the oAuth account manager for what I want to do, unless it is a special case. The API is not based on user credentials in this way. Rather, it uses the client credentials grant type.

I simply want to retrieve some data through the API, and then probably run it through a JSON data source. I need to keep the data up to date, which will require obtaining new tokens periodically.

I am able to use a REST resource to obtain the token, instead of an oAuth2 token asset, which allows me to pull the token only when I need it. However, I can’t work out how to pass that token on to a REST asset without publically exposing the token.

I might start a new thread to ask for advice about this method.

(Bart Banda) #6

Yeah so that’s what the OAuth tokens are designed to to. They are meant to be used to keep tokens for REST asset use. The rest assets are designed in a way that they can try and make an API call using the token, and if it’s expired, it can try and request a new token using the refresh token ID which is normally supplied by the API, so you don’t have to worry about it at all.
Have you got a link to the API integration docs for Sringshare that we can look at?

Passing an oAuth token to a REST resource privately
(Ben Chapman) #7

Happy new year Bart.

Here’s the help page for the LibGuides API: https://ask.springshare.com/libguides/faq/873.

(Bart Banda) #8

Thanks Ben, and HNY to you to!

I had a quick look at the docs and they don’t seem to offer any instructions on how to create refresh tokens… :confused:

Maybe they don’t want people to automatically re-auth using their OAuth API? Especially since they offer an expire on their auth tokens…

I can’t see anything in their docs about how to authenticate via OAuth either…

Is there anything in the application itself under the The API Authentication page that talks about refresh tokens?

You might have to just request a new auth token each time and use that somehow in the following API requests if they don’t offer a way to refresh their tokens.

(Ben Chapman) #9


The application instructions don’t mention refresh tokens at all, they just give details for getting a token and how to send that on in the resource request header.

My interpretation is that for LibApps a new token is supposed to be requested each time the API is called. My knowledge of oAuth anthentication is thin, but my readings on the topic suggest that it is not advisable to use refresh tokens for client credentials grant types because getting a new token is actually more straightforward than validating a refresh token.

I would be quite happy to retrieve a fresh token for every resource request. However, the only way I can see to do this natively in Matrix is to use a REST resource asset for the authentication request, but this necessarily exposes the token to the front end.

Am I missing some settings for the oAuth asset or REST asset that might work for me?

(Bart Banda) #10

I’ve never attempted that kind of repeated auth token generation with Matrix before. But what you might be able to do is to set up a trigger that first calls the API to get the auth token and store that in a globals session variable (use the Call REST Resource action), and then use that is the subsequent REST call in the custom header field using the %globals_session_X% keyword to source the temporary token. Then you just figure out how you want to call the trigger first which then fires off the second REST call to do the actual data API call. Does that make sense?