Get new refresh token

Hi!
Recently we ran into the "API auth error: Sorry, your OAuth grant has expired." issue. After reading the related topics on this forum I tried to implement the fix (store the new refresh token when given), but I'm not sure if it solved the problem.
Therefore I still have some questions.
1. When a user grants access to an app, the grant is unlimited in time. Correct?
2. Refresh tokens expire in 28 days, but before this expiration date Podio sends a new refresh token. Yes?
   a. Is it sent when a new OAuth token is requested, or at a random Podio API execution?
   b. How much time before the expiration will Podio provide us with a new refresh token? Or put differently: when I request a new OAuth token, will it pass the new refresh token 2 days, 1 day, 4 hours before the current refresh token expires?

Vijay Kumar


13 comments


Hi Vijay,

Please have a look at the section "Refreshing Expired Tokens" in the Podio Authentication documentation. When you get your access token, you also get a refresh token and the expires_in property shows the number of seconds until the access token expires. You should use the refresh token to renew your access token prior to expiration. If you're using an SDK, it may have auto-refreshing of access tokens (e.g. podio-rb).

Best,
Andreas

Andreas Garnæs 0 votes

Hi Andreas!

I think you are getting the context wrong. I am talking about getting a new refresh_token, not getting a new access_token. The refresh_token expires every 28 days. Before the refresh token expires, Podio returns a new refresh token when refreshing the access token, as per this discussion:

https://help.podio.com/hc/communities/public/questions/200514848-Why-is-itduzzit-integration-have-to-be-renewed-every-28-days-#post_23731678

But here "before the refresh token expires" is not clear. When exactly (exactly after 28 days or before it) does Podio return a new refresh_token, i.e. when do I need to refresh the access_token so that I can get a new refresh_token?

Vijay Kumar 0 votes

When the access token expires, you can use the refresh_token to "refresh" your access, and gain another access token. You get a new refresh token when you refresh your access token.

Andreas Garnæs 0 votes

It is not returning a new refresh_token. This is my old Podio credential:
{
"access_token" : "59ba9ca410f84a3f877993ea493a7439",
"token_type" : "bearer",
"ref" : {
"type" : "user",
"id" : 2718133
},
"expires_in" : 28800,
"refresh_token" : "e0cfb0b3c57e42d38ad97807c3de4d9e"
}

After refreshing the access_token, I got:

{
"access_token": "ed1ddb0d7d7b4cdbb038173334923999",
"token_type": "bearer",
"ref": {
"type": "user",
"id": 2718133
},
"expires_in": 28800,
"refresh_token": "e0cfb0b3c57e42d38ad97807c3de4d9e"
}

You can clearly see the refresh_token remains the same. Please let me know how to get a new refresh_token. It's urgent. Our app is being used by customers.

Vijay Kumar 0 votes

You should just continue using the refresh_token returned in the response. The validity of the refresh token is extended as part of the refresh call.

Unless you're implementing something with strict latency requirements, I would recommend to just use the approach from podio-rb, i.e. if you get a token expired error, perform a refresh call and perform the same request again with the new access token.

Andreas Garnæs 0 votes

Sometimes while refreshing the access_token, I am experiencing this error:

{
"error_parameters": {},
"error_detail": "oauth.refresh_token.invalid",
"error_propagate": true,
"request": {
"url": "http://api.podio.com/oauth/token",
"query_string": "grant_type=refresh_token&client_id=xero-podio&client_secret=k7WFxo5Z9X02dgM2vV5rrXi0vT8VzxtQEHqDkgl5gVfdTOWMOsxWDCRKptcnCUVM&refresh_token=a557674b3fbe45c18afc0123b1ede92c",
"method": "POST"
},
"error_description": "Sorry, your refresh token is invalid.",
"error": "invalid_grant"
}

What needs to be done to avoid this error?

Vijay Kumar 0 votes

That response would seem to indicate that the refresh_token does not exist. Would it be possible for you to share a sequence of API calls (requests and responses) which leads up to this?

Andreas Garnæs 0 votes

I've looked up the refresh token from your request and it doesn't exist in the database. To investigate why this is the case, I need a lot more detail to look further into this, preferably the HTTP requests and responses. Otherwise I would ask you to ensure that you're passing in the correct refresh_token when refreshing the access token.

Andreas Garnæs 0 votes

Looks like their implementation of the refresh token flow does not return a new refresh token with every refresh of an access token. I had the same problem with my app, where it was not generating a new refresh token every time I tried to get a new access token using the refresh token. According to the OAuth specification, it is optional to return a new refresh token:

(H) The authorization server authenticates the client and validates
the refresh token, and if valid, issues a new access token (and,
optionally, a new refresh token). (https://tools.ietf.org/html/rfc6749#section-1.5)

I had to specifically specify to invalidate the refresh token once it was used to generate an access token and return a new refresh token along with the new access token.

Hopefully this will help you and Podio to resolve this.

Maksim Ustinov 1 vote
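
The refresh-and-retry approach recommended earlier in the thread, combined with the RFC 6749 point that a new refresh token is optional, as an added example (not code from the thread, from Podio, or from podio-rb). `TokenStore`, `refresh`, `call_api`, `post_token` and `FakeAuthServer` are hypothetical names; the token endpoint is a constructed stand-in, client credentials are left out, and an expired access token is assumed to surface as HTTP 401.

```python
class ReauthRequired(Exception):
    """The refresh token was rejected (invalid_grant); the user must grant access again."""

class TokenStore:
    """Holds the current token pair. A real app writes save() through to durable storage."""
    def __init__(self, access_token, refresh_token):
        self.access_token, self.refresh_token, self.expires_at = access_token, refresh_token, 0

    def save(self, resp, now):
        self.access_token = resp["access_token"]
        # RFC 6749 makes a new refresh token optional: store whatever comes back,
        # and keep the current one only when the field is absent.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = now + resp["expires_in"]

def refresh(store, post_token, now):
    resp = post_token({"grant_type": "refresh_token", "refresh_token": store.refresh_token})
    if resp.get("error") == "invalid_grant":
        raise ReauthRequired(resp.get("error_description", ""))
    store.save(resp, now)

def call_api(store, post_token, do_request, now):
    """Send the request; on an expired-token response (assumed HTTP 401), refresh once and retry."""
    status, body = do_request(store.access_token)
    if status == 401:
        refresh(store, post_token, now)
        status, body = do_request(store.access_token)
    return status, body

class FakeAuthServer:
    """Constructed stand-in for a token endpoint and API; rotate=True replaces the refresh token on use."""
    def __init__(self, refresh_token, rotate):
        self.valid_refresh, self.valid_access, self.rotate, self.n = refresh_token, None, rotate, 0

    def post_token(self, form):
        if form["refresh_token"] != self.valid_refresh:
            return {"error": "invalid_grant", "error_description": "Sorry, your refresh token is invalid."}
        self.n += 1
        if self.rotate:
            self.valid_refresh = f"refresh-{self.n}"  # the previous refresh token stops working
        self.valid_access = f"access-{self.n}"
        return {"access_token": self.valid_access, "token_type": "bearer",
                "expires_in": 28800, "refresh_token": self.valid_refresh}

    def api(self, access_token):
        return (200, "ok") if access_token == self.valid_access else (401, "expired")
```

The same client code works whether the server rotates the refresh token or returns it unchanged; a process that refreshes with a stale stored copy after a rotation gets `invalid_grant` and has to send the user through authorization again.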

I am also having the same problem. I don't want the user to have to reauthenticate themselves to Podio from our app.

Ashwin Sathwane 0 votes

"You should just continue using the refresh_token returned in the response. The validity of the refresh token is extended as part of the refresh call."

Does this also apply if the `refresh_token` has not been used for an extended period of time, e.g. 3 months?

Rabbitco.re 0 votes

Any update on this thread?

I need to implement a similar thing and just want to make sure whether the refresh token is updating or not. Can someone who is using this authentication approach confirm?

Bajarang 0 votes