OAuth issues

08-06-2013 12:22 PM
BrianFlood
Occasional Contributor
hello

I'm trying to exchange an authorization code for an access token and I'm getting a weird error about missing a "redirect_url" (which I thought was not even necessary for this part of the flow)

POST https://www.arcgis.com/sharing/oauth2/token

body:
code=LPr6MySmwV9msk5IudznYfsQgGXcLFmN1dt9XpNoWE-nSi4UeGldhVSiroOzEfiieP30udISuUdR15sxRjcij7UkSATbrRmWXDNo0E_k7VrGolKRmOYa0ILwhX4x_2va0XIVi-RBupeF4SWE7rWtnWmIksxdoiH2jIw3kA3uvqx56ZlbQM_-pcT6v3wYAk6dtXkRik_taKiBB71qS34kzw..&client_secret=MY_VALID_CLIENT_SECRET&grant_type=authorization_code&client_id=FO7xwMrLHLjijBnD

response:
200 {"error":{"code":400,"error":"invalid_request","error_description":"redirect_uri not specified","message":"invalid_request","details":[]}}


also, how long do the refresh_tokens last? can the original auth code be used to get a new refresh_token if it expires? (generally with other APIs they don't but in the docs they say it lasts about two weeks)

cheers
brian
0 Kudos
6 Replies
BrianFlood
Occasional Contributor
fwiw, the "redirect_uri" param is necessary for token requests (this is missing in the online docs here https://developers.arcgis.com/en/authentication/user-php-other.html)

working now, moving on...

cheers
brian
0 Kudos
PatrickArlt1
Esri Contributor
Looks like the docs are incorrect, refresh tokens should last forever.
0 Kudos
BrianFlood
Occasional Contributor
refresh_tokens - thanks, that makes more sense, had never come across refresh tokens that expired before

also, you should add that "redirect_uri" is needed when requesting an access token, that's missing from the docs too

cheers
brian
0 Kudos
PatrickArlt1
Esri Contributor
So you need to pass "redirect_uri" when calling https://www.arcgis.com/sharing/oauth2/token? Just want to make sure I know exactly what needs to get updated.
0 Kudos
BrianFlood
Occasional Contributor
yes, or you get the error above.

fwiw, it appears other APIs require the redirect_uri to be passed in for verification (not actual redirection). see DropBox's OAuth2 token request: https://www.dropbox.com/developers/core/docs#oa2-token
0 Kudos
BrianFlood
Occasional Contributor
I'm starting to see Refresh Tokens expiring. This is what is described in the docs but, as patrick explained above, this should not happen. If this is the intended flow, how are we supposed to get a new refresh token? I've never seen another OAuth2 api that expired its refresh tokens...

fwiw, do calls to refresh the access token sometimes return different refresh_tokens?

error:
'{"error":{"code":400,"error":"invalid_request","error_description":"refresh_token expired","message":"invalid_request","details":[]}}'



docs - https://developers.arcgis.com/en/authentication/user-php-other.html

relevant section (no mention on how to get a new refresh token):
"The refresh token can be used to obtain subsequent access tokens. Access tokens are short-lived. The app can get a new access_token by using the refresh_token obtained above. The lifetime of the refresh token that is returned by this call is controllable by the app. The default expiry time for the refresh token returned by this flow is two weeks. Using this flow, you can request a refresh token that is valid for a longer period by passing an expiration (in minutes) parameter during authorization. The refresh token that is returned may be valid for a shorter period than requested based on the maximum expiry time set by the user's organization or the platform."
0 Kudos
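An added example, not part of any post in this thread and not Esri's code: a Python sketch of a client that always sends redirect_uri in the code exchange and treats the two error bodies quoted above as failures even though they arrive with HTTP 200. The function and class names are hypothetical, and the success fields (access_token, expires_in, refresh_token) are assumed to follow the standard OAuth 2.0 token response.

```python
import json
from urllib.parse import urlencode

class TokenError(Exception):
    """The token endpoint rejected the request."""

class ReauthorizationRequired(TokenError):
    """The refresh token is no longer usable; the user must authorize again."""

def code_exchange_body(client_id, client_secret, code, redirect_uri):
    """Form body for the code-for-token POST described in the thread."""
    if not redirect_uri:
        # Without it the endpoint answers "redirect_uri not specified".
        raise ValueError("redirect_uri is required for the token request")
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,  # same value sent in the authorize step
    })

def parse_token_response(http_status, text, stored_refresh_token=None):
    """Return token fields, or raise on an error carried in the JSON body."""
    payload = json.loads(text)
    err = payload.get("error")
    if err is not None:
        # The thread shows HTTP 200 with the real status nested in the body,
        # so the body is checked before the transport status.
        info = err if isinstance(err, dict) else {"error": err}
        desc = info.get("error_description", "")
        if "refresh_token expired" in desc:
            raise ReauthorizationRequired(desc)
        raise TokenError(f"{info.get('error')}: {desc}")
    if http_status != 200 or "access_token" not in payload:
        raise TokenError(f"unexpected token response (HTTP {http_status})")
    return {
        "access_token": payload["access_token"],
        "expires_in": payload.get("expires_in"),
        # Keep a newly issued refresh token if one is returned (assumed field),
        # otherwise keep the one already stored.
        "refresh_token": payload.get("refresh_token", stored_refresh_token),
    }
```

Catching ReauthorizationRequired is the point at which the app sends the user back through the authorize step; client_secret and token values should stay out of logs and error messages.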