如何在没有用户干预的情况下获得 OAuth2 身份验证

Question

I am making an API call that requires OAuth2. I initially make the call and authorize it with a login via the web. I'm then taking the supplied Refresh Token and using it to make subsequent calls in my application.

The issue is that in the subsequent calls the Refresh Token is used up and I get a new one. I save this new one in the database and then use that saved one on the next call. This works great for about xx number of calls and then for some reason the Refresh Token goes bad and I have to go and manually grab one through the web login again.

I have no way to tell, that I know of, when the token goes bad or why.

Is there a way to just send the login info or the OAuth2 info or something that'll get me a new valid Refresh Token without me having to "authorize" my own app?

The API that I am using is Constant Contact.

Answer 1

The OAuth standards are based on 2 forms of expiry:

ACCESS TOKENS

These are short lived API credentials and a common lifetime is 60 minutes. When they expire the API client receives an HTTP response with a 401 status code. The client can then try to silently renew the access token.

REFRESH TOKENS

These are long lived credentials that represent a user session, and a common lifetime is 8 or 12 hours. During this time the access token can be renewed silently. Eventually however, the refresh token itself expires and the silent renewal request results in an error with an invalid_grant error code.

USER RE-AUTHENTICATION

There are very good reasons for making users re-authenticate and I would avoid trying to bypass this. Tokens that last for a very long time are not recommended. Usability can be pretty good with only an occasional re-authenticate operation, along with features such as password autofill.

FURTHER DETAILS

• See steps 26 and 29 of my Message Workflow
• Code that handles 401 checks
• Code that handles ErrorCodes.invalidGrant