cancel
Showing results for 
Search instead for 
Did you mean: 

API Platform - OAuth 2.0 Tokens

alain-bates
Deputy Chef I
Deputy Chef I

Is there any way to generate a new access token for an OAuth 2.0 access profile before an existing access token expires?


I've built an API Endpoint in Workato using OAuth 2.0 authentication and the developers of the application calling the API have reported intermittent HTTP 401 errors, which appear to be related to the OAuth 2.0 access token expiring. Their application is currently configured to refresh OAuth tokens on a recurring schedule. In this case, they've configured the tokens to refresh every 30 minutes, as Workato access tokens are valid for 1 hour according to the documentation (https://docs.workato.com/api-mgmt/oauth2.html#obtain-oauth-2-0-access-token). However, when the application requests another access token before a previous one has expired, the request to the access token URL returns the original token again with a reduced expires_in value, rather than returning a new token. This means that there are short intervals between their access token expiring and the scheduled refresh from their application, where they don't have a valid access token to authenticate requests to the API in Workato.


I've discussed some potential improvements they can make such as checking the validity of the access token in their code before sending any requests to the API in Workato.

However, I'd be interested to know if it's even possible to refresh an OAuth access token without having to wait for the previous one to expire first or if there are any documented best practices on managing the refreshing of access tokens, so I can advise other developers looking to call APIs in Workato on how to avoid similar issues in future.

If it's not possible to generate a new OAuth access token without waiting for the previous one to expire first, then I'd guess the approach of relying on a scheduled refresh of access tokens is probably not a good idea, as there'd always be short gaps between the previous token expiring and the new one being requested, where an application wouldn't have a valid token to use.

4 REPLIES 4

ben-urbanski
Workato employee
Workato employee

Hello, Alain. We plan to release a new signed OAuth token enhancement this month. It replaces our existing token format with a self verifying signed token format that includes its expiry, and the expiry will be set to one hour every time a new token is requested (cc: Ee Shan Sim).

alain-bates
Deputy Chef I
Deputy Chef I

Thanks for the information Ben. I'll keep an eye out for the release, as it sounds like this enhancement will make things easier for us.

eeshan
Workato employee
Workato employee

Alain Bates we released an update earlier today that addresses this problem. Every token request generates a fresh and unique token. This means that they have independent expiration times (1 hour). API clients can now use a simple scheduled token refresh strategy rather than something more complex to avoid the "downtime" that you described.


More details available in our docs page: https://docs.workato.com/api-mgmt/oauth2.html#_0auth-2-0-token


Thanks for the update! I've just tested the new OAuth token behaviour now and it looks like this'll make it a lot easier for our API clients to implement their token refresh strategy.