Refreshing Authorization For External Applications
An application refreshes currently valid authorization in silent mode as long as it sends requests to the service at least once a month. The following scenario is most common.
- An application uses client_id to get the value of code, which is required to get the authorization token.
A user opens the following address in a browser:
https://intranet_name.bitrix24.com/oauth/authorize/?response_type=code&client_id=app_ID&redirect_uri=app_URL
The browser will now redirect to the application URL, passing the first authentication code (the code).
- The application uses client_id, client_secret and code to get the values of access_code and refresh_token.
The application sends a request:
https://oauth.bitrix.info/oauth/token/
The server will reply with a JSON string like:
{"access_token":"authentication_code","expires_in":3600,"scope":"granted_permissions","refresh_token":"authentication_refresh_code","domain":"Intranet_name","member_id":"Intranet_ID"}
- The application uses access_code to send REST requests until the access code expires.
https://intranet_name.bitrix24.com/rest/user.current?auth=authentication_code
- access_code will expire in an hour. The application can then use refresh_token to get a new access_code.
https://oauth.bitrix.info/oauth/token/
- If refresh_token is still valid (was obtained less than a month ago), the application gets a new valid access_code and refresh_token and returns to step 3.
- If, however, refresh_token has expired, the user will have to authenticate again manually the next time a REST request is sent.
In fact, user intervention is only required at the first step. If the application is in frequent use, at least once per month, authorization will refresh in silent mode indefinitely.
Note that this algorithm applies only to external applications. Hosted applications obtain and refresh authorization automatically.
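The refresh cycle above for an external application, as an added example that is not Bitrix24's own code. It reads the access_token field of the JSON reply (the value the text calls access_code). Assumptions: the grant_type, code and refresh_token request parameter names follow standard OAuth 2.0, since the page does not list them; "a month" is taken as 30 days; the send transport and the fake server are hypothetical stand-ins.

```python
import time

TOKEN_URL = "https://oauth.bitrix.info/oauth/token/"  # endpoint from the page
REFRESH_LIFETIME = 30 * 24 * 3600  # assumption: "a month" taken as 30 days
MARGIN = 60  # assumption: refresh one minute before expires_in runs out


class ReauthorizationRequired(Exception):
    """Silent refresh is impossible; the user must repeat the browser step."""


class TokenManager:
    def __init__(self, client_id, client_secret, send, now=time.time):
        # Never log these params: they carry client_secret and refresh_token.
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.send, self.now = send, now  # send(url, params) -> dict (hypothetical)
        self.access_token = self.refresh_token = None
        self.access_until = self.refresh_until = 0

    def _store(self, reply):
        if "access_token" not in reply or "refresh_token" not in reply:
            raise ReauthorizationRequired(reply.get("error", "no tokens in reply"))
        t = self.now()
        self.access_token = reply["access_token"]
        self.refresh_token = reply["refresh_token"]  # replaced on every refresh
        self.access_until = t + int(reply["expires_in"]) - MARGIN
        self.refresh_until = t + REFRESH_LIFETIME

    def exchange_code(self, code):
        # Step 2: trade the one-time code for the first token pair.
        self._store(self.send(TOKEN_URL, {**self.creds,
                    "grant_type": "authorization_code", "code": code}))

    def get_access_token(self):
        if self.access_token and self.now() < self.access_until:
            return self.access_token  # still valid, no network call
        if not self.refresh_token or self.now() >= self.refresh_until:
            raise ReauthorizationRequired("refresh_token missing or expired")
        self._store(self.send(TOKEN_URL, {**self.creds,
                    "grant_type": "refresh_token", "refresh_token": self.refresh_token}))
        return self.access_token


def make_fake_server():
    """Constructed stand-in for the OAuth server: numbered tokens, call log."""
    calls = []
    def send(url, params):
        calls.append(dict(params))
        n = len(calls)
        return {"access_token": f"access-{n}", "refresh_token": f"refresh-{n}",
                "expires_in": 3600}
    return send, calls
```

In a real deployment the new refresh_token must be written to durable storage before the old one is discarded, otherwise a crash between the two forces the user back to the browser step.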