Documentation

Refreshing Authorization For External Applications

An application refreshes currently valid authorization in silent mode as long as it sends requests to the service at least once a month. The following scenario is most common.

  1. An application uses client_id to get the value of code, which is required to obtain the authorization token. A user opens the following address in a browser:

    https://intranet_name.bitrix24.com/oauth/authorize/?response_type=code&client_id=app_ID&redirect_uri=app_URL

    The browser will now redirect to the application URL passing the first authentication code (the code).

  2. The application uses client_id, client_secret and code to get the values of access_code and refresh_token.

    The application sends a request:

    https://intranet_name.bitrix24.com/oauth/token/?grant_type=authorization_code&client_id=app_ID&client_secret=app_secret_code&code=first_authentication_code&scope=application_permissions&redirect_uri=application_URL

    The server will reply with a JSON string like:

    {"access_token":"authentication_code","expires_in":3600,"scope":"granted_permissions","refresh_token":"authentication_refresh_code","domain":"Intranet_name","member_id":"Intranet_ID"}

  3. The application uses access_code to send REST requests until the access code expires.

    https://intranet_name.bitrix24.com/rest/user.current?auth=authentication_code

  4. access_code will expire in an hour. The application can then use refresh_token to get a new access_code.

    https://intranet_name.bitrix24.com/oauth/token/?grant_type=refresh_token&client_id=app_ID&client_secret=app_secret_code&refresh_token=authentication_refresh_code&scope=granted_permission&redirect_uri=app_URL

  5. If refresh_token is still valid (was obtained less than a month ago), the application gets a new valid access_code and refresh_token and returns to step 3.
  6. If, however, refresh_token has expired, the user will have to authenticate again manually the next time a REST request is sent.
  7. In fact, user intervention is required only at the first step. If the application is in frequent use, at least once per month, authorization will refresh in silent mode indefinitely.

    Notice that this algorithm is only applied to external applications. Hosted applications obtain and refresh authorization automatically.
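
The refresh logic from steps 3 to 6, sketched in Python as an added example (not Bitrix's own code). The class and function names, the 60-second safety margin, and the treatment of a 4xx status or a reply without tokens as an expired refresh_token are assumptions; the token is read from the access_token field shown in the JSON reply above.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

class ReauthorizationRequired(Exception):
    """refresh_token was rejected: the user must repeat step 1 in a browser."""

def http_get_json(url):
    # The URL carries client_secret and refresh_token: keep it out of logs.
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code >= 500:
            raise  # server trouble, not a rejected token
        return {"error": f"HTTP {err.code}"}  # assumption: 4xx = refresh refused

class TokenManager:
    def __init__(self, portal, client_id, client_secret, redirect_uri, scope,
                 tokens, fetch=http_get_json, clock=time.time):
        self.portal, self.scope = portal, scope
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.fetch, self.clock = redirect_uri, fetch, clock
        self._store(tokens)  # tokens = JSON reply from step 2

    def _store(self, reply):
        # Assumption: a reply without both tokens means the refresh failed (step 6).
        if "access_token" not in reply or "refresh_token" not in reply:
            raise ReauthorizationRequired(reply.get("error", "no tokens in reply"))
        self.access_token = reply["access_token"]
        # Step 5 returns a new refresh_token as well: keep it, discard the old one.
        self.refresh_token = reply["refresh_token"]
        # Refresh 60 s before expires_in elapses so a request never races expiry.
        self.expires_at = self.clock() + int(reply.get("expires_in", 3600)) - 60

    def refresh_url(self):
        query = urllib.parse.urlencode({
            "grant_type": "refresh_token", "client_id": self.client_id,
            "client_secret": self.client_secret, "scope": self.scope,
            "refresh_token": self.refresh_token, "redirect_uri": self.redirect_uri})
        return f"https://{self.portal}/oauth/token/?{query}"

    def get_access_token(self):
        if self.clock() >= self.expires_at:
            self._store(self.fetch(self.refresh_url()))
        return self.access_token
```

Call get_access_token() before each REST request and write the current refresh_token to protected storage after every refresh, since the previous value is replaced.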



    © «Bitrix Inc.», 2001-2018, «Bitrix Inc.», 2018