topic Re: OAuth issues in ArcGIS Online Developers Questions

OAuth issues

BrianFlood — Tue, 06 Aug 2013 19:22:57 GMT

hello

I'm trying to exchange an authorization code for an access token and I'm getting a weird error about missing a "redirect_url" (which I thought was not even necessary for this part of the flow)

POST https://www.arcgis.com/sharing/oauth2/token

body:
code=LPr6MySmwV9msk5IudznYfsQgGXcLFmN1dt9XpNoWE-nSi4UeGldhVSiroOzEfiieP30udISuUdR15sxRjcij7UkSATbrRmWXDNo0E_k7VrGolKRmOYa0ILwhX4x_2va0XIVi-RBupeF4SWE7rWtnWmIksxdoiH2jIw3kA3uvqx56ZlbQM_-pcT6v3wYAk6dtXkRik_taKiBB71qS34kzw..&client_secret=MY_VALID_CLIENT_SECRET&grant_type=authorization_code&client_id=FO7xwMrLHLjijBnD

response:
200 {"error":{"code":400,"error":"invalid_request","error_description":"redirect_uri not specified","message":"invalid_request","details":[]}}

also, how long to the refresh_tokens last? can the original auth code be used to get a new refresh_token if it expires? (generally with other APIs they don't but in the docs they say it lasts about two weeks)

cheers
brian

Re: OAuth issues

BrianFlood — Tue, 06 Aug 2013 19:37:20 GMT

fwiw, the "redirect_uri" param is necessary for token requests (this is missing in the online docs here https://developers.arcgis.com/en/authentication/user-php-other.html)

working now, moving on...

cheers
brian

Re: OAuth issues

PatrickArlt1 — Thu, 08 Aug 2013 01:10:38 GMT

Looks like the docs are incorrect, refresh tokens should last forever.

Re: OAuth issues

BrianFlood — Thu, 08 Aug 2013 01:16:54 GMT

refresh_tokens - thanks, that makes more sense, had never come across refresh tokens that expired before

also, you should add that "redirect_uri" is needed when requesting an access token, thats missing from the docs too

cheers
brian

Re: OAuth issues

PatrickArlt1 — Thu, 08 Aug 2013 14:17:49 GMT

So you need to pass "redirect_uri" when calling https://www.arcgis.com/sharing/oauth2/token? Just want to make sure I know exactly what needs to get updated.

Re: OAuth issues

BrianFlood — Thu, 08 Aug 2013 15:27:35 GMT

yes, or you get the error above.

fwiw, it appears other API's require the redirect_uri to be passed in for verification (not actual redirection). see DropBox's OAuth2 token request: https://www.dropbox.com/developers/core/docs#oa2-token

Re: OAuth issues

BrianFlood — Thu, 26 Sep 2013 18:07:37 GMT

I'm starting to see Refresh Tokens expiring. This is what is described in the docs but, as patrick explained above, this should not happen. If this is the intended flow, how are we suppose to get a new refresh token? I've never seen another OAuth2 api that expired it's refresh tokens...

fwiw, do calls to refresh the access token sometimes return different refresh_tokens?

error:
'{"error":{"code":400,"error":"invalid_request","error_description":"refresh_token expired","message":"invalid_request","details":[]}}'

docs - https://developers.arcgis.com/en/authentication/user-php-other.html

relevant section (no mention on how to get a new refresh token):
"The refresh token can be used to obtain subsequent access tokens. Access tokens are short-lived. The app can get a new access_token by using the refresh_token obtained above. The lifetime of the refresh token that is returned by this call is controllable by the app. The default expiry time for the refresh token returned by this flow is two weeks. Using this flow, you can request a refresh token that is valid for a longer period by passing an expiration (in minutes) parameter during authorization. The refresh token that is returned may be valid for a shorter period than requested based on the maximum expiry time set by the user's organization or the platform."