Retrieving access token for third party app

ross1 · August 18, 2022, 10:01pm

I’ve been attempting to integrate a third party application with an M2M app following the instructions here. When testing the OAuth process, I’ve noticed the redirect URL that gets followed after providing access uses a # instead of a ? in the query string URL. This makes it so the access token provided cannot be parsed on the third party server. Just wondering if anyone knows a way to resolve this or if I may be going about this process wrong?

john.gateley · August 19, 2022, 1:04pm

Hi @ross1

Something isn’t right - third party apps are for users, and M2M apps are NOT for users.

You shouldn’t be trying to auth to a M2M app this way.

John

ross1 · August 19, 2022, 8:13pm

Hi John,

Okay, I guess I misunderstood what the different application types were meant for. After switching to a regular web application I’m still encountering the same issue. Any advice on how to get around it would be appreciated!

Thanks,
Ross

john.gateley · August 22, 2022, 3:02pm

Hi @ross1

Good - the next step is to properly get the access token. Is your app a SPA or a regular web app. I am assuming it is a regular web app that has a backend/server component.

You need to use the Auth Code flow, where the backend exchanges a code for the token.

This is normally done behind the scenes with an SDK (or one of our quickstarts).

See the docs here:

John

ross1 · August 22, 2022, 6:31pm

Hi John,

Yes the app is a regular web app. I’ve managed to perform the Auth code flow and receive a token, however this token appears to have an expiry. Ideally after the user provides permission to my third party application I’d want to be able to make calls on behalf of the user indefinitely. Is such a thing possible or would this require a different type of application or flow?

Thanks,
Ross

john.gateley · August 23, 2022, 12:57pm

Hi @ross1

Access tokens cannot be revoked, so an infinite lived access token would be a very bad thing - if it were compromised, the attacker would have access forever.

Access tokens should be short lived, and new ones created either by silent login and the web app session or by using a refresh token.

For 3rd party apps, refresh tokens are probably the way to go. And you can have infinite lived refresh tokens.

John

ross1 · August 24, 2022, 1:16pm

Hi John,

Okay, I guess refresh tokens are going to be the way to go with this. Thanks for all your help!

Cheers,
Ross

Topic		Replies	Views
SPA+Backend+3rd party API - Best practices for Authorization Code flow Help authorization-code-f	5	12576	March 27, 2019
AWS Lambda M2M OAuth Help sessions , reusable-refresh-tokens	2	688	November 29, 2023
Get/Create Refresh token Help classic-universal-login-experience , login-experience	6	469	April 26, 2024
Oauth/token not returning refresh token Help refresh-tokens	10	22850	August 29, 2023
Generate User Token on behalf of user OR exchange token with API Management? Help sso , application	1	143	July 5, 2024

Retrieving access token for third party app

Related Topics