Retrieving access token for third party app

I’ve been attempting to integrate a third party application with an M2M app following the instructions here. When testing the OAuth process, I’ve noticed the redirect URL that gets followed after providing access uses a # instead of a ? in the query string URL. This makes it so the access token provided cannot be parsed on the third party server. Just wondering if anyone knows a way to resolve this or if I may be going about this process wrong?

Hi @ross1

Something isn’t right - third party apps are for users, and M2M apps are NOT for users.

You shouldn’t be trying to auth to a M2M app this way.

John

Hi John,

Okay, I guess I misunderstood what the different application types were meant for. After switching to a regular web application I’m still encountering the same issue. Any advice on how to get around it would be appreciated!

Thanks,
Ross

Hi @ross1

Good - the next step is to properly get the access token. Is your app a SPA or a regular web app. I am assuming it is a regular web app that has a backend/server component.

You need to use the Auth Code flow, where the backend exchanges a code for the token.

This is normally done behind the scenes with an SDK (or one of our quickstarts).

See the docs here:

John

Hi John,

Yes the app is a regular web app. I’ve managed to perform the Auth code flow and receive a token, however this token appears to have an expiry. Ideally after the user provides permission to my third party application I’d want to be able to make calls on behalf of the user indefinitely. Is such a thing possible or would this require a different type of application or flow?

Thanks,
Ross

Hi @ross1

Access tokens cannot be revoked, so an infinite lived access token would be a very bad thing - if it were compromised, the attacker would have access forever.

Access tokens should be short lived, and new ones created either by silent login and the web app session or by using a refresh token.

For 3rd party apps, refresh tokens are probably the way to go. And you can have infinite lived refresh tokens.

John

Hi John,

Okay, I guess refresh tokens are going to be the way to go with this. Thanks for all your help!

Cheers,
Ross