OAuth access token expiry and refresh token API

(Hsamson) #1

On going through the OAuth based SmartApp development process, I noticed that the access token generated has a very long expiry. The ‘expires_in’ field is set to ‘1576799999’, which translates to approximately 50 years if the property is implemented as seconds (please correct me if I’m wrong). Will this access token expiry time be reduced in future for better security?

Also, I couldn’t find any API for refreshing the access token. Is this implemented somewhere?

(Michael) #2

I have been trying to figure this out as well with an external application opening my garage. The API is documented here: http://docs.smartthings.com/en/latest/smartapp-web-services-developers-guide/implementation.html

In my experience the access token only works once and then you have to go through the entire process again by obtaining an OAuth authorization code as well as the manual (human) interaction of authorizing the device. The manual step is something I am having issues with and curious if anyone has gotten around this. I would have thought the authorization code would not expire, but the access token would.

(Hsamson) #3

The access token will expire, eventually (in about 50 years). You wouldn’t have to worry about this if you don’t plan to run your app for more than 50 years. You don’t need the authorization code after you get an access token. You can get the installation endpoint URL by hitting: https://graph.api.smartthings.com/api/smartapps/endpoints?access_token=<Your access token>. Using the installation endpoint, you can access your SmartApp’s rest endpoints until the access token expires without any more user authorization.

By the way, I’ve noticed that once you get the access token, using the URL to generate an access token from the authorization code throws an error. I guess that would mean that the authorization code can be used only once.

In many OAuth 2 implementations, a way to refresh tokens is also provided along with a shorter expiry time for the access token (this Stack Overflow question details the use of access and refresh tokens: http://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens). Hence my original question, in case any changes are made to the access token expiry settings.

Hope this helps.
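As an added example (not code from this thread or from SmartThings), the following Python shows how a client can treat the `expires_in` value the posters discuss: compute the token's absolute expiry and lifetime in years, flag a token that outlives a local policy limit, build the endpoints discovery URL quoted above, and issue a standard RFC 6749 refresh grant only when the server actually returned a `refresh_token`. The policy limit, token URL, client credentials and sample token response are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request

# Values from the thread: the endpoints URL and the expires_in the poster saw.
ENDPOINTS_URL = "https://graph.api.smartthings.com/api/smartapps/endpoints"
SECONDS_PER_YEAR = 365 * 24 * 3600
MAX_LIFETIME = 24 * 3600  # assumed policy: flag tokens that outlive one day


@dataclass
class Token:
    access_token: str
    issued_at: float      # unix time the token response was received
    expires_in: int       # lifetime in seconds, as RFC 6749 defines the field
    refresh_token: Optional[str] = None

    @classmethod
    def from_response(cls, body: dict, issued_at: float) -> "Token":
        return cls(body["access_token"], issued_at, int(body["expires_in"]),
                   body.get("refresh_token"))

    def lifetime_years(self) -> float:
        return self.expires_in / SECONDS_PER_YEAR

    def expires_at(self) -> float:
        return self.issued_at + self.expires_in

    def needs_refresh(self, now: float, skew: int = 60) -> bool:
        # Treat the token as expired `skew` seconds early to absorb clock drift.
        return now + skew >= self.expires_at()

    def is_overlong(self, limit: int = MAX_LIFETIME) -> bool:
        return self.expires_in > limit


def endpoints_url(token: Token) -> str:
    # The discovery call from the thread: installation endpoints, keyed by access token.
    return ENDPOINTS_URL + "?" + urlencode({"access_token": token.access_token})


def refresh_request(token_url, client_id, client_secret, token: Token) -> Optional[Request]:
    # Standard OAuth 2 refresh grant (RFC 6749 section 6); returns None when no
    # refresh_token was issued, which is what the thread reports for this API.
    if token.refresh_token is None:
        return None
    form = urlencode({"grant_type": "refresh_token", "refresh_token": token.refresh_token,
                      "client_id": client_id, "client_secret": client_secret}).encode()
    return Request(token_url, data=form, method="POST")


# Constructed sample response mirroring the expires_in value quoted in the thread.
SAMPLE = Token.from_response({"access_token": "sample-token", "expires_in": 1576799999}, 0.0)
```

With the thread's value, `SAMPLE.lifetime_years()` rounds to 50.0 and `is_overlong()` is true, so a client that logs or alerts on that condition surfaces the long-lived credential instead of silently storing it.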