FAQ on RingCentral OAuth
Anirban Sen Chowdhary
We have already seen in our previous post how RingCentral secures and authenticates its APIs. Every RingCentral API is protected by RingCentral OAuth token authentication.
Whenever we call any RingCentral API, whether the SMS message creation API, the fax sending API or the call API, we first need to call the RingCentral OAuth token API to generate the access_token and refresh_token required to reach those APIs. Only a valid user or client presenting valid credentials can generate these tokens, and the tokens in turn grant access to the RingCentral APIs.
In this post we will look at some frequent questions that RingCentral users and clients face when accessing RingCentral APIs and dealing with RingCentral tokens.
Q) What is the URL of the RingCentral token API that generates the tokens? Ans: The path of the OAuth token API is /restapi/oauth/token. The development sandbox host is platform.devtest.ringcentral.com, whereas the production host is platform.ringcentral.com.
Q) Where do we find the Client ID and Client Secret required for authentication and token generation? Ans: These are found in the developer dashboard section of each application. Each application has its own Client ID and Client Secret, and even the same application has different Client ID and Client Secret values in each environment, e.g. the production Client ID and Client Secret differ from the sandbox ones.
We need to select the application in the developer dashboard and open its Credentials section.
Q) How do we regenerate the Client Secret? What if it is lost or compromised? Ans: The Client Secret cannot be regenerated; if a new one is needed we must create a new application. If our Client ID and Client Secret have been attacked, lost or stolen, we should immediately suspend that application in the developer portal and then create a new application. If we want to keep the same features, we can clone the application instead of configuring a new one from scratch.
Q) Is there a documented lifespan for the two tokens generated? How long do the access_token and refresh_token live? Ans: The defaults are:
• Access token lifetime: 3600 s = 1 hour
• Refresh token lifetime: 7 days (1 week)
Q) Is there some way to configure the OAuth call not to generate a refresh_token? Can it be disabled? Ans: Yes. Add refresh_token_ttl=0 to the OAuth token request along with the other parameters such as grant_type and extension. The refresh_token is then issued with a zero lifetime, so it is already expired by the time the response arrives and can simply be ignored. Some applications integrating with RingCentral do not need a refresh_token at all; for those, a password-grant request body without a usable refresh_token looks like this:
username=[ringCentralUsername]&password=[ringCentralPassword]&refresh_token_ttl=0&grant_type=password
Q) Why is a refresh_token required along with the access_token? Ans: Refresh tokens are credentials that can be used to acquire a new access token without prompting the user again. A refresh token lives much longer than an access token, and using it limits how often the user's credentials have to be sent over the network. The main idea is that if an access token is compromised, it is short-lived, so the attacker has only a limited window in which to abuse it. The flip side is that the refresh token itself is a long-lived credential and must be stored as carefully as the password it replaces.
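To make the two answers above concrete, here is an added example in Python (my own code, not code from this post, from RingCentral, or from its SDK). It builds the password-grant and refresh-grant requests against /restapi/oauth/token, honours refresh_token_ttl=0, and keeps an access token fresh by using the refresh token while it is valid and falling back to a full password login only when no usable refresh token exists. It assumes that the client credentials go in an HTTP Basic Authorization header with the grant parameters form-encoded in the body, and that the JSON response carries access_token, expires_in and, when issued, refresh_token and refresh_token_expires_in. The FakeTokenEndpoint, the injected clock and the sample credentials are constructed stand-ins so the example runs offline.

```python
"""Minimal RingCentral OAuth token helper (added example, not RingCentral's SDK).

Assumed, not taken from the post: Basic-auth client credentials, a
form-encoded grant body, and the response field names used below.
"""
import base64
import time
from urllib.parse import parse_qs, urlencode

SANDBOX_HOST = "https://platform.devtest.ringcentral.com"
PRODUCTION_HOST = "https://platform.ringcentral.com"
TOKEN_PATH = "/restapi/oauth/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client ID and Client Secret travel as HTTP Basic credentials (assumption)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(host, client_id, client_secret, params):
    """Return (url, headers, body) for one POST to the token endpoint.

    `params` holds the grant parameters: grant_type=password plus
    username/password/extension, or grant_type=refresh_token plus refresh_token.
    """
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return host + TOKEN_PATH, headers, urlencode(params)


class TokenStore:
    """Keeps an access token fresh, renewing via refresh token when possible.

    `transport(url, headers, body)` performs the POST and returns parsed JSON;
    it is injected so the example runs offline against a fake endpoint.
    """
    REFRESH_MARGIN = 60  # renew this many seconds before the access token expires

    def __init__(self, host, client_id, client_secret, transport, clock=time.time):
        self.host, self.client_id, self.client_secret = host, client_id, client_secret
        self.transport, self.clock = transport, clock
        self.access_token, self.access_expires_at = None, 0.0
        self.refresh_token, self.refresh_expires_at = None, 0.0
        self._login_params = None  # kept only so we can re-login without a refresh token

    def _call(self, params):
        url, headers, body = build_token_request(self.host, self.client_id, self.client_secret, params)
        resp = self.transport(url, headers, body)
        now = self.clock()
        self.access_token = resp["access_token"]
        self.access_expires_at = now + float(resp["expires_in"])
        # With refresh_token_ttl=0 the response carries no usable refresh_token.
        self.refresh_token = resp.get("refresh_token")
        self.refresh_expires_at = now + float(resp.get("refresh_token_expires_in", 0))

    def login(self, username, password, extension=None, refresh_token_ttl=None):
        params = {"grant_type": "password", "username": username, "password": password}
        if extension:
            params["extension"] = extension
        if refresh_token_ttl is not None:
            params["refresh_token_ttl"] = str(refresh_token_ttl)
        self._login_params = params
        self._call(params)

    def get_access_token(self):
        now = self.clock()
        if now < self.access_expires_at - self.REFRESH_MARGIN:
            return self.access_token
        if self.refresh_token and now < self.refresh_expires_at:
            # Valid refresh token: renew without resending the user's password.
            self._call({"grant_type": "refresh_token", "refresh_token": self.refresh_token})
        else:
            # No refresh token (refresh_token_ttl=0) or it expired: full login again.
            self._call(self._login_params)
        return self.access_token


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint; records every grant it receives."""
    def __init__(self):
        self.calls, self.counter = [], 0

    def __call__(self, url, headers, body):
        params = {k: v[0] for k, v in parse_qs(body).items()}
        self.calls.append(params)
        self.counter += 1
        resp = {"access_token": f"AT{self.counter}", "expires_in": 3600, "token_type": "bearer"}
        if params.get("refresh_token_ttl") != "0":
            resp["refresh_token"] = f"RT{self.counter}"
            resp["refresh_token_expires_in"] = 7 * 24 * 3600
        return resp


def demo():
    """Login, let the access token expire, and show renewal via the refresh token."""
    clock = [1_000_000.0]
    endpoint = FakeTokenEndpoint()
    store = TokenStore(SANDBOX_HOST, "client-id", "client-secret", endpoint, clock=lambda: clock[0])
    store.login("+16505550100", "user-password", extension="101")  # constructed sample credentials
    first = store.get_access_token()
    clock[0] += 3600  # access token expired, refresh token still valid
    second = store.get_access_token()
    return endpoint.calls, first, second


if __name__ == "__main__":
    calls, first, second = demo()
    print(first, second, [c["grant_type"] for c in calls])
```

The second call in demo() carries grant_type=refresh_token and no password, which is exactly the benefit the last answer describes; run it with refresh_token_ttl=0 instead and the store has to fall back to a password login once the hour is up.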
Hopefully these FAQ resolve most of our curiosity and questions about the RingCentral authentication mechanism for developers. In the next post I will bring some more FAQ on other topics.