ysahil97
commented
2 years ago Thanks @schmorrison for highlighting this issue. This point has been hampering me in building my backend server with zoho crm integration.
Closed schmorrison closed 2 years ago
ysahil97
commented
2 years ago Thanks @schmorrison for highlighting this issue. This point has been hampering me in building my backend server with zoho crm integration.
schmorrison
commented
2 years ago @ysahil97 I have recently had success using the "self-client" option again. Though the mechanism is a little weird and limiting.
zoho.GenerateTokenRequest() to receive a valid token and refresh token. The only limitation this poses is the token needs to be first retrieved within the expiry time set for the code in step 2, and the token needs to be refreshed with zoho.RefreshTokenRequest() every 60-minutes (API requests should issue a refresh automatically though)
"Refresh Token: Used to obtain a new access token after the old one expires. A refresh token does not expire. The maximum number of allowed refresh tokens per account is 20. The 21st refresh token will replace the first created refresh token."
This seems to suggest that applications running with self-client api tokens will need to be restarted with a new "code" if they miss a refresh window. And that a single account is limited to 20 applications running with self-client api tokens.
This could be a good target for a PR, better token management. possible options maybe:
I haven't tried obtaining an api token via the zoho.AuthorizationCodeRequest() using a regular domain name (ie. not localhost) as the redirect URL. They may have included a limitation to that effect. Are you using a localhost redirect URL?
ArneZsng
commented
2 years ago Isn't this solved by requesting the authorization code with the "prompt=consent&access_type=offline" flow?
schmorrison
commented
2 years ago @ArneZsng I don't remember the prompt=consent parameter in the OAuth flow, this code certainly doesn't know about it. If you can link to a doc that gives that option on the request that would be awesome.
I've seen your pull request and will review it in a few hours when i return from work.
AFAIK this issue is unresolved for the prompt type flow. I may have time to test for a refresh token tonight.
ArneZsng
commented
2 years ago @schmorrison I found it here: https://www.zoho.com/accounts/protocol/oauth/web-apps/authorization.html
To quote:
access_type - Value can be 'offline' or 'online'. If the value is offline, you will receive a refresh token along with an access token for the first time you make the request. Once the access token expires you can use the refresh token to regenerate them. Whereas if the value is online, you will receive only an access token. If you forget your refresh token or cannot access it, use the following parameter along with access_type to receive a new refresh token. Note: If the access_type is not mentioned as offline, by default it will be considered as online. prompt - Value must be 'consent'. If this parameter is included in the query, every time you generate an OAuth token, the user's consent approval will be mandatory. Example: To receive another refresh token, include access_type=offline and prompt=consent in your authorization request.
If I include the prompt=consent flag in the original authorization request, I do get a refresh token and an access token in exchange for the auth code.
Hope this helps!
schmorrison
commented
2 years ago I'll address this tonight, unless you beat me to it. ;)
ArneZsng
commented
2 years ago Not today, we are triggering the flow from our frontend web app, so I did not touch that part yet. :)
Zohos OAuth2 flow no longer returns "refresh_token" in the resposne JSON. This issue prevents applications from renewing the access tokens and as a result do not run long than 1-hour without needing re-consent via the browser.
This is a critical issue. A ticket has been submitted to Zoho.