Clarify comment in OAuthDemo re refresh_token?

[SteveDCronin]

In `- (void)getUrl:(NSAppleEventDescriptor )event withReplyEvent:(NSAppleEventDescriptor )replyEvent

NSString url = [event paramDescriptorForKeyword:keyDirectObject].stringValue;
ZKSforceClient client = [[ZKSforceClient alloc] init];

[client loginFromOAuthCallbackUrl:url oAuthConsumerKey:OAUTH_CLIENTID];

// in a real app, you'd save the refresh_token & auth host to the keychain, and on // relaunch, try and intialize your client from that first, so that you can skip // the login step.`

I have all this working but was shocked that ` ZKOAuthInfo oauth = (ZKOAuthInfo )client.authenticationInfo;

NSString *refreshToken = oauth.refreshToken; `

refreshToken is nil upon the execution of this method...
Therefore this token cannot be stored in the keychain within this method....

When will the refreshToken exist such that I can actually store this token? Perhaps adding some clarifying comments in the method would help..

Interestingly (at least to me) the 'url' above DOES contain an 'access_token'... I don't see a direct 'zk' way to obtain this token... Is this token useful to me? e.g.: url:xyz.abc.productName-salesforce:/oauth#access_token=00D3i000000EL1H%21ARIAQBFx43ZxdTW2Q8NYcWxXsPmY_Bsi9OQQSd4s2CWCFV9t7aeVKTlrQVdSgybd1wT9TgLx9F_K8bJYTdaSjD1zIrJvR3Ld&instance_url=https%3A%2F%2Fna112.salesforce.com&id=https%3A%2F%2Flogin.salesforce.com%2Fid%2F00D3i000000EL1HEAW%2F0053i000000uchMAAQ&issued_at=1563145801852&signature=XonWtMrqpGGeL3ejD%2FYifw7F5aHiiTbcCCzqjirC784%3D&scope=api&token_type=Bearer

Thanks for such a nice tool!

[SteveDCronin]

If, instead of saving the refresh_token and auth host, I save the url from above and then later (after a relaunch) simply do: [client loginFromOAuthCallbackUrl:url oAuthConsumerKey:OAUTH_CLIENTID];

will this work?

So I tried this and hit this error: INVALID_SESSION_ID: Invalid Session ID found in SessionHeader: Illegal Session. Session not found, missing session hash: dOb73r+x5UM5BAdmM3HgEtDndvWV2KnXgwjRjuPw8aY= This error usually occurs after a session expires or a user logs out.

I have monitored the instance of 'ZKSforceClient' over various states. In EVERY case its 'authenticationInfo.refreshToken' is nil.

Please advise on how to store a value in keychain that would permit subsequent login without an OAuth process.

[superfell]

In order to get a refresh token, your oauth consumer config needs to include the scope "Perform requests on your behalf at any time". Once you update the config, then you should get the refresh token that you can then stash away. As you've seen regular session Ids (aka access tokens) expire

[SteveDCronin]

Bingo!
This seems like advice that should be made directly visible to any to new users!

Thank-You.

[SteveDCronin]

What is your recommendation for the Refresh Token Policy?

In the meantime I’ve set it to ‘valid until revoked’…

On Jul 15, 2019, at 4:15 PM, Simon Fell notifications@github.com wrote:

In order to get a refresh token, your oauth consumer config needs to include the scope "Perform requests on your behalf at any time". Once you update the config, then you should get the refresh token that you can then stash away. As you've seen regular session Ids (aka access tokens) expire

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/superfell/zkSforce/issues/45?email_source=notifications&email_token=AAHYOD6TGBPHQCYK5RVNTFTP7UAK3A5CNFSM4IDGCSCKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZ7HKAQ#issuecomment-511603970, or mute the thread https://github.com/notifications/unsubscribe-auth/AAHYODYGLLK5VUEXNSLQWI3P7UAK3ANCNFSM4IDGCSCA.

[superfell]

reopening to remind me to update the comments.

Valid until revoked seems reasonable, that's how most oauth flows work.