Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
464 views
in Technique[技术] by (71.8m points)

docusignapi - How long the refresh token expires for the DocuSign API oAuth

the documentation from this link, said that Refresh tokens have a longer lifetime than access tokens, and you can use them to get new access and refresh tokens.. How long exactly before the refresh token expires in terms of seconds.

Thanks in advance.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

[I work for DocuSign. I consulted with the DocuSign Authorization engineering team to prepare this answer.]

The lifetime for refresh tokens vary depending on a variety of authentication policies.

After it expires, the client uses the Authorization Code Grant flow to request new tokens.

Since the human needs to be present whenever the Authorization Code Grant flow is used, this authentication technique should only be used for integrations where the authenticated user is present ("User Applications").

Other authentication techniques should be used for "Service Integrations."

Added

Not all Refresh Tokens in the DocuSign system have the same lifetime. Some will last for x amount of time, others will last for y amount of time. Why some will last for x and others for y depends on various authentication policies:

  • DocuSign platform policies
  • Account (customer) policy
  • The type of authentication that was performed when the user logged in
  • Etc

Re: other companies just use "14 days." DocuSign authentication enables the authenticated person to sign legal documents. So the question of the DocuSign token lifetime is not simple.

Bottom line: test your app to ensure that it gracefully handles expiration of both access and refresh tokens.

Added Aug 2018

Access Tokens received via the OAuth Authorization Code Grant flow usually have an 8 hour life. The accompanying Refresh Token usually has a 30 day life.

If extended scope is not requested in the authentication flow, then the Refresh Token, when used will return a new Refresh Token that will have the same expiration date as the original.

But if extended scope is requested, then, when the Refresh Token is used, the returned (new) Refresh Token will normally be good for an additional 30 days from that time.

So if extended scope is requested, and the user logs in at least once every 30 days, then the original and newly provided Refresh Tokens will enable the user to never have to re-authenticate himself or herself.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...