question

grant-botma avatar image
grant-botma asked benjamin-dean commented

Text Automation

I built a private app for a client about a year ago that allows him to set up HTTP posts throughout sales campaign sequences in his CRM that automate text messages from his team to clients. I'm wondering if this would be possible in a public application. Since the password auth flow isn't available in public applications, is there any way to re-authenticate a client in the background? The only way I can think of would be to encrypt and store a token (not ideal) and then re-use it when a request is made to our server. This would still require users to log in and obtain a new token on a regular basis, which detracts from the 'automation' appeal. If storing and reusing access tokens is what you'd recommend, what is the max that the 'refresh_token_expires_in' value can be set to?

Just double checking - a private application can only send messages from the account it was built for, correct?
topic-default
1 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

6 Answers

·
Tyler Liu avatar image
Tyler Liu answered
Since the password auth flow isn't available in public applications

I don't think so. Where did you get this information?


what is the max that the 'refresh_token_expires_in' value can be set to?

A week, or 604800 seconds. 


a private application can only send messages from the account it was built for
Private apps will be available for the users belonging to your RingCentral account only. Public apps will be available for users from other RingCentral accounts as well.
1 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

grant-botma avatar image
grant-botma answered
I don't think so. Where did you get this information?
I don't see it anywhere in the docs, but when creating a new app, the Authorization Flows that appear when 'Public' is selected don't include password flow, no matter the platform type. Also, I tried authenticating via password flow in a public application and received an error message letting me know that I was unable to authenticate using that method. Should I be able to use password flow in a public application? Do you know how I could enable that functionality?
1 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Tyler Liu avatar image
Tyler Liu answered
Hi, I just checked and I think you are right. Public app does NOT support password flow. I was not aware of this limitation before.
1 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

grant-botma avatar image
grant-botma answered
So is there another way to authenticate a client or retrieve a new auth token in the background so users won't need to enter their credentials on a regular basis?
1 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

benjamin-dean avatar image
benjamin-dean answered benjamin-dean commented
Hello Grant,

Using the Authorization Flow (3-Legged OAuth), your application code can enable customers to authorize an application to act on their behalf. Once a user has granted your application permission to do this, the Redirect URL of your application will receive a request with a "code" which your application then uses to obtain a valid "access_token" for that user (it also will have a refresh token). Here are some Authorization Flow implementation examples in multiple languages:  https://github.com/grokify/ringcentral-demos-oauth (you can also find these organized by programming language on the RingCentral Developer Portal SDK page).

Your code should cache the access_token and refresh_token, and then set a timer based on the refresh_token_ttl (the length of time to live for the until the refresh token expires).

Your application code should use the refresh token flow, when one of the following occurs:

1. Your access_token has expired, and the refresh_token is still valid (this is typically done while the user-session is still active).
2. When 80% of the refresh_token_ttl seconds have expired (this way your application still has 20% of the TTL seconds available in cases where there is a non-HTTP-200 response received while attempting to refresh your refresh token (this is typically done for long-running processes or service-workers such as what you've described for your use case).

The reason that RingCentral prohibits Password Flow on Public applications is because when a developer indicates an application will be public, that application has the ability to be installed in RingCentral accounts which are NOT part of your organization (which means that your API keys will be invalid for use while attempting to obtain an access_token) and because otherwise you would be required to store RingCentral usernames/passwords in your database(s) and this is a security risk we do not want you to be responsible for owning, and which we do not want to expose upon our users.
5 comments
1 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

grant-botma avatar image grant-botma commented ·
Hi Benjamin - Thank you for the detailed response.

I'm using the Ruby-SDK, which isn't listed under the official SDKs but seems to function similarly.

Our app is already implementing 90% of what you'e described - a user will log in, and hit an auth endpoint generated by the REST client. We're successfully caching tokens using the code provided in the callback URL after authenticating an account.

Unfortunately, the documentation for the refresh token flow isn't very extensive on the ruby-sdk readme - here's what it says:
The client automatically adds the correct access token to the HTTP request and handles OAuth token refresh using the  OAuthgem
I'm able to use the cached token with a new Rest Client, and the refresh performs automatically if the token's 'expires_at' time has passed, however I can't get access to the refresh token object after the refresh has been performed. Will I be able to reuse the original token object indefinitely so long as it's refreshed within a week of when the previous refresh was performed? I was under the impression that the refresh token would cease to work one week (or however long the 'refresh_token_expires_in' is set to) after the original token was issued.

One more question: does each number associated with a Ring Central account need to go through the Authorization Flow, or is a company administrator able to retrieve a token for the main (company) number that can be used by each number belonging to the account?

Thanks for your help, hope you're having a good day.
1 Like 1 ·
benjamin-dean avatar image benjamin-dean commented ·
The Ruby SDK is actually an official SDK and is part of the RingCentral Github Repositories ( https://github.com/ringcentral-ruby/ringcentral-sdk-ruby), but it has not been updated as such on the Developer Portal SDK page ( https://developers.ringcentral.com/library/sdks.html).

I would suggest adding a question on the issue tracker for the official Ruby SDK asking about refresh token flows and if the SDK caches / refreshes long-running sessions (and reference this community post as well) to get guidance or a solution from the authors:  https://github.com/ringcentral-ruby/ringcentral-sdk-ruby/issues

Regarding if each user (number/extension) needs to authorize an application, that is going to depend upon the requirements and operations said application performs and if it requires an administrator (for account-wide configuration) or other role. If you could provide some specifics, I might be able to help further.

Happy to help, having a great day, and hope you do too!
1 Like 1 ·
Tyler Liu avatar image Tyler Liu commented ·
Ruby SDK is unofficial because it lives in  https://github.com/ringcentral-ruby/ instead of  https://github.com/ringcentral/ .

Once a token is refreshed, the server returns a new token. The original token becomes useless and you can no longer do anything with it. So you should always save and use the new token.

Just my 2 cents for your reference.
1 Like 1 ·
grant-botma avatar image grant-botma commented ·
Awesome - the refresh token question has been directed to the gem creators/maintainers.

Regarding the application requirements & operations - the app is going to send automated text messages from a company's CRM. The messages will be sent from any/all of a company's employees, so we need to be able to send messages from any number associated with a given Ring Central account.

Does that give you enough info to answer the question about whether each user will need to retrieve an OAuth token, or whether a token for the main account line will be sufficient?

Thanks again for the help! 
0 Likes 0 ·
benjamin-dean avatar image benjamin-dean commented ·
You are correct Tyler (my fault I thought I saw the "ringcentral" org in the Github repository URI. My fault.
0 Likes 0 ·
Tyler Liu avatar image
Tyler Liu answered
Dean is correct. You can use the refresh token flow to refresh the token on a regular basis(to obtain a new refresh token before it expires). Each user only need to authorize your app once and only once.
1 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.