You are viewing limited content. For full access, please sign in.

Question

Question

Refresh API Access Token in Workflow Automatically?

Workflow Version 10 Integrations
Updated September 7, 2021
asked on September 7, 2021

Hey guys,

Just a quick one to see if anyone has done this before.

We are looking to integrate with a non-laserfiche service using the web request activity in Workflow to send requests to an internal API endpoint, however the service we are using requires authentication using an access token. The request to the authentication service returns something similar to the following, which then requires us to use the access token as authentication for any subsequent requests.

{
  "access_token": <access token>
  "expires_in": 3600,
  "refresh_expires_in": 0,
  "token_type": "Bearer"
}

We can get this working by requesting a new access token immediately before any API request we make in workflow (i.e. one request to the authentication service to gain a token, followed by another request to perform the actual API call) but this results in having to request a lot of new access tokens, when theoretically we could use the same token for up to an hour.

My question is - is there a way to refresh the access token automatically in the background somehow and use it across multiple different workflow instances to authenticate requests? Maybe using a cookie or something?

As I said, the way we have it working at the moment does work, but as we build more workflows that use this authentication service it's going to generate a lot of requests to the service, which may have some performance impact for the customer.

Cheers!

Dan

0 0

Replies

replied on September 7, 2021

You are right, access tokens aren't meant to be refreshed before every single request.

The way I'd go about this is by storing the 'refresh_token', the 'access_token' and 'expires_in' inside metadata fields on a document in the repo. You can use entry and field security to hide them from regular users.

There's a few different ways to handle the OAuth flow itself:

1. You can have a separate workflow that runs on a schedule (e.g. every 5 minutes) and checks to see if the access token is about to expire in, say, 10 minutes. If it is about to expire, renew it and store the new token in the metadata field for other workflows to use.

2. Have every request take place inside a try-catch branch. If the try branch fails because the access token expired (typically represented by a 401 status code, but depends on the service), renew it in the catch branch (which you can do via an invoked workflow) and then retry the failed request.

I think the second approach will be more reliable, because theoretically these tokens can be revoked by the third party, which may happen during an interval when the scheduled workflow has not run yet.

1 0
replied on September 7, 2021 Show version history

This will never have an impact to the customer because the workflow always runs in the background, and never blocks the UI.  "So what!" if you generate a lot of access tokens from workflow to workflow.  Unless there's a 3rd-party constraint that you can't generate X-# of access tokens per X-time limit, it's the 3rd-party's responsibility to manage those anyway!  Generating an access token is a tiny footprint, generally.

That being said, if there were a 3rd-party constraint, or I had custom apps that would suffer a performance hit, I would immediately implement @████████ 's suggestion ... using a scheduled task, instead of a scheduled workflow

1 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...