Refresh access token without asking the user to reauthorize

ANSWERED

Hi Friends,

Regarding the authorization:

If the client application uses the "Authorization Code Grant Flow" mechanism to get the authorization, can the client application use the refresh token to keep the token active (it has a lifetime) unless the user revokes authorization?

Here is the scenario:

The client application needs to fetch the user's Fitbit data after the user authorizes the client application.

But we don't want to ask the user to reauthorize it again and again. Please let me know.

Thanks in advance!

 

Yes, the refresh token provided as part of the Authorization Code Grant flow allows your application to perpetually renew the access token so that the user does not have to repeatedly go through the authorization process. Note that the refresh token changes every time it is used and a specific refresh token can only be used once.


Thanks Jeremlah! Is the refresh token specific to the user or client level?


The refresh token is paired with the access token. It is specific to the user.


So, if I want to maintain 100 users' authorization status (no expiry), then I need to make 100 calls every hour to refresh the tokens. Right?


@eDeveloper wrote:

So, if I want to maintain 100 users' authorization status (no expiry), then I need to make 100 calls every hour to refresh the tokens. Right?


You can refresh the access token at any time, even after it has expired. If you are making API requests every hour, then yes, you would need to make 1 refresh request every hour per user.


Got it. I appreciate your help.

Final clarification:

I can use the refresh token to refresh the access token at any time. But each unique refresh token will be useful one time only (as it creates a new refresh token on each refresh request).

Scenario:

1) User authorized the client application to get Fitbit data.

2) Fitbit sent the authorization code to the client application.

3) Client application got the refresh token and access token by using the authorization code.

4) After 3 days, the client application will not be able to use the access token to fetch the user data, as it expired in an hour.

But the client application can use the 3-day-old refresh token to get a new access token and then fetch the user data by using the refreshed access token.

Am I right?


That sounds correct. The refresh token does not expire after an hour, so you would be able to use the refresh token 3 days later to get a new access and refresh token.

Thanks a lot!
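The rotation discussed in this thread, as an added example that is not part of the original posts and is not Fitbit's code: a per-user token store that refreshes only when the access token has expired, replaces the stored refresh token with the new one each time, and serializes refreshes per user so a single-use token is never sent twice. `FakeAuthServer`, `TokenStore`, `ACCESS_TTL` and `user-1` are constructed for illustration; the in-memory server stands in for the provider's token endpoint so the example runs offline.

```python
import secrets, threading, time
ACCESS_TTL = 3600  # access token lifetime in seconds (one hour, as in the thread)

class FakeAuthServer:
    """Constructed stand-in for the token endpoint; not Fitbit's real API."""
    def __init__(self):
        self.live = {}  # refresh_token -> user_id, each valid for a single use

    def issue(self, user_id, now):
        refresh = secrets.token_urlsafe(16)
        self.live[refresh] = user_id
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": refresh, "expires_at": now + ACCESS_TTL}

    def refresh(self, refresh_token, now):
        user_id = self.live.pop(refresh_token, None)  # consumed on first use
        if user_id is None:
            raise PermissionError("refresh token unknown or already used")
        return self.issue(user_id, now)

class TokenStore:
    """Client side: one token record and one lock per user (hypothetical helper)."""
    def __init__(self, server):
        self.server, self.tokens, self.locks = server, {}, {}
    def save(self, user_id, record):
        self.tokens[user_id] = record
        self.locks.setdefault(user_id, threading.Lock())
    def access_token(self, user_id, now=None):
        now = time.time() if now is None else now
        with self.locks[user_id]:  # serialize refreshes so a token is never sent twice
            record = self.tokens[user_id]
            if now >= record["expires_at"]:
                # Replace the whole pair: the refresh token just sent is now dead.
                record = self.server.refresh(record["refresh_token"], now)
                self.save(user_id, record)
            return record["access_token"]

def demo():
    server = FakeAuthServer()
    store = TokenStore(server)
    store.save("user-1", server.issue("user-1", now=0))  # after the code exchange
    old_refresh = store.tokens["user-1"]["refresh_token"]
    first = store.access_token("user-1", now=10)         # still valid: no refresh
    later = store.access_token("user-1", now=3 * 86400)  # 3 days on: refreshed
    return server, store, old_refresh, first, later

if __name__ == "__main__":
    _, store, old, first, later = demo()
    print(first != later, store.tokens["user-1"]["refresh_token"] != old)
```

In a real deployment the token record would live in durable, encrypted storage, and the new refresh token must be written before the old record is discarded, since losing it forces the user back through authorization.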