10-08-2015 16:27
Hi Friends,
Regarding the authorization:
If the client application uses the "Authorization Code Grant Flow" mechanism to get the authorization, can the client application use the refresh token to keep the active token (which has a lifetime) unless the user revokes authorization?
Here is the scenario:
The client application needs to fetch the user's Fitbit data after the user authorizes the client application.
But we don’t want to ask the user to reauthorize it again and again. Please let me know.
Thanks in advance!

10-08-2015 17:16
Yes, the refresh token provided as part of the Authorization Code Grant flow allows your application to perpetually renew the access token so that the user does not have to repeatedly go through the authorization process. Note that the refresh token changes every time it is used and a specific refresh token can only be used once.

10-09-2015 06:21 - edited 10-09-2015 06:21
Thanks Jeremlah! Is the refresh token specific to the user or the client level?

10-09-2015 10:36
The refresh token is paired with the access token. It is specific to the user.

10-09-2015 11:10
So, if I want to maintain 100 users' authorization status (no expiry), then I need to make 100 calls every hour to refresh the tokens. Right?

10-09-2015 11:45
@eDeveloper wrote:
So, if I want to maintain 100 users' authorization status (no expiry), then I need to make 100 calls every hour to refresh the tokens. Right?
You can refresh the access token at any time, even after it has expired. If you are making API requests every hour, then yes, you would need to make 1 refresh request every hour per user.

10-09-2015 13:38 - edited 10-09-2015 13:40
Got it. I appreciate your help.
Final clarification:
I can use the refresh token to refresh the access token at any time. But the unique refresh token will be useful one time only (as it creates a new refresh token for each refresh request).
Scenario:
1) The user authorized the client application to get Fitbit data.
2) Fitbit sent an authorization code to the client application.
3) The client application got a refresh token and an access token by using the authorization code.
4) After 3 days, the client application will not be able to use the access token to fetch the user data, as it expired in an hour.
But the client application can use the 3-day-old refresh token to get an access token, and also fetch the user data by using the refreshed access token.
Am I right?

10-09-2015 13:54
That sounds correct. The refresh token does not expire after an hour, so you would be able to use the refresh token 3 days later to get a new access and refresh token.
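
An added example, not part of the original thread and not Fitbit's code: a per-user token store that refreshes only when an access token is actually needed, saves the rotated refresh token with it, and serializes refreshes per user so a single-use refresh token is never sent twice. `FakeAuthServer`, `TokenStore` and `refresh_call` are hypothetical names; `FakeAuthServer` is a constructed stand-in for the token endpoint, and in a real client `refresh_call` is assumed to wrap the `grant_type=refresh_token` request.

```python
import secrets
import threading
import time


class FakeAuthServer:
    """Constructed stand-in for a token endpoint with single-use, rotating refresh tokens."""

    def __init__(self):
        self.valid = {}      # refresh_token -> user_id
        self.refreshes = 0

    def issue(self, user_id):
        refresh = secrets.token_hex(16)
        self.valid[refresh] = user_id
        return {"access_token": secrets.token_hex(16),
                "refresh_token": refresh, "expires_in": 3600}

    def refresh(self, refresh_token):
        user_id = self.valid.pop(refresh_token, None)  # a token works only once
        if user_id is None:
            raise PermissionError("invalid_grant")
        self.refreshes += 1
        return self.issue(user_id)


class TokenStore:
    """Per-user token records, refreshed lazily when an access token is needed."""

    def __init__(self, refresh_call, clock=time.time):
        self._refresh_call = refresh_call   # assumption: wraps the real token request
        self._clock = clock
        self._records = {}
        self._locks = {}
        self._guard = threading.Lock()

    def save(self, user_id, response):
        # Store the new pair together: the old refresh token is now dead.
        self._records[user_id] = {
            "access": response["access_token"],
            "refresh": response["refresh_token"],
            "expires_at": self._clock() + response["expires_in"],
        }

    def access_token(self, user_id, skew=60):
        with self._guard:
            lock = self._locks.setdefault(user_id, threading.Lock())
        with lock:  # one refresh per user at a time, or the second would replay a used token
            record = self._records[user_id]
            if self._clock() >= record["expires_at"] - skew:
                self.save(user_id, self._refresh_call(record["refresh"]))
            return self._records[user_id]["access"]
```

In a real deployment the record would be written to durable storage before the new access token is used, since losing the rotated refresh token means the user has to authorize again.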
