Securing Your Client Application's Credentials
The client credentials grant type assumes your application has a secure place outside of the user agent (e.g., the browser or a mobile application) to store the client credentials (client id and secret) and access token. Typically, this means your application must run at least partly within a secure server where the credentials can be maintained in a secret store and used server-side only. The application's client credentials must not be exposed to your end users.
Some Recommendations:
- Spring/Java Rest Template
- Okta's OAuth2RestTemplate
- Intended for Azure, but the MSFT authentication library could be used for C# apps
- Example using common Python libraries; though it doesn't do automatic caching, it does have hooks for automatic refresh: OAuth 2 Workflow — Requests-OAuthlib 1.3.1 documentation
Access Token Expiration
- Access tokens expire in approximately 12 hours. You should cache your access token securely within your client application or system and reuse it until it expires, at which point project44 will respond with HTTP status code 401 Unauthorized, signaling that your application must generate a new access token using its client credentials.
- It is recommended not to keep track of the expiration time in your client application and instead simply make requests until a 401 Unauthorized is returned. The amount of time until a token expires is subject to change by project44 in the future.
Access Token Generation Rate Limiting
- project44 maintains rate limiting on the OAuth 2.0 token generation endpoint API (/api/v4/oauth2/token). No more than 5 tokens may be generated within a minute, with some lenience for small bursts over that amount.
- Frequent token generation is unnecessary and highly discouraged. Please reuse tokens as much as possible for improved security and performance.
Generating Multiple Access Tokens
- Generating a new access token does not invalidate any former access tokens for the same application. Thus, an application may have multiple valid access tokens at a time, but again, this should be avoided wherever possible, for improved security and performance.
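An added example (not project44's code, nor any of the libraries listed above) of the caching discipline described in the three sections above: hold one token, refresh it only when the API answers 401, retry that call once, and keep a local count of generations per minute as a precaution against the documented limit. `TokenCache`, `FakeTokenServer` and the token strings are hypothetical and constructed; the real token endpoint (/api/v4/oauth2/token) is replaced by the injected `fetch_token` callable so the script runs offline.

```python
from collections import deque

class TokenCache:  # caches one access token, refreshes it only after a 401, then retries once
    def __init__(self, fetch_token, send, clock, max_per_minute=5):
        self._fetch_token = fetch_token  # () -> new token via client credentials (server-side only)
        self._send = send                # (token) -> HTTP status of an API call made with that token
        self._clock, self._max = clock, max_per_minute  # clock() -> monotonic seconds (e.g. time.monotonic)
        self._token = None               # no expiry bookkeeping: the 401 is the refresh signal
        self._recent = deque()           # clock stamps of token generations within the last 60 s

    def _generate(self):
        now = self._clock()
        while self._recent and now - self._recent[0] >= 60:
            self._recent.popleft()
        if len(self._recent) >= self._max:  # local guard mirroring the documented 5-per-minute limit
            raise RuntimeError("refusing to generate more than %d tokens per minute" % self._max)
        self._recent.append(now)
        self._token = self._fetch_token()

    def request(self):
        if self._token is None:
            self._generate()
        status = self._send(self._token)
        if status == 401:  # expired token: generate a fresh one and retry exactly once
            self._generate()
            status = self._send(self._token)
        return status

class FakeTokenServer:  # constructed stand-in for the API: each token stays valid for `ttl` seconds
    def __init__(self, ttl, clock):
        self.ttl, self.clock, self.issued, self.generated = ttl, clock, {}, 0

    def fetch_token(self):
        self.generated += 1
        self.issued["constructed-token-%d" % self.generated] = self.clock()
        return "constructed-token-%d" % self.generated

    def send(self, token):
        return 200 if token in self.issued and self.clock() - self.issued[token] < self.ttl else 401

def demo(ttl=43200.0):  # reuse, expiry and refresh on a fake clock -> (statuses, tokens generated)
    clock = [0.0]
    server = FakeTokenServer(ttl, lambda: clock[0])
    cache = TokenCache(server.fetch_token, server.send, lambda: clock[0])
    statuses = [cache.request()]      # first call generates the token
    clock[0] = ttl / 2
    statuses.append(cache.request())  # same token reused, nothing generated
    clock[0] = ttl + 1
    statuses.append(cache.request())  # server answers 401: one regeneration, retry succeeds
    return statuses, server.generated
```

Running `demo()` walks a 12-hour token through reuse and one refresh with only two generations in total; the guard in `_generate` raises before a sixth generation inside one minute.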
Delete a Client Application
- To delete a client application, you must use the DELETE client application endpoint: link
- You cannot suspend the client application user from the User Management UI
Generate a new Client secret
If you have lost your client secret and therefore cannot generate a new token, or you would like to rotate your secret, follow the steps below:
- Use this endpoint
- You must authenticate with your username and password
- Note: token generation will fail if you generated a new secret but did not update the secret used in the token request
FAQs
- Currently, only up to 20 client applications may be registered at a time within your project44 account.
- Tokens last for 12 hours. Please store them!
- You can generate 5 tokens per 1 minute, with occasional bursts allowed.