Neil Kim

REST API and OAuth 2.0 Architecture

Hi all.
I'm a total newbie at using OAuth 2.0. Please help me kindly.

Before now, I've used a Site for making a public API.
However, this time I need to consider security. So, after several hours of study, I'm trying to use a Connected App with OAuth 2.0.
Using the Connected App (CId, CSecret) and a username/password, I can get an access token.

The point that I cannot understand now is the 'valid time of the access token'.
Is it permanent for the same Connected App and consumer,
or does it change every time it is issued?

1. Every time I call the API, get an access token using CId, CSecret, username and password.
2. Store the access token in a static attribute, then call the API with that access token.
    Add logic: if the static attribute is empty, get the access token again.

Is 1 or 2 the right approach? Or are there other things I need to consider?

Deepali Kulshrestha
Hi Neil,

Sessions expire based on your organization's policy for sessions. As long as the app is in active use, the session won't expire. The session ends once it is logged out, the timeout has elapsed, or it is otherwise expired (e.g. an administrator expires all sessions for the Connected App).

There's no way to know how long it will be until your session expires. It's not exactly "trial and error"; it is simply a normal process. Even if you were told that your session would expire in two hours, it might not last two hours if an administrator revokes the session, the session remains in use, etc.

If you use refresh tokens, your code should first try the regular API call, and if you get a 4xx result, try using the refresh token to get a new session token, and if that fails, then you've been kicked out and the user needs to re-authenticate to continue. If you don't use refresh tokens, you can skip the middle step, obviously.
Please refer to the link below for more information.


I hope you find the above solution helpful. If so, please mark it as Best Answer to help others too.
Deepali Kulshrestha
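The retry order described in the answer above, as an added example that is not part of the original thread and not Salesforce's own code: a Python client that keeps the access token cached (option 2 from the question) and asks for a new one only when a call comes back 401, first with the refresh token and then with a fresh username/password login, raising once even that is rejected. The FakeAuthServer, its /oauth2/token and /api/accounts paths, the credentials and the token strings are all constructed so the example runs offline; they are assumptions, not a real org's endpoints.

```python
import itertools
from typing import Dict, Optional, Tuple


class AuthError(Exception):
    """Neither the refresh token nor a fresh login produced a usable token."""


class FakeAuthServer:
    """Constructed in-memory token endpoint and API so the example runs offline (not a real org)."""
    def __init__(self, client: Tuple[str, str], user: Tuple[str, str]):
        self.client, self.user = client, user
        self._seq = itertools.count(1)
        self.live_access: set = set()     # access tokens whose session is still alive
        self.live_refresh: set = set()    # refresh tokens not yet revoked
        self.logins = self.refreshes = 0

    def _issue(self) -> Tuple[int, dict]:
        n = next(self._seq)
        self.live_access.add(f"access-{n}")
        self.live_refresh.add(f"refresh-{n}")
        # This fake returns a refresh token with every grant; real servers vary (assumption).
        return 200, {"access_token": f"access-{n}", "refresh_token": f"refresh-{n}"}

    def handle(self, method: str, path: str, headers: Dict[str, str], form: Dict[str, str]):
        if (method, path) == ("POST", "/oauth2/token"):
            if (form.get("client_id"), form.get("client_secret")) != self.client:
                return 401, {"error": "invalid_client"}
            if form.get("grant_type") == "password" and (form.get("username"), form.get("password")) == self.user:
                self.logins += 1
            elif form.get("grant_type") == "refresh_token" and form.get("refresh_token") in self.live_refresh:
                self.refreshes += 1
            else:
                return 400, {"error": "invalid_grant"}
            return self._issue()
        auth = headers.get("Authorization", "")       # every other path is the protected API
        if not auth.startswith("Bearer ") or auth[7:] not in self.live_access:
            return 401, {"error": "invalid_token"}
        return 200, {"records": [{"Name": "Acme"}]}

    def revoke(self, refresh_too: bool) -> None:   # timeout kills access tokens; an admin kills both
        self.live_access.clear()
        if refresh_too:
            self.live_refresh.clear()


class OAuthClient:
    """Caches the access token (the question's 'static attr') and refreshes it only when rejected."""
    def __init__(self, transport, client: Tuple[str, str], user: Tuple[str, str]):
        self.transport = transport        # callable(method, path, headers, form) -> (status, body)
        self.client_creds = {"client_id": client[0], "client_secret": client[1]}
        self.user_creds = {"username": user[0], "password": user[1]}
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None

    def _token_request(self, form: Dict[str, str]) -> bool:
        status, body = self.transport("POST", "/oauth2/token", {}, {**self.client_creds, **form})
        if status == 200:
            self.access_token = body["access_token"]
            self.refresh_token = body.get("refresh_token", self.refresh_token)
        return status == 200

    def _login(self) -> None:
        if not self._token_request({"grant_type": "password", **self.user_creds}):
            self.access_token = self.refresh_token = None
            raise AuthError("password grant rejected; the user must re-authenticate")

    def _refresh(self) -> bool:
        if self.refresh_token is None:    # no refresh token: skip the middle step
            return False
        return self._token_request({"grant_type": "refresh_token", "refresh_token": self.refresh_token})

    def get(self, path: str) -> Tuple[int, dict]:
        if self.access_token is None:     # empty cache: obtain a token first
            self._login()
        for attempt in range(2):
            status, body = self.transport("GET", path, {"Authorization": f"Bearer {self.access_token}"}, {})
            if status != 401:             # only 401 means the token itself was rejected
                return status, body
            if attempt == 0 and not self._refresh():   # expired or revoked: refresh, else re-login
                self._login()
        raise AuthError("freshly issued token rejected; giving up")


def run_scenario() -> Dict[str, object]:
    server = FakeAuthServer(("cid", "csecret"), ("neil@example.com", "pw"))
    client = OAuthClient(server.handle, ("cid", "csecret"), ("neil@example.com", "pw"))
    out: Dict[str, object] = {}
    out["two_calls"] = (client.get("/api/accounts")[0], client.get("/api/accounts")[0], server.logins)
    server.revoke(refresh_too=False)   # session timeout: the refresh token rescues the next call
    out["after_expiry"] = (client.get("/api/accounts")[0], server.refreshes, server.logins)
    server.revoke(refresh_too=True)    # admin revocation: refresh fails, the client logs in again
    out["after_revoke"] = (client.get("/api/accounts")[0], server.refreshes, server.logins)
    server.user = ("neil@example.com", "rotated")   # password changed and sessions revoked: lockout
    server.revoke(refresh_too=True)
    try:
        client.get("/api/accounts")
        out["locked_out"] = False
    except AuthError:
        out["locked_out"] = True
    return out
```

Two choices in the code are worth noting. It retries only on 401, because a 403 or 404 means the token was accepted and the request itself was refused, and re-authenticating on those would loop uselessly. It also never tries to predict the expiry time, exactly as the answer says: the cached token is used until the server rejects it. Whether the password grant returns a refresh token at all depends on the server; if it does not, `_refresh` returns False and the client falls straight through to a fresh login.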