I'm working on a "service integration" platform which connect several different accounts.
The idea behind is to have a single Web App to perform automated operations on several connected Platforms. For instance:
Due Date expiration:
- Slack message on Channel X
- Message via email at Admin X
- Create new task on Asana
Actually everything is working fine but I'm relying on the user access token. I get the token with OAUTH and I use it to perform all the call between my servers and the other platforms.
I'm facing 2 problems:
- I dont' thinks is the correct way to do it. In my understanding there must be a way, after the user "authorization" to the App, to perform all the operation without the "user token" but using a sort of "server side" token (with client ID and secret maybe)
- The user token expires after a couple of hours / days, and he must login to every service
Which is the correct way to do this? For instance, suppose I have to provision a new GSUITE / Google Account.
Right now I simply use the User Token obtained by the OAUTH client-side authentication and perform the request. Everything works like a charm.
How can I do the same thing Server Side? In a theoretical way, the user grants my App the permission to provide new users so, how can I do it without the "client-invervention"?
After some reading and some experiments I find out this approach.
Depending on the service you are working with, there are mainly 2 categories of "OAuth Login":
Single Token: after the login, the external server gives you a lifetime valid token to access to his info. The token stop working if the User removes the permissions to the App
Renew Token: after the login, the external server gives you a "timed token" (usually one hour) and a refresh token (always valid). The refresh token, used with APPID and APPSECRET can be used to obtain a new Authorization token.
Actually, I tested with: