Unirest + OAuth2

[brasta78]

Hi,

I'm very happy using Unirest in my project, please point me to the right direction - my application has many Rest API clients which communicate with endpoint using OAuth2. I'm not sure how to deal with response error: "accesstoken expired" and how to use refreshtoken... It should be done using Interceptor or OAuth2 part is in general not Unirest side and I must use some OAuth library?

Thank You

[ryber]

Hi @brasta78 you are correct in that OAuth2 is not a core part of Unirest. One of the challenges is that there are browser/user parts of most flows that Unirest simply cannot do, and so require larger frameworks. What one would depend on your application framework. (Spring etc).

However once you have an access token and a refresh token you could create a class that could deals with the expirations and refreshes to an extent. Keep in mind that a refresh token is basically a username/password, and so should be encrypted at rest and maybe not just hanging around in ram all the time even.

In any case I would recommend your class keep track of the expiration itself and not wait for a 403 from the remote server. As far as Unirest is concerned this could be loaded as a lambda for the headers like this:

    Unirest.config().setDefaultHeader("Authorization", () -> myTokenManagingClass.getToken())

You could use Unirest itself to get the refreshed access token of course inside that same class. It would probably need a different configured instance to avoid a circular dependency with the outer ones default header (if you used that).

There are a few supporting flows like this and client-credentials I've thought about adding to Unirest. I'll keep this issue open for those.

[brasta78]

I have implemented OAuth flow in my web application (plain jEE8) and of course I have access token and refresh token for every user and every API that user is connected and I'm able to call these API methods using Unirest. While access token expire time usually is 1h I'm searching beautiful way refresh access token in "background". @ryber what is your thought with myTokenManagingClass - refresh accesstoken before every API call or check expire time if is "valid" ?

[ryber]

hey sorry for the late response on this but I figured better late than never.

What you are doing is pretty common, especially with refresh tokens. just remember that the tokens are basically passwords, and so should be handled securely and encrypted at rest and in transit.