11-24-2023 09:52 AM
I'm trying to write an integration that doesn't have any user interaction, i.e., machine-to-machine API calls.
For this I created a service app, since the description seems to match my needs - it says that unlike a normal integration it doesn't depend on a grant from an individual user.
However, after creating the service app, I'm given a set of client_id + client_secret, which I assumed I was going to use in a standard OAuth 2.0 client_credentials flow - but this does not seem supported (or at least not documented)? Instead all I can find is how I should exchange my PAT for a refresh token using my PAT+client credentials, and then make sure to renew the refresh token every 90 days. Is that correct? If so, it's still dependent on the user from which the grant came, and if for some reason the service app does NOT run for 90 days, it will break and require a new grant to be produced.
What am I missing? Most machine-to-machine integrations normally use the client_credentials flow. Why isn't that supported (or is it?)?
11-24-2023 09:59 AM
https://developer.webex.com/docs/service-apps describes the authorization flow from a developer's perspective as well as from an admin one. After your app was authorized by an org admin, you'll get the access and refresh token as you'd do for an integration and you may renew them the same way. That token shown in the authorization process is not the one that is personal to the admin itself as it would be in an integration's case.
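The renewal bookkeeping an unattended service app needs around the refresh flow described in the answer above, as an added example that is not code from this thread or from Webex. It assumes a standard OAuth 2.0 `refresh_token` grant (RFC 6749, section 6) and a JSON response carrying `expires_in` and, optionally, `refresh_token` and `refresh_token_expires_in`; the function names and margins are hypothetical.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

DAY = 86400  # seconds

@dataclass
class TokenState:
    access_token: str
    refresh_token: str
    access_expires_at: float   # epoch seconds
    refresh_expires_at: float  # epoch seconds

def next_action(state, now, access_margin=300, refresh_margin=14 * DAY):
    """Decide what the unattended service must do at time `now`."""
    if now >= state.refresh_expires_at:
        # The grant has lapsed: an org admin has to authorize the app again.
        return "reauthorize"
    if now >= state.access_expires_at - access_margin:
        return "refresh"
    if now >= state.refresh_expires_at - refresh_margin:
        # Safety net for a long-idle app: renew while the grant is still alive.
        return "refresh"
    return "ok"

def build_refresh_request(state, client_id, client_secret):
    """Form body of a refresh_token grant; never log this, it holds secrets."""
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": state.refresh_token,
    })

def apply_refresh_response(state, resp, now):
    """Fold the token endpoint's JSON response into a new TokenState."""
    # If the server rotates the refresh token, persist the new one;
    # otherwise keep the current token and its known expiry.
    new_refresh = resp.get("refresh_token", state.refresh_token)
    refresh_exp = state.refresh_expires_at
    if "refresh_token_expires_in" in resp:  # assumed field name
        refresh_exp = now + resp["refresh_token_expires_in"]
    return TokenState(resp["access_token"], new_refresh,
                      now + resp["expires_in"], refresh_exp)
```

Run `next_action` from a scheduled job and alert on `"reauthorize"`, since that state cannot be recovered without an admin.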
12-01-2023 01:03 AM
@dtibbe So I understood from your previous response how to get started. But one thing is still confusing to me. The refresh token obtained via the admin authorization is provisioned to my app, but it has a 90 day expiration. Is there no way to programmatically obtain a new refresh token when it approaches expiration? Do I basically have to manually request and have a new refresh token authorized by an admin via the webex every 90-ish days and re-provision my server app with it?
11-24-2023 01:38 PM - edited 11-24-2023 01:39 PM
Thanks! Got it to work. I must say that this wasn't at all very clear. Yes, it was there on the service-apps docs page, but hidden in the details.
The fact that I am myself an admin but couldn't create the token directly, but instead had to go to the start page, find apps, find the pending auth request, authorize the request I made myself (!), then go back to my service app details only to THEN find the org authorizations section (which was completely hidden before) was not intuitive at all. Maybe the common flow is that the developer and the admin are two different persons, but in my case this separation of duties was just confusing.
Also the fact that I didn't get notified via e-mail about the pending auth request was surprising.
Anyway, got it working, much appreciated!