0

Some days ago I asked how to retain Box tokens (Load, save and use of authentication data in Box Android API). Now, when user wants to access his Box account I use this code to configure BoxAndroidClient:

client = new BoxAndroidClient(C, S);
client.authenticate(loadAuth()); //loadAuth() returns BoxAndroidOAuthData object

For short period of time after obtaining authentication data it works good. But after an hour or so I get an AuthFatalFailureException:

07-06 17:21:01.841: W/System.err(3647): com.box.boxjavalibv2.exceptions.AuthFatalFailureException
07-06 17:21:01.841: W/System.err(3647):     at com.box.boxjavalibv2.authorization.OAuthDataController.doRefresh(OAuthDataController.java:275)
07-06 17:21:01.841: W/System.err(3647):     at com.box.boxjavalibv2.authorization.OAuthDataController.refresh(OAuthDataController.java:191)
07-06 17:21:01.841: W/System.err(3647):     at org.redscorpio.cloudtest.network.Box$2$1.run(Box.java:71)

Line 71 is

client.getOAuthDataController().refresh();

but it happens every time I need to access Box:

client.getFoldersManager().getFolderItems(current.getId(), LIST_REQUEST()).getEntries();
client.getFoldersManager().getFolder("0", DEFAULT_REQUEST);

I suspect that my token is invalidated at some point, but I don't know why it can't be renewed and why it happens after such a short period of time.
What I can do to prevent this?

Community
  • 1
  • 1
Chris Miemiec
  • 755
  • 1
  • 9
  • 19

2 Answers2

1

When a user logs in and accepts your app's grant, you exchange the authorization_code for an access_token and a refresh_token (response shown below). The reason your token invalidates is that the access_token expires in one hour. You can exchange the refresh_token, which is valid for 14 days, for another one-hour access token. This is why you'll want the app to store both the access_token and the refresh_token, ensuring that a user will only need to re-authenticate if they return to the app after more than 14 days.

Using the refresh_token for another access_token will always return one more of each (refresh + access).

{ "access_token": "T9cE5asGnuyYCCqIZFoWjFHvNbvVqHjl", "expires_in": 3600, "token_type": "bearer", "refresh_token": "J7rxTiWOHMoSC1isKZKBZWizoRXjkQzig5C6jFgCVJ9bUnsUfGMinKBDLZWP9BgR" }

paapfly
  • 241
  • 1
  • 7
  • I was told that API takes care of reauthentication/refreshing automatically. What should I do now? – Chris Miemiec Jul 07 '13 at 07:08
  • I still don't know what to do with this Exception. And one more thing: How can I listen for events such as automatic token refresh or authentication? – Chris Miemiec Jul 07 '13 at 21:51
1

I am not exactly sure what's going on. The sdk does auto refresh the token. However every time the token is refreshed, you actually will get a new refresh token and new access token, the old refresh token will not be valid any more. So basically the easiest way probably is update your stored OAuth token object every time your api call succeeds.

In the meantime, can you double check(maybe add some loggings) whether the stored refresh token and access token are the latest ones? You can logcat out the access token in the code of token refresh: com.box.boxjavalibv2.authorization.OAuthDataController class, doRefresh() method. and in the place where api call is made: com.box.boxjavalibv2.authorization.OAuthAuthorization class, getAuthString() method.

Jian Lin
  • 331
  • 1
  • 5
  • Thanks for suggestion, I might have forgotten about saving tokens on every refresh (maybe I forgot about some events). I'll try it tomorrow (probably modify sdk code by adding listeners) and report if it works. – Chris Miemiec Jul 08 '13 at 21:02
  • Yep. It was exactly the problem with saving refreshrd tokens (my fault). Thank you for your help! – Chris Miemiec Jul 11 '13 at 22:59