0

I'm developing an app that is going to run on a headless server. To launch it I need access and refresh tokens, which are obtained with the following request: https://developers.upwork.com/?lang=python#authentication_access-token-request. I'm using Python, so my request looks like:

```python
import upwork

# Replace the placeholder strings with the values of your Upwork API key.
config = upwork.Config(
    {
        "client_id": "<my_client_id>",
        "client_secret": "<my_client_secret>",
        "redirect_uri": "<my_redirect_uri>",
    }
)

client = upwork.Client(config)

try:
    config.token
except AttributeError:
    # No token configured yet: run the interactive authorization step.
    authorization_url, state = client.get_authorization_url()
    # cover "state" flow if needed
    authz_code = input(
        "Please enter the full callback URL you get "
        "following this link:\n{0}\n\n> ".format(authorization_url)
    )

    print("Retrieving access and refresh tokens.... ")
    token = client.get_access_token(authz_code)
```

As a result, the token object looks like:

```json
{
    "access_token": "<access_token>",
    "refresh_token": "<refresh_token>",
    "token_type": "Bearer",
    "expires_in": 86400
}
```

Given access_token and refresh_token, I put them into my program and it launches successfully. To keep continuous access to the Upwork API I need a valid access_token, which expires every 24 hours, so I renew it with refresh_token. But the problem is that the latter's lifespan is 2 weeks, and when it's gone I can't use it to refresh the access token, so I need to get a new one. In the documentation I haven't found how to do so, and it seems that the only way is to go through the whole process of obtaining the token pair again as described above, but that's not an option for me because, as I said, I want to deploy the application on a headless server without the ability to redirect a user. I need a way to get a token pair every 2 weeks without manual intervention.

Expecting:

Find a way to refresh refresh_token without redirecting the user and without any manual intervention at all.

sviddo

2 Answers

0

You can set a timer that calls refresh-token a moment before it expires. This is one way to do it. But maybe someone will come up with a better idea. I've seen people doing this with the access token, which wasn't good practice in that case. But you have a different situation.

  • How can I use the access token to get a new refresh one? I need to somehow get a new refresh token after 2 weeks, as it expires; having it, I can get an access token. A timer is not appropriate for this at all. I need a request that permits me to get a new refresh token using current values such as the client id, client secret, and current access and refresh tokens – sviddo Jan 27 '23 at 19:05
  • Okay, I see, sorry, I misunderstood your problem a bit. I looked into the documentation under the "Refresh Access Token Request" and it says: "If you authenticated previously and have a working refresh token, this call returns the refreshed tokens and the TTL of the access token." So the request should return you a token pair with a new access and a new refresh token. That is the way OAuth works. If you don't send any requests for 2 weeks, then you have to re-authenticate. – Mark Durkot Jan 28 '23 at 00:31
  • Is the problem that you don't send requests for 2 weeks? – Mark Durkot Jan 28 '23 at 00:36
  • The problem is that I can request a new access token with a valid refresh token, but there is no way except a manual one to obtain a new token pair. There isn't a request to refresh the refresh token after 2 weeks (that's its lifespan), so I need to go through the whole process again, involving a user redirect – sviddo Jan 28 '23 at 20:19
  • Yes, but requesting a new access token should return you a token pair with both a new access and a new refresh token. Can you show me the response of the "refresh access token request"? OAuth works that way: whenever you request a new access token, it also sends you a new refresh token. – Mark Durkot Jan 29 '23 at 19:13
0

@sviddo, if there is no activity for 2 weeks, authentication is required, involving a manual user login. It's a security requirement.

The other thing is that a refresh token is valid for 14 days, and its TTL is automatically extended when a refresh is performed. If that's not the case, please contact the Support Team at Upwork.

mnovozhylov
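The approach the answers above describe (refresh before expiry and keep the rotated pair), as an added example that is not part of the original answers or of the Upwork library. `refresh_fn` is a hypothetical callable standing in for the Upwork refresh request; the file layout, the 5-minute margin and the function names are assumptions, and the 14-day window resetting on each refresh relies on the statement in the second answer.

```python
import json, os, tempfile, time

ACCESS_MARGIN = 300        # assumed: refresh when < 5 min of access token remain
REFRESH_TTL = 14 * 86400   # refresh-token lifetime stated in the answer above

def save_token(path, token, now):
    """Atomically write the token pair; the file is readable by its owner only."""
    record = dict(token, obtained_at=now)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # created 0600
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)  # a crash never leaves a half-written pair behind
    return record

def load_token(path):
    with open(path) as fh:
        return json.load(fh)

def status(record, now):
    """Classify the stored pair: 'ok', 'refresh' or 'reauthorize'."""
    age = now - record["obtained_at"]
    if age >= REFRESH_TTL:
        return "reauthorize"   # idle for 14 days: interactive login is needed
    if age >= record["expires_in"] - ACCESS_MARGIN:
        return "refresh"
    return "ok"

def ensure_fresh(path, refresh_fn, now=None):
    """Return a usable token record, rotating and persisting it when due."""
    now = time.time() if now is None else now
    record = load_token(path)
    state = status(record, now)
    if state == "reauthorize":
        raise RuntimeError("refresh token expired; interactive login required")
    if state == "refresh":
        new = refresh_fn(record["refresh_token"])
        # Keep the old refresh token if the response did not carry a new one.
        new.setdefault("refresh_token", record["refresh_token"])
        record = save_token(path, new, now)
    return record
```

Calling `ensure_fresh` before each API call, or from a scheduled job, keeps the stored pair from idling; the `RuntimeError` path is the case to alert on, since it can only be resolved by a manual login.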