1. Authentication

Expiry of OAuth refresh tokens

Our authentication system no longer allows refresh tokens with an indefinite lifetime. They now expire after 90 days. Depending on the OAuth grant that you are using, there might be specific changes to your implementation that you must make.

If you use a resource owner password credentials grant

If your integration is created using the resource owner password credentials grant, no changes are required.

Example
 
var passwordGrant = new OAuthPasswordGrant
{
    ClientId = "<YOUR_CLIENT_ID>",
    ClientSecret = "<YOUR_CLIENT_SECRET>",
    UserName = "<YOUR_USERNAME>",
    Password = "<YOUR_PASSWORD>"
};

IWebMClient client = MClientFactory.CreateMClient(new Uri("<YOUR_URL>"), passwordGrant);

If you use a refresh token grant with C# Web SDK

If your integration is created using the refresh token grant, then changes might be required if the refresh token is never updated.

When a refresh token expires, your integration should automatically request a new one from the authentication server. If an expired refresh token is provided, Content Hub will return a HTTP 401 error, so you need to update your integration to securely store and manage refresh tokens, ensuring they are not exposed to unauthorized access.

Example

If you're currently using the following:

string refreshToken = await LoadRefreshTokenAsync();
var refreshGrant = new OAuthRefreshTokenGrant
{
    ClientId = "<YOUR_CLIENT_ID>",
    ClientSecret = "<YOUR_CLIENT_SECRET>",
    RefreshToken = refreshToken
};

IWebMClient client = MClientFactory.CreateMClient(new Uri("<YOUR_URL>"), refreshGrant);

Then use this instead:

string refreshToken = await LoadRefreshTokenAsync();
var refreshGrant = new OAuthRefreshTokenGrant
{
    ClientId = "<YOUR_CLIENT_ID>",
    ClientSecret = "<YOUR_CLIENT_SECRET>",
    RefreshToken = refreshToken
};

IWebMClient client = MClientFactory.CreateMClient(new Uri("<YOUR_URL>"), refreshGrant);
client.RefreshTokenReceived += async (sender, eventArgs) =>
{
    await StoreRefreshTokenAsync(eventArgs.RefreshToken);
};

If you use a refresh token grant without C# Web SDK

If your integration is created without using the C# Web SDK but it does use the refresh token grant, you must update the initial refresh token with the new refresh token returned in a successful token response.

If you have suggestions for improving this article, let us know!