Silently refresh the RPT token¶
If you want to avoid having to respond to HTTP 401 errors to refresh the RPT token (see reauth on 401), you can opt to silently refresh the RPT token before it expires.
In this step by step guide we are assuming a service that acts on its own behalf.
Steps to follow¶
Beginning at the start, you want your service to start its initial authenticaton/authorization with Obelisk. This is a 2-phase protocol that requires an Auth Token to get the eventual RPT token that is required to talk to the Obelisk APIs.
Get Auth Token¶
Get RPT Token¶
To get the RPT token, you simply follow step 2 of the Auth details section. The access_token mentioned there, is the Auth Token acquired in our previous step. Now store the received RPT token and its refresh_token plus the expires_in time (which is in seconds). You will need it later. At the same time of receiving the RPT token, you have to schedule a refresh in the future. (see next step)
Schedule RPT refresh¶
Using the expires_in time of the RPT token minus some leeway (say 10 seconds), you can now schedule a refresh of the RPT token. This way the RPT token will be refreshed, before any 401 error occurs because it expired.
Do API request¶
Refresh RPT token¶
When the scheduled RPT refresh activates, refresh the RPT token. If the refresh_token is not expired yet (it shouldn't be if your service was not idle), you can simply refresh the RPT token, by following the procedure explained in step 4 of the Auth details section. Don't forget to save your new tokens and schedule a new RPT refresh (with the new tokens!). You should be able to call the Obelisk APIs again with the new tokens.
If you encounter a 401 Unauthorized, this will likely be because your service/application was idle for longer than the RPT token validity time. If this happens, the most pragmatic way to cope with it, is by redoing the auth procedure from the start.
You could also opt to first check if the RPT refresh token is expired already. If it is not, you might be able to do a RPT refresh anyway. If it is already expired, redo the auth procedure from the start as mentioned.