How to work with Refresh Token and Access Token?

Authentication Flow

After you have logged in, Quark Publishing Platform NextGen generates a pair of tokens as credentials, which are Access token and Refresh token.

This is applicable only for authentication via a form-based username/password and SAML based SSO.

Acquire Refresh Token

After authentication, Quark Publishing Platform NextGen sets Refresh token as a HTTP cookie named ce-auth. Quark Publishing Platform NextGen validates ce-auth everytime you request to get or renew an Access token.

Quark Publishing Platform NextGen sets ce-auth as a session cookie or a long lived presistent cookie based on whether or not you have selected the option Remember Me on the login page.

Acquire Access Token

After authentication, you can get an Access token by invoking the following API:

GET/auth/accessToken

In response, Quark Publishing Platform returns the following data:

1. A JSON formatted object containing

   a. token: A JWT based access token.
   b. duration: Duration for which the token is valid.
   c. rememberMe : A flag to identify if the user had requested the option of ‘Remember Me” in authentication flow.

2. The Access token, which is the value of the cookie named pwt.

Quark Publishing Platform NextGen validates pwt everytime you access a protected resource. Based on the resource, you must provide an Access token as a HTTP cookie or header along with request to access a resource.

Renew Access Token

An Access token or cookie expires soon (typically within 60 minutes). To continue working in Quark Publishing Platform NextGen without having to login again, you must renew the Access token using the same API that you use to get the Access token.

Default Expiry Configuration

• Refresh token: As long as the browser remains open (maximum 24 hours)
• Refresh token (with Remember me checked): 7 days
• Access token: 1 hour

If you have to access Quark Publishing Platform NextGen frequently, you must do either of the following:

• Periodically renew the access token
• Acquire an Access token before every batch of requests to API

You can acquire an Access token without authentication as long as the Refresh token is valid. When the Refresh token has expired, you get the error HTTP 401. In this case, Quark Publishing Platform NextGen displays the login page and you have to do the authentication again.

Get the Refresh Token as Text

You can use the following URL to get the Refresh token as text.

/auth/token

Quark Publishing Platform NextGen displays the Refresh token as text after the authentication, which contains the credentials of the authenticated user.

You can use the Refresh token to acquire an Access token.

Sample Access Token

The following information is available in an Access token:

{
// Unique ID to track tokens and their relations
    "uuid": string;
    // User ID as in Platform
    "id": string;
    // Type of token
    "type": “access” | “refresh”;
    // login name of user in Platform
    "userName": string;
    // CE license assigned to user.
    "licenseType": “author” | “access” | null;
    // The tenant ID
    "tenant": string;
    // version of token format. Value may be used to identify depcrecated or unsupported tokens.
    // 2.0 Version introduces access and refresh token pairs, uuid
    // 1.0 tokens are still valid as access tokens.
    "version"= “2.0”;
    // refresh UUId from which access token is generated
   "refreshTokenId?": string;
}