How to work with Refresh Token and Access Token?
Authentication Flow
After you have logged in, Quark Publishing Platform NextGen generates a pair of tokens as credentials: an Access token and a Refresh token.
This is applicable only for authentication via a form-based username/password and SAML-based SSO.
Acquire Refresh Token
After authentication, Quark Publishing Platform NextGen sets the Refresh token as an HTTP cookie named ce-auth. Quark Publishing Platform NextGen validates ce-auth every time you request to get or renew an Access token.
Quark Publishing Platform NextGen sets ce-auth as a session cookie or a long-lived persistent cookie, depending on whether you selected the Remember Me option on the login page.
Acquire Access Token
After authentication, you can get an Access token by invoking the following API:
GET /auth/accessToken
In response, Quark Publishing Platform returns the following data:
- A JSON formatted object containing
a. token: A JWT-based access token.
b. duration: Duration for which the token is valid.
c. rememberMe: A flag to identify whether the user requested the "Remember Me" option in the authentication flow.
- The Access token, which is the value of the cookie named pwt.
Quark Publishing Platform NextGen validates pwt every time you access a protected resource. Depending on the resource, you must provide the Access token as an HTTP cookie or header along with the request to access the resource.
Renew Access Token
An Access token or cookie expires soon (typically within 60 minutes). To continue working in Quark Publishing Platform NextGen without having to log in again, you must renew the Access token using the same API that you use to get the Access token.
Default Expiry Configuration
- Refresh token: As long as the browser remains open (maximum 24 hours)
- Refresh token (with Remember me checked): 7 days
- Access token: 1 hour
If you have to access Quark Publishing Platform NextGen frequently, you must do either of the following:
• Periodically renew the access token
• Acquire an Access token before every batch of requests to API
You can acquire an Access token without authentication as long as the Refresh token is valid. When the Refresh token has expired, you get the error HTTP 401. In this case, Quark Publishing Platform NextGen displays the login page and you have to authenticate again.
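The renewal pattern described above, as an added example (not Quark code): a small client-side cache that calls GET /auth/accessToken with the ce-auth cookie, reuses the Access token until shortly before it expires, and surfaces HTTP 401 as "Refresh token expired". The class and function names and the host https://platform.example are hypothetical, and treating duration as seconds is an assumption because the page does not state its unit.

```python
import json
import time
import urllib.error
import urllib.request


class RefreshTokenExpired(Exception):
    """The server answered HTTP 401: the ce-auth Refresh token is no longer valid."""


def http_fetch(base_url, refresh_token):
    """GET /auth/accessToken with the Refresh token in the ce-auth cookie."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send ce-auth over a non-HTTPS URL")
    req = urllib.request.Request(base_url.rstrip("/") + "/auth/accessToken",
                                 headers={"Cookie": "ce-auth=" + refresh_token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


class AccessTokenCache:
    """Hands out a valid Access token, renewing it shortly before it expires."""

    def __init__(self, base_url, refresh_token, fetch=http_fetch,
                 seconds_per_unit=1.0, margin=60.0, clock=time.monotonic):
        self._base_url, self._refresh = base_url, refresh_token
        self._fetch, self._clock = fetch, clock
        # Assumption: "duration" is in seconds; change seconds_per_unit if not.
        self._unit, self._margin = seconds_per_unit, margin
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            status, body = self._fetch(self._base_url, self._refresh)
            if status == 401:  # Refresh token expired: full login is required
                self._token = None
                raise RefreshTokenExpired("authenticate again to get a new ce-auth")
            if status != 200:
                raise RuntimeError("unexpected HTTP status %d" % status)
            self._token = body["token"]
            self._expires_at = now + float(body["duration"]) * self._unit
        return self._token

    def __repr__(self):  # keep both credentials out of logs and tracebacks
        return "<AccessTokenCache %s>" % self._base_url
```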
Get the Refresh Token as Text
You can use the following URL to get the Refresh token as text.
/auth/token
After authentication, Quark Publishing Platform NextGen displays the Refresh token as text. The Refresh token contains the credentials of the authenticated user.
You can use the Refresh token to acquire an Access token.
Sample Access Token
The following information is available in an Access token:
{
  "uuid": string;
  "id": string;
  "type": "access" | "refresh";
  "userName": string;
  "licenseType": "author" | "access" | null;
  "tenant": string;
  "version": "2.0";
  "refreshTokenId"?: string;
}