Questions regarding web application authentication and authorization

by Michel V

Hello,

I have some questions regarding the new authentication and authorization flow.

  • What is the “refresh token per user used” for? In other words how do I even get multiple valid refresh tokens? 

If you use the ‘Re use’ option you get the same refresh token after a refresh request in the response.
If you use the ‘One time’ option you get a new refresh token after a ‘refresh’ request in the response, and the old one is invalidated.

Are access tokens not invalidated when you start the auth flow for the same client?

 

  • What does the “The refresh token expiration in days” option precisely do in which scenario?

Does the slider reset after each successful refresh request or is this based on which “Refresh Token usage” option you have selected?
What use case(s) can actually invalidate your access and refresh token outside the scope of the web application itself, changing password for example?

 

  • What can you do with the API if you have not set any other integration scopes, so the only scopes you have are “openid, email and profile”?
  • Is there a way you can get Company information after authorization? The Id token only has user info but I am also interested in Company info. This was always possible through the ‘context’ endpoint but this one seems to be obsolete?

I thought maybe this was possible with the “Tenants” scope you are able to select at the ‘Identity Scopes’ option, but it seems that this scope does nothing; the phone and address scopes actually add information to your id_token.


  • Do you have to integrate your web application with the Visma store? In our tests it was mandatory to have the “API user” role to even start the web authentication flow; if you do not have that role, you are not able to select a company. Normal end users will never be able to do this easily, there is always some help required to set this up; this kind of makes the Visma store, other than for marketing purposes, a bit useless for web applications.


Thanks in advance!


Kind regards,
Michel

Accepted solution

by Michel V

Answers given by the VNI support team:

Refresh token per user: a new refresh token is obtained by the application for a user when a new authorization request (/connect/authorize) and token request are successful. That will issue a new access token/refresh token pair that counts towards the "Refresh token per user" configuration. So if your app has a configuration of 20 (max value) it can have a maximum of 20 refresh tokens in Visma Connect.


Refresh token usage: represents how a refresh token is handled after it is obtained.

  • Re use - the same refresh token will be returned when calling /connect/token with refresh_token grant type. 
  • One time - a new refresh token will be returned each time when calling /connect/token with refresh_token grant type. 

Refresh token expiration: the expiration is set with two different values:

  • Absolute expiration (option "The refresh token expiration is set to") is set as a fixed value from the moment when the refresh token was issued (through /connect/authorize).
    • If the "Re use" option is configured the max value can be configured as 180 days. That means the refresh token will expire after that period.
    • If the "One time" option is configured, the absolute expiration can be set to Unlimited, which means that the refresh tokens will remain valid if used within the "sliding expiration".
  • Sliding expiration (option "But will expire if not used in") is set as a fixed value each time a refresh token is used (through /connect/token with grant type refresh_token).

Access tokens are not expired: the access tokens are JWTs, which have the expiration set as a claim.


API access 

If your app only uses openid, email and profile, the access token cannot be used for calling the ERP API. When using the tenants scope together with the scopes of the API, your app can obtain tenant information from the /connect/userinfo endpoint. The response will contain an array of the tenants the user has access to.
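The refresh-token rules in the support answer above (Re use vs One time, absolute vs sliding expiration, the per-user cap) interact in ways that are easy to misread, so here is a small model of that policy that can be exercised offline. This is an added example and not Visma Connect's own code; the `authorize`/`refresh` method names, the eviction of the oldest token when the cap is reached, and the choice to keep the original authorization time as the absolute-expiry anchor for rotated One time tokens are assumptions, since the thread does not state them.

```python
"""Model of the refresh-token lifecycle described in the reply above.

Added example, not Visma Connect's code: it reproduces the documented
rules (Re use vs One time, absolute vs sliding expiration, the per-user
cap of 20) so the effect of each setting can be checked offline.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DAY = 24 * 60 * 60  # seconds


@dataclass
class RefreshToken:
    user: str
    issued_at: int   # time of the /connect/authorize that created the chain
    last_used: int   # time of the last refresh_token grant (or issuance)


@dataclass
class RefreshTokenPolicy:
    usage: str                       # "reuse" or "one_time"
    absolute_days: Optional[int]     # None models "Unlimited" (One time only)
    sliding_days: int                # "But will expire if not used in"
    max_per_user: int = 20           # "Refresh token per user", max value 20
    tokens: Dict[str, RefreshToken] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.usage not in ("reuse", "one_time"):
            raise ValueError("usage must be 'reuse' or 'one_time'")
        if self.usage == "reuse" and (self.absolute_days is None or self.absolute_days > 180):
            raise ValueError("Re use: absolute expiration must be set, at most 180 days")

    def _active(self, user: str) -> List[Tuple[str, RefreshToken]]:
        return sorted(((t, r) for t, r in self.tokens.items() if r.user == user),
                      key=lambda tr: tr[1].issued_at)

    def authorize(self, user: str, now: int) -> str:
        """/connect/authorize + code exchange: issues a brand-new refresh token.

        Every successful authorization adds one token to the user's count.
        Assumption (not stated in the thread): at the cap the oldest token
        is dropped rather than the authorization being refused.
        """
        active = self._active(user)
        if len(active) >= self.max_per_user:
            del self.tokens[active[0][0]]
        token = secrets.token_urlsafe(32)
        self.tokens[token] = RefreshToken(user, now, now)
        return token

    def is_valid(self, token: str, now: int) -> bool:
        rt = self.tokens.get(token)
        if rt is None:
            return False
        # Absolute expiration counts from issuance; None means Unlimited.
        if self.absolute_days is not None and now >= rt.issued_at + self.absolute_days * DAY:
            return False
        # Sliding expiration counts from the last refresh_token grant.
        return now < rt.last_used + self.sliding_days * DAY

    def refresh(self, token: str, now: int) -> str:
        """/connect/token with grant_type=refresh_token.

        Returns the refresh token the client must keep from now on: the same
        one under Re use, a new one (old one invalidated) under One time.
        """
        if not self.is_valid(token, now):
            self.tokens.pop(token, None)
            raise PermissionError("invalid_grant")
        rt = self.tokens[token]
        if self.usage == "reuse":
            rt.last_used = now            # sliding window restarts, token unchanged
            return token
        del self.tokens[token]            # One time: the old token is invalidated
        new = secrets.token_urlsafe(32)
        # Assumption: the absolute clock keeps running from the original
        # authorization, only the sliding window restarts.
        self.tokens[new] = RefreshToken(rt.user, rt.issued_at, now)
        return new
```

Two things the model makes visible: under Re use a token that is refreshed every few days still dies at the 180-day absolute limit, and under One time with Unlimited absolute expiration the chain lives for as long as each token is used inside the sliding window, which is why that combination deserves a short sliding value.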
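On the client side, the points in the answer that matter are that access tokens carry their expiry as a JWT claim, that a One time configuration hands back a new refresh token on every /connect/token call, and that tenant information comes from /connect/userinfo. The following is an added example, not Visma's SDK or sample code, of how a web application can handle all three without knowing which refresh-token setting the app has; the `tenants` field name in the userinfo response and the `make_unsigned_jwt` helper used to build a constructed test token are assumptions.

```python
"""Client-side handling of Visma Connect token responses.

Added example, not Visma's code: (1) check the exp claim of an access token
before use, (2) always persist the refresh_token from a /connect/token
response so both Re use and One time rotation work, (3) read the tenants
array from /connect/userinfo. The "tenants" field name is an assumption.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def access_token_expired(jwt: str, now: Optional[float] = None, leeway: int = 30) -> bool:
    """True when the access token's exp claim has passed (minus a clock leeway).

    Only the claim is read; the signature is not verified here. The resource
    server verifies the token, the client just uses exp to refresh proactively
    instead of waiting for a 401.
    """
    now = time.time() if now is None else now
    try:
        payload = json.loads(_b64url_decode(jwt.split(".")[1]))
        exp = int(payload["exp"])
    except (IndexError, KeyError, TypeError, ValueError):
        return True  # unparseable token: treat as expired and refresh
    return now + leeway >= exp


def apply_token_response(stored: dict, response: dict) -> dict:
    """Merge a /connect/token response into the stored token set.

    Under One time the response carries a new refresh_token and the old one
    is already invalidated; under Re use it carries the same value. Keeping
    whatever the response contains is correct for both, and a client that
    drops the new value under One time loses the session at the next refresh.
    """
    updated = dict(stored)
    updated["access_token"] = response["access_token"]
    if "refresh_token" in response:
        updated["refresh_token"] = response["refresh_token"]
    return updated


def tenants_from_userinfo(userinfo: dict) -> list:
    """Return the tenants array; empty when the tenants scope was not granted."""
    tenants = userinfo.get("tenants", [])  # field name assumed
    return list(tenants) if isinstance(tenants, list) else []


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test helper: alg=none JWT with an empty signature segment."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

The unsigned helper exists only so the expiry check can be exercised without a real token; a resource server must never accept an alg=none token, and this client code never relies on the signature at all, which is why it is safe to skip verification for the exp precheck.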