OAuth for server side apps

I need to interact with an API that only supports OAuth2.

The problem is, I would like to write a purely server side application which should sit there without a GUI polling an API every day.

The API gives me the ability to get the application token programmatically, but it looks like I need to implement the entire GUI flow to get the subsequent access token. This is because I need to log in via the application provider's web-based login screen.

It looks like I then need to get that access token, and copy this out as my server side credential where I recreate it. If that ever expires or goes bad, I'll need to go back via the GUI flow to get my server side access token.

Is my understanding correct here as this feels very clunky?

Specifically:

Can I avoid implementing the process where we link over to the application provider's login form?

Is it right that after doing this, I have to unpick an access token and store this within my server side application. I don't appear to have any control over whether that will expire?

I can see that e.g. Facebook specifically support server side and client side flow. I wonder if I'm coming up against limitations in this particular implementation of OAuth 2?

Benjamin Wootton asked May 10 '13 05:05


2 Answers

I don't know how you actually want the app to behave, but one thing is certain - you do have to input the user credentials once.

Once you authenticate and authorize (there are a lot of open questions on SO about automatic authentication), your app will get not only an access token, but also a Refresh Token. A refresh token is just what you need in your use case. You can store it on your server side. A refresh token does not have an expiration time. It lives till the user explicitly revokes permissions.

For any OAuth service provider there is a token exchange endpoint where you can exchange the refresh token for a (refresh token + access token) pair. So, at the backend (your server) you can at any time hit this endpoint - get a short-lived access token and perform the operation that you need to. This saves you all the effort of following the GUI flow every time.

See this link - https://developers.google.com/accounts/docs/OAuth2WebServer#offline

EDIT - Made some changes after reading your comment. You simply need to know how to use refresh tokens in your app.

divyanshm answered Sep 22 '22 17:09
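The refresh-token exchange described in the answer above, as an added example that is not part of the original post: a headless poller keeps only the refresh token, posts a `grant_type=refresh_token` request to the provider's token endpoint (RFC 6749 section 6) whenever its access token is near expiry, and stores whatever comes back. The endpoint URL and client credentials are placeholders; the code also handles the cases a daemon must survive in practice, a provider that rotates the refresh token on each exchange and an `invalid_grant` error that means the stored token was revoked and the interactive flow has to be run once more.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder values: substitute the provider's real token endpoint and client.
TOKEN_ENDPOINT = "https://example.invalid/oauth2/token"
CLIENT_ID = "client-id-placeholder"
CLIENT_SECRET = "client-secret-placeholder"


def build_refresh_request(refresh_token, client_id, client_secret):
    """Form body for the refresh_token grant (RFC 6749 section 6)."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def apply_token_response(stored, body, now=None):
    """Merge a token response into the stored credentials and return the new dict.
    Keeps the old refresh token unless the provider rotated it, and records an
    absolute expiry so the poller can check freshness before each API call."""
    now = time.time() if now is None else now
    if "error" in body:
        # invalid_grant: the refresh token was revoked or expired; the only
        # recovery is to run the interactive authorization flow again.
        raise RuntimeError(f"token refresh failed: {body['error']}")
    updated = dict(stored)
    updated["access_token"] = body["access_token"]
    updated["expires_at"] = now + int(body.get("expires_in", 3600))
    if body.get("refresh_token"):
        updated["refresh_token"] = body["refresh_token"]
    return updated


def access_token_is_fresh(stored, now=None, margin=60):
    """True if the stored access token is still valid with `margin` seconds to spare."""
    now = time.time() if now is None else now
    return stored.get("expires_at", 0) - margin > now


def refresh_access_token(stored):
    """Exchange the stored refresh token for a new access token over the network."""
    body = build_refresh_request(stored["refresh_token"], CLIENT_ID, CLIENT_SECRET)
    req = Request(TOKEN_ENDPOINT, data=urlencode(body).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return apply_token_response(stored, json.load(resp))
```

A daily poller would call `access_token_is_fresh` before each API request and `refresh_access_token` only when it returns False, so the stored refresh token is the single long-lived secret on the server.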


I've found that the typical solution to the problem I asked in this question is to use XAuth.

Many providers, such as Twitter and the application I am currently working against, support XAuth to provide a simplified flow without the user-interface-based authentication.

What is the difference among BasicAuth,OAuth and XAuth?

Benjamin Wootton answered Sep 20 '22 17:09