Implementing 3-legged flow asks me to be logged in first


Mozart Archilla

Oct 12, 2022, 10:42:30 AM
to Zengine Development
Hello everyone,

I'm working on an integration that would allow me to get private data from different users and their workspaces.

Yesterday I logged in and worked on implementing the 3-legged flow as described on https://zenginehq.github.io/developers/rest-api/auth/ and it worked, I called https://auth.zenginehq.com/oauth2/v1/authorize passing the necessary payload and at the end I got the 24-hour access token.

However, this morning I tried to make the same call, and to my surprise it asked me to log in, as if I were trying to access the workspaces through the Zengine UI. Once I logged in, as the user who owns the client I'm using, the call worked.

Am I doing something wrong? Isn't the point of the protocol to be authenticated only by passing the client API key, without having to log on first? If I got it wrong, what could be a way to get private data from multiple workspaces?

Thank you for any insights you can provide.

Wes

Oct 13, 2022, 11:49:26 AM
to Zengine Development
Hello,
This type of auth flow lets the user grant your app access to their data by logging in to our auth server and returning an access token and refresh token to your app. The access token lasts for 1 hour and I believe the refresh token lasts for 24 hours. This means the user will need to grant access again after those 24 hours have passed; however, they should redirect back to your app. This flow is ideal for user-facing integrations with multiple, 3rd-party users.

There are other approaches that are more server-to-server, or backend oriented, if the user is actually one of your users or is specific to your app.

Mozart Archilla

Oct 13, 2022, 11:55:36 AM
to Zengine Development
Hi Wes, thank you for the reply. The guide says "The access token you have now lasts for 24 hours", which is why I wrote that. In any case, 1 hour would also work. The problem is that once the token has expired and I need to call "authorize" again, it requires the user the client belongs to to be logged in again (doing the call through a browser redirects me to the login page).
What would be a backend oriented approach? Do you have any examples of this implementation?

Wes

Jan 20, 2023, 10:57:33 AM
to Zengine Development
Sorry for the delay, I missed your reply.

If your integration is using a Zengine account that you control and not a 3rd-party user, then you may be able to use a server-to-server approach, where you obtain a permanent access token (doesn't expire) for your user.

If that sounds like it's applicable to your situation then you can request a permanent access token here: https://webportalapp.com/webform/developer-application-registration

Wes
