Recommended Best Practices for Using OAuth 2.0 with the AT&T Advertising API
By William Yeckel, AT&T Developer Support Engineer
OAuth 2.0 is a nice, open protocol that allows secure authorization in a simple, standard way for web, mobile, and desktop applications. When it comes to integrating this technology with the AT&T API platform, there are some best practices that you should follow. The most important is to reuse your existing OAuth token. AT&T OAuth tokens do not expire for a long time (the setting is currently 5 years, but it is planned to be shortened), so there’s no need to repeat the network-intensive process of requesting, authorizing, and receiving a new OAuth token for each individual request to the AT&T APIs.
First let’s look at a typical AT&T OAuth token response. It will look something like this:
The parts of the response are:
1. “access_token” = the current access token
2. “token_type” = description of token
3. “expires_in” = token life length in seconds
4. “refresh_token” = the current refresh token. Note that “refresh_token” is set to expire in 1 year.
The 3 important pieces of this response are the access_token, expires_in, and refresh_token. The recommended best practice is to call the AT&T OAuth API once, and then store the “access_token”/“expires_in”/“refresh_token” combination in your application code. When your app needs to make its next call to the AT&T API platform, the original token can be used again. Reusing the access_token requires much less network overhead and should speed up your app’s performance. When it comes to maintaining your applications, here’s the OAuth token best practice we recommend.
OAuth Access Token Maintenance
Since the AT&T OAuth token expiration setting is planned to change at some point in the future, we recommend that developers code their applications to work with the “refresh_token” expiration of 1 year. This is a setting that will not change. We recommend that an application be written to first get and store the initial “access_token,” “expires_in,” and “refresh_token,” and then reuse the original token for all following calls to the AT&T APIs. Additionally, a timer should be set to request a new “access_token” and “refresh_token” at some point before the 1 year expiration of the “refresh_token” – say, 1 month prior to the expiration date.
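One way to implement the store-and-reuse pattern described above, as an added example that is not AT&T's own code. It checks the token's age on each use instead of running a timer, and it assumes a hypothetical fetch_token callable that performs the actual OAuth request and returns the response fields listed earlier; TokenCache and the file name are also illustrative.

```python
import json, os, time

REFRESH_TOKEN_LIFETIME = 365 * 24 * 3600  # refresh_token expires in 1 year (per the article)
RENEW_MARGIN = 30 * 24 * 3600             # renew about 1 month before that

class TokenCache:
    """Reuses one stored token and renews it before either token expires."""

    def __init__(self, path, fetch_token, now=time.time):
        self.path = path
        self.fetch_token = fetch_token  # hypothetical: fetch_token(previous_record) -> response dict
        self.now = now

    def _load(self):
        try:
            with open(self.path) as f:
                return json.load(f)
        except (FileNotFoundError, ValueError):
            return None  # no usable stored token yet

    def _save(self, response):
        record = dict(response, obtained_at=self.now())
        # New files are created owner-only: both tokens are bearer credentials.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(record, f)
        return record

    def needs_renewal(self, record):
        age = self.now() - record["obtained_at"]
        access_expired = age >= int(record["expires_in"])
        refresh_near_expiry = age >= REFRESH_TOKEN_LIFETIME - RENEW_MARGIN
        return access_expired or refresh_near_expiry

    def access_token(self):
        record = self._load()
        if record is None or self.needs_renewal(record):
            # The previous record (with its refresh_token) is handed to the fetcher.
            record = self._save(self.fetch_token(record))
        return record["access_token"]

if __name__ == "__main__":
    def fake_fetch(previous):  # constructed stand-in; makes no network call
        return {"access_token": "example-access", "token_type": "bearer",
                "expires_in": 157680000, "refresh_token": "example-refresh"}
    cache = TokenCache("token_cache.json", fake_fetch)
    print(cache.access_token(), cache.access_token())  # second call reuses the stored token
```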
For detailed information on using OAuth 2.0 with the AT&T API platform, please visit the OAuth documentation we have available online.
Thanks and happy token requesting!