Token being invalidated when config TokenTimeout is -1 (no expiration)

Hi there, I have an API that communicates with the D2L API in the background to do some scheduled and user-requested actions. Therefore OAuth does not work for me, as D2L does not support the OAuth client credentials grant type, which would allow a non-browser environment to request OAuth credentials. (https://community.brightspace.com/s/question/0D50A00000HKDPpSAP/is-oauth-client-credentials-grant-type-supported)

With that said, I had to generate API keys through https://apitesttool.desire2learnvalence.com/ and that worked fine for the last 6 months or so. Today the system was raising some issues, and checking them closely I saw a "403 - Invalid token" error coming from D2L API requests. This clearly indicates that my token has expired. However, in my understanding, I could generate tokens that do not expire if the variable 'Security.Api.TokenTimeout' in the 'Config Variable Browser' was -1, which I checked in the UI, and it is.

Is my understanding correct? Is the expiration of this token generated at 'apitesttool' controlled by 'Security.Api.TokenTimeout' or by any other variable?

Any help would be appreciated.

Gabriel

Answers

  • Gabriel.Pacheco47
    Posts: 9
    edited November 2022

    OK, for future people who may encounter the same issue: my issue was that the user I was using had its password reset.

    From the D2L API docs:

    The d2l.Security.Api.TokenTimeout config variable refers to the timeout period of the user id\key pair associated with the Valence authentication process. Put another way, these tokens are the x_b value and the basis for the x_d value that are sent as query parameters on every API call to identify the user. This timeout is often set at an interval of several days, or could be set to never timeout. In the latter case, the user id\key pair can only be invalidated by changing the user's password or explicitly revoking app access. Once the user id\key pair becomes invalid, the app will have to re-initiate the authentication process to receive a new user id\key pair to sign API calls.
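
A background service can treat "403 - Invalid token" as a signal that the user id/key pair is dead and stop signing with it instead of retrying. The sketch below is an added example, not code from the thread or from D2L; the `x_a`, `x_c` and `x_t` parameters, the `METHOD&path&timestamp` base string and the HMAC-SHA256/base64url signature format are assumptions about the Valence ID-key scheme that the quoted text does not spell out, and all names and values are constructed.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass
class UserCredential:
    user_id: str          # sent on every call as x_b
    user_key: str         # never sent; it keys the x_d signature
    valid: bool = True    # flipped once the server rejects the pair


def sign(key: str, base: str) -> str:
    """HMAC-SHA256, URL-safe base64, padding stripped (assumed format)."""
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def signed_query(method, path, app_id, app_key, cred, now=None):
    """Build the query string; refuse to sign with a pair known to be dead."""
    if not cred.valid:
        raise PermissionError("user id/key pair invalidated; re-authenticate")
    ts = int(time.time() if now is None else now)
    base = f"{method.upper()}&{path.lower()}&{ts}"   # assumed base string
    return urlencode({
        "x_a": app_id, "x_b": cred.user_id,
        "x_c": sign(app_key, base), "x_d": sign(cred.user_key, base),
        "x_t": ts,
    })


def handle_response(cred, status, body):
    """Map an API response to an action for the scheduler."""
    if status == 403 and "invalid token" in body.lower():
        cred.valid = False        # e.g. password reset or app access revoked
        return "reauthenticate"   # retrying with the same pair cannot succeed
    if status == 403:
        return "forbidden"        # a 403 whose body does not blame the token
    return "ok" if status < 400 else "error"
```

Raising an alert on the `reauthenticate` action surfaces a password reset or access revocation on the service account as soon as the first call fails.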