OAuth and emails

[GordonF]

Hi,

I've finally got round to implementing OAuth for some of our customers whose email accounts will very soon require it.

I've looked at the OAuth example particularly the Google example (I'll need Microsoft too). I understand the login procedure to get a Token and then using that token in the email Authorization string. The element I'm not at all clear on is the use of the token without forcing a login, I get setting OAuthParms.pForce = false and using the stored token doesn't call the login screen, but given the token I receive from Google has a life of one day does this mean I need to request a login everyday or does the rRefreshToken in the parameters group somehow play a part in auto renewing the Token. I'm assuming I need to initialise the OAuth class before sending or receiving emails to ensure I have a valid token, do I only need do this when the token has passed it's expiry date/time or every time?

I don't seems to get a refreshtoken, the value stored in the ini file is always blank.

I've read the documentation but I'm still struggling to understand the basic concept for renewing the token without requiring a user login every time, any advice would be very much appreciated, please assume I know nothing about the process.

Kind Regards
Gordon

[Bruce]

Hi Gordon,

So, you'll call the OAuthLogin procedure as part of your setup to call the API.

OauthLogin may, or may not, display a login screen to the user.
a) if the token is still valid it just returns
b) if the token has timed out, it'll try to get a refresh token. If that succeeds it'll just return.
c) If the above 2 fail the user gets to log in again.

>> I'm assuming I need to initialise the OAuth class before sending or receiving emails to ensure I have a valid token, do I only need do this when the token has passed it's expiry date/time or every time?

The OAuthclass is inside OAuthLogin, so you don't really need to do anything with it. You just call OAuthLogin and it'll figure it out.

>> I don't seems to get a refreshtoken, the value stored in the ini file is always blank.

Whether you get a refresh token or not depends on the service. I would expect refreshtokens to be stored in the ini file if they are successfully retrieved.

Cheers
Bruce

[GordonF]

Hi Bruce,

Thanks for replying, I'm doing as you suggest however I never get a refresh token from Google even if I remove the application from the Google list of third party apps and then run it again and confirm it is a valid app.

I may be incorrect but looking online it seems Google needs a couple of parameters setting to get a refresh token, access_type="offline" and prompt="consent", could you please give me a hint as to how and where I would add these parameters. Without the refresh token the users would need to login every hour as that as the life of a Google token, not really practical for our users as automatic emails will go during the night.

Any help will be gratefully received.

Many thanks
Gordon

[GordonF]

Hi Bruce it's solved I looked at your source in NetOAuth.clw and NetAll.inc and found out how to set the parameters, I hadn't realised there are more parameters in the oAuthParametersGroup than are mentioned in the OAuth docs. Once again you had it covered I just needed to look properly.

Many thanks
Gordon

[Bruce]

noted - I've updated the doc for the next build.