Will have if/when its complete…
If you use authorization code or password as credentials a refresh token is issued.
But password “may” disappear from the oauth2 specification in future, currently it is “not recommended” and it is planned to be removed from the oath2 module that farmOS uses by its maintainers, there have been some discussions in dev meetings / the chatroom as to whether or not the farmOS team should create a plugin to add that feature back when they migrate to the newer version, I guess that will be up to @mstenta and co.
If the password authentication is removed then “client credentials” would become the recommended alternative, in most cases this will probably be fairly similar to password authentication except the client will have its own password instead of the user password. However this does not return a refresh token, it is considered unnecessary as the authentication can be achieved unattended unlike “authorization code” (or “password” when implemented correctly)
So… Long story short, its fine to authenticate each time, but to reduce unnecessary authentication requests when a token is issued, so also is an integer representing how long the token will live, you can create a flow to only re-authenticate if the token has expired with a simple timer.
Refresh tokens are used to avoid storing user passwords in an application so only authentication flows that require user passwords produce them, by right that way the application should only ask for passwords once then forget them and reauthenticate only with the refresh token.
Yea, I’ll go with a refresh node for now, it will stand out in the flow as to what it is.
Perhaps a minuet or 2 should be shaved off of the expiry time incase there are a few API requests in the one flow.
I can adjust the times on my self hosted instance, I don’t know exactly what you have access to in Farmier but I’d suspect not. Probably a good security argument for not making them longer and maybe performance for not being shorter. But once handled correctly it won’t matter.
Then the new Refresh Node checks the current time against that and refreshes only if needed. The refresh node requires no configuration, so you can use one Oauth2V2 node to create a web style login on the dashboard then use the refresh node at the start of flows.
The plan is for a subrequests node, I haven’t looked too closely yet but I got a few pointers from @Symbioquine and @paul121. It hasn’t been very high up on on my todo list purely because I don’t have a very large number of animals and therefore don’t generate very large batches of logs or assets via the API. Plus I use a lot of group actions anyway so often one log per group does the job.
I will get to it eventually, I guess @Symbioquine’s last post is worth a read, which I’ll have a good look at that after I recover from what’s been a long day hauling cattle to the home farm and trying to convince 700kg+ cows to stand relatively still on a 1.5M scales.