I'm trying to refresh an OAuth token using Lync UCWA, following the examples here, https://msdn.microsoft.com/en-us/library/office/dn356686.aspx#sectionSection3
The example in their docs uses grant_type urn:microsoft.rtc:anonmeeting, but I am using a grant_type=password. My client is successfully authenticating against the /WebTicket/oauthtoken endpoint at first and I receive the access_token just fine.
After a few hours, I need to refresh the OAuth token by posting to /WebTicket/oauthtoken again with the parameters of:
grant_type=password
username=$my_username
password=$my_password
ms_rtc_renew=$access_token (cwt=AA....)
That is returning a status 400 though, with an error: invalid_request and a comment in the headers "No valid security token". The value I'm putting into ms_rtc_renew is the same value I'm using in all of my headers to other endpoints, 'Authorization' : ['Bearer $access_token'], so the token is working alright.
I have made sure that I'm using a header of Content-Type: application/x-www-form-urlencoded when posting to the /WebTicket/oauthtoken endpoint, and that I'm urlencoding the data before posting.
Has anyone else been able to refresh an OAuth token using Lync UCWA 1.0 and a grant_type=password? Any experienced UCWA devs out there recognize what I'm missing in my post to refresh the token?
Thanks in advance.
ms_rtc_renew is specific to the anonymous meeting grant type. In that same documentation it mentions:
Refreshing a token for authenticated users is the same flow as acquiring a new token.
This is the correct train of thought, but it does omit a few key pieces of information. If you are interested in keeping the original UCWA application valid, it is necessary to provide the same information when executing the POST request on applications, otherwise it will be creating a new application.
Expanded Answer
When you reach a point where the UCWA application is returning 404 to requests and indicating that the current OAuth token is invalid, it is necessary to renew. Following the steps of KeyTasks-CreateApplication, request a new token on step #5. At this point, take the new token, replace the Authorization header, and attempt to make the failed request.
If that does not work, consider re-creating the application (step #9) using the same data (UserAgent, EndpointId, Culture). You would need to replace any saved JSON data because the application URL might change between instances (not entirely certain).
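The renewal flow described in the answer above, as an added Python sketch that is not part of the original post or of any Microsoft sample: the token is re-acquired with the same grant_type=password form and no ms_rtc_renew, the Authorization header is replaced, and the failed request is retried once. UcwaSession, FakeServer, the transport callable and the cwt=constructed-N token values are hypothetical names and constructed data. Treating 401 as a renewal trigger alongside the 404 the answer mentions is an assumption.

```python
from urllib.parse import urlencode, parse_qs

TOKEN_PATH = "/WebTicket/oauthtoken"  # endpoint named in the question

def build_token_request(username, password):
    # ms_rtc_renew is deliberately absent: it belongs to the anonymous-meeting grant.
    return urlencode({"grant_type": "password",
                      "username": username, "password": password})

class UcwaSession:
    """Hypothetical wrapper; transport(method, path, headers, body) -> (status, payload)."""

    def __init__(self, transport, username, password, renew_on=(401, 404)):
        # 404 is the status the answer reports; 401 is added here as an assumption.
        self.transport, self.renew_on = transport, renew_on
        self._creds, self.token = (username, password), None

    def acquire_token(self):
        status, payload = self.transport(
            "POST", TOKEN_PATH,
            {"Content-Type": "application/x-www-form-urlencoded"},
            build_token_request(*self._creds))
        if status != 200:
            raise RuntimeError(f"token request failed with status {status}")
        self.token = payload["access_token"]

    def request(self, method, path, body=None):
        if self.token is None:
            self.acquire_token()
        for attempt in range(2):  # original try plus one retry after renewal
            status, payload = self.transport(
                method, path, {"Authorization": f"Bearer {self.token}"}, body)
            if status not in self.renew_on or attempt == 1:
                return status, payload
            self.acquire_token()  # same flow as the first acquisition

class FakeServer:
    """Constructed stand-in for the server: only the newest token is accepted."""

    def __init__(self):
        self.issued, self.token_bodies = 0, []

    def __call__(self, method, path, headers, body):
        if path == TOKEN_PATH:
            self.token_bodies.append(parse_qs(body))
            self.issued += 1
            return 200, {"access_token": f"cwt=constructed-{self.issued}"}
        ok = headers.get("Authorization") == f"Bearer cwt=constructed-{self.issued}"
        return (200, {"ok": True}) if ok else (404, {"error": "invalid token"})
```

Because this flow needs the password again at renewal time, a real client should read it from a protected credential store instead of holding it in memory for the lifetime of the session as this sketch does.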