OAuth API Refresh token?


#1

Pardon me if I’m asking the wrong questions, but with API access tokens only lasting 24 hours, how am I supposed to refresh the tokens once they expire?

Here’s a little bit of reference. I’m building a Discord Bot using Python and storing access_tokens in a MySQL database. Users will be able to utilize a command that will generate a user-specific URL to connect to the Blizzard servers and return an access_token that is then tied to their Discord User ID. This access token is used to query information about the user’s WoW characters and gather some information that can then be used in the Discord bot to notify the Discord when the user does certain things in the game that are accessible via the WoW API endpoints.

However, this token is only good for 24 hours and will eventually expire, which leads me to wonder: how can I refresh the token without prompting each user to log in every single day???

Typically OAuth token responses have the following:

{
    access_token:
    expiry:
    refresh_token:
}

This refresh token is sent to the same oauth/token URL with the URL parameter of ?grant_type=refresh_token, but the Blizzard OAuth API says this is an invalid grant type.

What can I do to avoid prompting users to log in every 24 hours to refresh their own access tokens?


#2

Unfortunately, refresh tokens are not available; you can’t properly refresh the token without user interaction.

As Battle.net sets an SSO cookie, the user won’t have to type in the password every time; the SSO lasts for 30 days.
You could probably use an iframe to obtain the token without user interaction by navigating to the OAuth2 login page, but it is bad practice, and it is very tricky to determine whether the SSO was still valid or not from the parent document.
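
An added example, not part of either post: since no refresh token is issued, the bot can track each stored token's expiry and, once it lapses, hand the user a fresh login link whose `state` value is bound to their Discord ID so the callback cannot be attached to another account. `AUTHORIZE_URL`, `CLIENT_ID`, `REDIRECT_URI` and all function names are placeholders assumed for illustration, not values from the provider.

```python
import hashlib, hmac, secrets, time
from urllib.parse import urlencode

# Placeholders (assumptions, not values from the thread or the provider).
AUTHORIZE_URL = "https://oauth.example.invalid/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://bot.example.invalid/callback"
STATE_KEY = secrets.token_bytes(32)   # keep in a secret store in a real bot
EXPIRY_MARGIN = 300                   # treat tokens as dead 5 min early

def _now(now):
    return time.time() if now is None else now

def is_usable(expires_at, now=None):
    """True while the stored access token still has useful lifetime left."""
    return _now(now) < expires_at - EXPIRY_MARGIN

def _sign(payload):
    return hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).hexdigest()

def make_state(discord_id, now=None):
    """OAuth state that binds the login link to one Discord user (numeric id)."""
    payload = f"{discord_id}.{int(_now(now))}.{secrets.token_hex(8)}"
    return f"{payload}.{_sign(payload)}"

def verify_state(state, max_age=600, now=None):
    """Return the Discord id the callback belongs to, or None if forged/stale."""
    try:
        discord_id, issued, nonce, sig = state.split(".")
        age = _now(now) - int(issued)
    except ValueError:
        return None
    expected = _sign(f"{discord_id}.{issued}.{nonce}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return discord_id if 0 <= age <= max_age else None

def token_or_reauth(discord_id, row, now=None):
    """row is the stored (access_token, expires_at) pair, or None if absent."""
    if row is not None and is_usable(row[1], now):
        return ("token", row[0])
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "response_type": "code",
                       "state": make_state(discord_id, now)})
    return ("reauth", f"{AUTHORIZE_URL}?{query}")
```

When the result is `"reauth"`, the bot sends the link to that user; the callback handler should discard any request for which `verify_state` returns `None`.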