Using StandardAuth for backend automations without user interaction #262

Open
keenfann opened this issue Nov 25, 2022 · 6 comments

@keenfann

We have various integrations that interact with Fortnox where we automatically get/create/update invoices, customers, contracts and other entities. These integrations are executed in our integrations solution without user interaction.

We are currently using StaticTokenAuth but since this is deprecated, and the StandardAuth flow requires a user to interactively sign in, what are the guidelines for our scenario? I cannot find a /login endpoint or similar where our application can get a token that we can use in subsequent requests.

@richardrandak
Collaborator

Hello! As far as I know, the only way to have automated integrations is to handle token refresh periodically. The initial setup must be done interactively.
So, a one-time setup with a user, and then an automated connection that uses the refresh token to keep it alive.

@keenfann
Author

Thanks for the response!

The method you're suggesting feels kinda unusual. Would it be possible for you to post an example in the readme or a sample project for this flow?

@sblomstrand

This does not feel like a viable solution in server-to-server scenarios.
Is there not a client credentials flow to retrieve auth-tokens using clientId and clientSecret?

@xpagedeveloper

The new Auth flow is that you always need to start with a user interaction and authorization.
After that you have an auth token and a refresh token. The refresh token is used to get a new auth token and a new refresh token.
You need to do this refresh at least with a 30-day interval; I use 20 days in our applications.
You will need to have some kind of single-threaded update function so you don't lose or mix up the refresh token, because if you do, you will need to restart the initial auth flow with a user involved.

@sblomstrand

That would work if there is only one application accessing the token. In a distributed environment where several applications access the same token and simultaneously need to refresh that token, we would need to implement a distributed lock on the refresh in order to not have a race condition. Or am I mistaken?
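
The serialized refresh discussed in the two comments above, as an added example in Python (not code from this thread or from the project). It assumes the token pair lives in a JSON file and that `exchange` is a hypothetical callable wrapping the provider's token endpoint; the `flock` used here only covers processes on one POSIX host, so across hosts the same read, check, rotate, persist sequence would run under a lock in the shared token store.

```python
import fcntl
import json
import os
import tempfile
import time
from contextlib import contextmanager

REFRESH_AFTER = 20 * 24 * 3600  # seconds; the 20-day interval suggested in the thread


@contextmanager
def exclusive(lock_path):
    """Advisory flock: serializes refreshers across processes on one POSIX host."""
    with open(lock_path, "w") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        try:
            yield
        finally:
            fcntl.flock(fh, fcntl.LOCK_UN)


def load(path):
    with open(path) as fh:
        return json.load(fh)


def save(path, state):
    """Write a 0600 temp file, then rename, so a crash cannot leave half a token pair."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def get_tokens(path, exchange, rejected=None, now=time.time):
    """Return the current pair, rotating only if it is old or still the rejected one.

    exchange(refresh_token) -> (access_token, refresh_token) is a hypothetical
    callable wrapping the provider's token endpoint. Pass rejected=<access token>
    after the API has refused that access token.
    """
    with exclusive(path + ".lock"):
        state = load(path)  # re-read under the lock: a peer may have rotated already
        too_old = now() - state["refreshed_at"] >= REFRESH_AFTER
        if too_old or state["access_token"] == rejected:
            access, refresh = exchange(state["refresh_token"])
            state = {"access_token": access, "refresh_token": refresh,
                     "refreshed_at": now()}
            save(path, state)  # persist the new refresh token before unlocking
        return state
```

Workers that lose the race find the already-rotated pair when they re-read under the lock, so the old refresh token is presented to the token endpoint only once.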

@mohsin-patel

mohsin-patel commented Jan 18, 2024

What will happen if the refresh token expires somehow due to a failure of the system's refresh routine? The end user will see a login prompt, enter their credentials, and the whole system will start with a new token generated from the end user's credentials :)

I think the authorization code flow is good for client-centric integrations. You people should enable other types of integration flows so other people can just use one account for generating invoices.
