Is it possible to refresh a Frontdoor API token or is there a need to login again every time a token expires?

When logging in through the API, the return headers suggest that it's possible to renew a token, but I haven't seen an endpoint for token refresh.

The relevant headers are below:

renew_after → 1546529845689
renew_till → 1546573015689
valid_till → 1546533415689

Hi Joseph,

I have looked through all of the documentation I have access to internally with Apptio and have not found any answer to this question you have raised. I have already started chasing this for you to see if I can get a definitive answer however so far have not received a response. I will as a next step raise a support ticket and endeavour to follow this through and update for you here this week.

As an FYI - in my API testing I have had to regenerate a brand new token when an existing one expires. The one thing that may need consideration here, is your account SSO authenticated or are you using username/password to sign into Apptio?

Regards,

Mark

Mark,

Thank you. We are using SSO, but I generated an API key to authenticate with the API. Just wanted to know if there was a way to refresh the apptio-opentoken after it expires.

Hi Joseph,

for your reference, as per my testing and also from raising a support ticket when I was having API issues, I have found out that SSO authenticated roles are not actually able to access pretty much most of the API endpoints in an environment. I was able to generate a token and also get the environment details via API calls. However this seems to be the limit of the API functionality, because whenever I was trying download a table from an endpoint or access another part of an environment I was receiving a "401 - user unauthorized" style of error. See this article for more information:

Frontdoor API: Overview of API keys and FAQ 

The workaround here and recommendation I have been given is that you will need to create a user account that does not authenticate using SSO and has the permissions required within the environment (eg. api-user@yourcompanydomain.com). My testing has confirmed this does work and I was able to make calls against the API endpoints with this user account.

In relation to your original question, I am still waiting for a response from support around the refresh functionality of API tokens. I hope to have an answer for you in the next few days.

Thanks Mark

Mark,

Thanks. With regard to the SSO based API key, it's been fully functional downloading report content. The only issue I've had was limiting the roles associated with it, so I think your suggestion about using a separate user would be helpful for that.

Hi Joseph,

my apologies for the delay in getting this response to you. I have just received an update from Apptio support now on this question you have raised.

The Apptio API does not currently support a "refresh token" call, however there have been some works commenced on the functionality. At this stage I do not have an ETA or release version this is scheduled to be delivered in.

You will need to use the current functionality to generate a token using the public/secret key pair. From my testing a secret key does not seem to expire.

If there are any other questions then please let me know and thank you again for your patience.

Mark

Joseph, 

You can renew your token, the endpoint for token renewal is /service/renewtoken.  Tokens can be renewed up until the renew_till time, after which you'll need to login again.

-Casey

Casey,

Thank you. I just tried that, but it's unclear what type of data that endpoint expects.
I tried passing it the apptio-opentoken while the token was still valid and it seemed to work, but it provided the same token in response. I then tried submitting the same apptio-opentoken as a header shortly after the token expired, but before the renew_till time, and I got the following response:

{
    "error": "You are not authorized to make this call. Please make sure you set the proper authentication headers. If you're using an auth-token already, make sure it hasn't expired. ",
    "translationKey": "FD_NOT_AUTHENTICATED_ERROR",
    "substitutions": []
}

The open-token should just be supplied as a header value, it needs to be renewed before it expires.  The token returned will be the same but the times will be updated.  The values renew_after and valid_till times will be updated, you can see this if you check the headers in a browser and just hit the /service/renewtoken endpoint.

Thanks, so if I'm understanding correctly you can refresh a token any time before the valid_till time and once the renew_till time passes, a full login has to be done?

Thats correct.

Hi Joseph,

I use the frontdoor API extensively for datalink. I just refresh the token on every call.

Here is the python code I use to do it:

##### Declarations go here
FRONTDOOR_URL = 'https://frontdoor.apptio.com/service/apikeylogin'
APIPUBLICKEY = 'THIS_IS_YOUR_PUBLIC_KEY'
APISECRETKEY = 'THIS_IS_YOUR_SECRET_KEY'

##### Function definitions
def get_auth_token(public_key, secret_key):
    """Gets an authentication token from Front Door using the Key authentication"""
    data = {"keyAccess": public_key, "keySecret": secret_key}
    resp = requests.post(FRONTDOOR_URL, headers={"Content-Type": "application/json"}, json=data)

    if resp.status_code == 200:
        return resp.headers['apptio-opentoken']
    else:
        raise ValueError("could not authenticate, got response: " + str(resp.status_code) + ": " + resp.json()["error"])

##### Code starts here

auth_token = get_auth_token(APIPUBLICKEY, APISECRETKEY)

##### Then I can use the auth_token for subsequent requests

Thanks, I use similar code to get a new token when it expires, but I was mainly interested in finding out if I could rely on something similar to a refresh token most of the time instead of the API keys.

Hello Joseph Berkovitz! - If I understand you correctly - you want a refresh token that you store and that automatically refreshes the auth token when it expires. I remember that BOX API had the same approach.

Is there a security concern or reason that you prefer to not just use the API Key and generate an auth_token for each access? 

Regards,

Sanjay Valiyaveettil

Sanjay,

I think there would be a slight security benefit, but it's not a major issue the way it's currently setup. The primary reason for asking about it was that I saw the renew_till response and was expecting that there would be some functionality to refresh the auth token.