API request to re-authenticate with Infusionsoft application?

Hello,

I was working on connecting infusionsoft API from my app through OAuth. It was prompt to enter my infusionsoft account details. After login, I authorized my application to have access to the Infusionsoft account and able to retrieve the access token from Infusionsoft API.

However, one thing I noticed that the account will stay logged in all the time. I wonder is there an API call that I can use to logout from Infusionsoft Application after making the authorisation request?

I noticed that there is a link about this: https://developers.infusionsoft.com/docs/infusionsoft-login/reauthentication/ but it is not longer working. I am not too sure what is going on.

I would like to have more ideas or hints on how other developers approach this problem.

Cheers,
Lynn

Your login is separate from the api authorization itself. It’s active when you login to IS or when you auth a token etc. It really doesn’t apply to the auth process except that someone that has login access must be the one to authorize the api tokens.

Hi John,

Is there any way that I can either force reauthenticate when redirecting to https://signin.infusionsoft.com/app/oauth/authorize all the time?

Or I need to call this https://accounts.infusionsoft.com/j_spring_security_logout manually to logout the application after authorizing the user’s account to access their infusionsoft data in my app.

So are we talking about the ‘login’ or the access key? The access key is only valid for 24 hours unless a refresh is called for it. I never worried about it for that reason, however, if another access key using the same credentials is authed by code then the previous access key immediately becomes invalid. So discard the new key into thin air (don’t store it and clear memory) and the old one would be invalidated and the new one will be unknown to anyone.

No, I am asking about logout from infusionsoft account after the user authorised with the app.

What I was asking is this:

  1. Is there any REST API I can call to logout from the infusionsoft account after authorisation is completed?
  2. If yes, what is the REST API endpoint that calls the logout functionality?
  3. If no, how can I force the user to logout after authorisation is completed?
  4. OR, is there any way I can provide something like auth_type=reauthenticate in my sign in URL while authorising the infusionsoft account?

Still unclear. When the authorization completes, the page closes and returns to the caller. So by logout, are you referring to the validity of the tokens? Because there isn’t anything to logout of once the process completes.

Hi John,

No I am not referring to the validity of tokens. I am referring to this link: https://accounts.infusionsoft.com/j_spring_security_logout

I wonder is there a REST API call that I can call to logout a given user from application. Sounds like the answer is ‘no’ to me.

There is no rest call to terminate your session with CAS (our single sign in solution). Like @John_Borelli is saying the system are separate. Our SSO session is good for 3 days, unless you manually logout either through Account Central, Keap, or Infusionsoft by Keap. https://signin.infusionsoft.com/logout is the url that will initiate a logout of the SSO system. I would not use this in code though. It is not a publicly supported url (meaning we can change it at anytime).

Ok. Now that make sense. Thanks for the reply!

One last question, in terms of manually logout, are you saying we need manually logout by calling this link (see: https://accounts.infusionsoft.com/j_spring_security_logout)? Or you are expecting the user to manually logout the system by clicking the logout link in the Account Central?

The system we call Account Central (accounts.infusionsoft.com) actually has a 15 min timeout. However if they have a valid SSO cookie they can be relogged in automatically if they go back, but you will see a couple redirects in the browser to accomplish this. I as far as manually logging out the user has a few different places they can click a logout link, but I would refrain from calling https://accounts.infusionsoft.com/j_spring_security_logout or https://signin.infusionsoft.com/logout from some sort of http client, mainly because if your system is the one making the request it wouldn’t logout the user anyhow since you don’t have access to their session. Hope that makes sense.

1 Like

If that’s the case, is there any way we can force the user to re-authenticate during authorisation when clicking the sign in link?

Is there something like auth_type=reauthenticate as part of the URL parameters in https://signin.infusionsoft.com/app/oauth/authorize link?

It used to have a documentation (see link) talks about reauthentication (see link: https://developers.infusionsoft.com/docs/infusionsoft-login/reauthentication/) apparently this document has been removed.

There is not, what is the use case for this? Why would you being trying to control our authentication system? (more of a question of curiosity).

Okay, well we have a scenario to handle over here. Probably you can provide some advice on how to handle this situation.

We have two users, user A and B, and they both have their own infusionsoft account.

Let say user A signed in an app and authorise an app to access their infusionsoft account data, user A logout an app, and then user B login an app, and wants to authorise the app to access infusionsoft account data. Since user A has signed in infusionsoft previously (session still valid), it will not prompt user to login to infusionsoft and show authorisation consent screen of user account A.

However, user account A and user account B has no relationship between each other in infusionsoft and they both want to authorise the app to access their infusionsoft data.

That should only happen if User A and User B are on the same machine in the same browser. User A and User B have completely different session cookies on our side.

Yes. User A and B are on the same machine and same browser, however user B navigate to the authorise url from the app it will still remember user A has logged in previously, thus user B does not need to login and show consent screen of user A account.

This is something we would like to avoid happening. Hope that makes sense!

Seems really bad to have two different Keap accounts being accessed on the same machine by different users, but now it makes sense why you want to force a logout.

Yes!!!

That’s the problem I have encountered.
Do you have any advice on how to handle this kind of situation?

Besides not sharing a machine, there is a not a reliable way to even hack it together. Calling something like this https://signin.infusionsoft.com/logout?service=https%3A%2F%2Faccounts.infusionsoft.com%2Fapp%2Foauth%2Fauthorize%3Fresponse_type%3Dcode%26redirect_uri%3Dhttp%3A%2F%2Fwww.google.com%26client_id%3D123 Will work, but it is not officially supported and can break at any given time. I am hesitant to even post this :slight_smile:

replace your redirect_uri and client_id to yours.

Ouch! Okay, I will give it a try then! Thanks!