List all authorized apps?

Hi InfusionSoft Friends,

I just created an app and used the client_id to authorize against an IS instance.
How do I see a list of all authorized apps for an IS instance and their permissions?
Additionally, from the app POV, how do I see a list of all the IS instances that the app is authorized with?

Thank you

Don’t know of a way that you can. If you have more than one app authorized through your dev account then it would be far more advisable to manage this in a database since you would have to manage refreshing tokens anyway.

Hey John, so if we want to unauthorize a previously authorized app, there is no way to do that?

I’ll have to check. But I don’t think there is an “unauthorized” since the access key is only good for 24 hours; just letting it expire amounts to the same thing because the user would have to give permission in order to re-authorize.

I’m not clear on what you are asking here; when a user authorizes a partner app against an Infusionsoft Application, the app is sent an Access Token and Refresh Token in the redirect response and is expected to persist them. Those tokens allow a connection to the Infusionsoft Application that they were generated for; they are not a general-purpose user identifier.

Your flow should look something like this:

  1. User creates an account on your app.
  2. User clicks a button that redirects to Infusionsoft.
  3. User chooses the Infusionsoft Application they would like to link.
  4. User is redirected back to your app with the tokens.
  5. You persist those tokens alongside your local user account.
  6. You use that token to get information about the Infusionsoft Application in question.

The list of Infusionsoft Applications that the user has authorized would be the list of tokens that you have persisted for that user.

Hey @TomScott, I guess I am looking for something similar to what Facebook and Google are doing with the authorized apps on your account. Example would be this

and this where you can unauthorize manually from the UI.

Now @John_Borelli, I am a bit confused by the “re-authorize after 24 hours” comment. My understanding is that you’d authorize (give an app permissions) only once using the redirect or the pop-up, and after that point you’d only refresh the access token moving forward with the methods of an SDK using the refresh token every 24 hours.

Would that be a correct assumption or is the re-authorization with the UI redirect and the drop-down required all the time?

The intent for the app I’m registering is to be used by an AWS Lambda function that won’t be able to handle UI redirects, just programmatic token refresh.

That’s correct, refresh. Re-authorizing would be if the token was allowed to expire, and with refreshing you do not need human intervention any longer. But since the question was about de-authorizing, maybe the wording got crossed. Still, let it run its course without refreshing and you no longer have a valid token.

We do actually have a similar interface that displays the list of authorized applications, although I don’t have any on my personal account to illustrate. It is located in Account Central on the detail modal for a given Infusionsoft Application under the Connected Apps header.


However, this is not something we expose via the API, and we generally do not have granular scopes on authorizations.

For Refresh Tokens, if you rotate as a cron job every six hours or so, you will always have a recent Token with a wide margin for maintaining the authentication.

2 Likes

@TomScott yes that is exactly what I was looking for, thank you :slight_smile: It would be cool if there is a similar view from the custom app’s perspective in the dev portal to see which IS instances are connected, but this does the trick for now.

One last question (kinda related). If I understand correctly, you are saying that if the access token is left to expire, re-authorization will be needed so in order to not let that happen a cron would be needed to keep the access token always fresh?

I’m sorry, I just checked with our auth developer @bradb and I got the times wrong:

Access Tokens are now a 24 hour expiration, Refresh Tokens are set to expire after six months. The rotation would still be required via cron or triggered by a user login or somesuch, but not frequently.

2 Likes
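The persist-and-rotate pattern described in the replies above, as an added example that is not part of the original thread and not Infusionsoft's own code. It assumes a refresh returns a new access/refresh pair; `refresh_fn`, the table layout, and the six-hour margin are hypothetical choices for illustration.

```python
import sqlite3

ACCESS_TTL = 24 * 3600     # access token lifetime stated in the thread
ROTATE_MARGIN = 6 * 3600   # assumption: rotate once less than 6 h remain

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS connection (
        local_user TEXT, is_app TEXT, access_token TEXT,
        refresh_token TEXT, expires_at REAL,
        PRIMARY KEY (local_user, is_app))""")
    return db

def save_tokens(db, local_user, is_app, access, refresh, now):
    # One row per (local user, Infusionsoft Application); a new pair
    # replaces the old one in a single transaction.
    with db:
        db.execute("INSERT OR REPLACE INTO connection VALUES (?,?,?,?,?)",
                   (local_user, is_app, access, refresh, now + ACCESS_TTL))

def connected_apps(db, local_user):
    # The "authorized instances" list is whatever this app has persisted.
    rows = db.execute("SELECT is_app FROM connection WHERE local_user = ? "
                      "ORDER BY is_app", (local_user,))
    return [r[0] for r in rows]

def rotate_due(db, refresh_fn, now):
    """Scheduled job: refresh every pair that is close to expiry.

    refresh_fn(refresh_token) -> (access, refresh) is a hypothetical hook
    for the HTTPS call to the token endpoint; it raises PermissionError
    when the refresh token is rejected (expired or access removed).
    """
    due = db.execute("SELECT local_user, is_app, refresh_token FROM connection "
                     "WHERE expires_at - ? < ? ORDER BY local_user, is_app",
                     (now, ROTATE_MARGIN)).fetchall()
    rotated, needs_reauth = [], []
    for user, app, old_refresh in due:
        try:
            access, refresh = refresh_fn(old_refresh)
        except PermissionError:
            # Dead token: drop it so it is never retried or left at rest.
            with db:
                db.execute("DELETE FROM connection WHERE local_user = ? "
                           "AND is_app = ?", (user, app))
            needs_reauth.append((user, app))
            continue
        save_tokens(db, user, app, access, refresh, now)
        rotated.append((user, app))
    return rotated, needs_reauth
```

Connections returned in `needs_reauth` have to go through the browser redirect again, so a headless job should alert on them rather than retry.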

Thank you @TomScott and @John_Borelli for your answers.

I also just stumbled upon this: Making OAuth Requests Without User Authorization - Keap Developer Portal, talking about keeping the access token fresh.

So there is no way to get the list of Infusionsoft authorized applications?

Not via an exposed API, no.

1 Like

Hi Tom,

I was wondering if you could kindly help with my question, perhaps? Thank you!

Good evening @Federica_Zampieron!

If you have a question, feel free to post a new thread with the details, and we’ll do what we can to help. :slight_smile: