OAuth 2.0 Token Management

Beyond implementing the screens and business logic of your application, you must include code to interact with the Infor Authorization Server (AS) to obtain a valid token that allows you to make calls to your selected APIs via API Gateway.

The diagram below shows the sequence of calls that happens back and forth between the authorization server, the mobile application, and API Gateway.

The authorization sequence begins when the application launches the sign-in process. The application loads an authorization page in the browser or within the application (based on your preference); the URL includes query parameters that indicate the type of access being requested. The result is an authorization code, which the application can exchange for an access token and a refresh token.

By default, access tokens have limited lifetimes (currently about two hours). If your application needs access to an API Gateway beyond the lifetime of a single access token, it can obtain a refresh token. A refresh token allows your application to obtain new access tokens. The application should store the refresh token for future use and use the access token to access an API Gateway. Once the access token expires, the application uses the refresh token to obtain a new one.
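
The refresh step described above, sketched as an added example (not Infor's own code): a small token manager that returns the cached access token until shortly before it expires, then performs the standard OAuth 2.0 `refresh_token` grant. The token endpoint URL, the `TokenManager` and `ReauthRequired` names, the injected `post` transport, and sending `client_id` as a public client are assumptions for illustration.

```python
import time
from urllib.parse import urlencode

# Placeholder: the real token endpoint comes from your authorization server's configuration.
TOKEN_URL = "https://as.example.invalid/token"

class ReauthRequired(Exception):
    """The refresh token is missing or was rejected; the user must sign in again."""

class TokenManager:
    def __init__(self, client_id, tokens, post, clock=time.time, skew=60):
        self.client_id = client_id
        self.post = post      # hypothetical transport: callable(url, form_body) -> (status, dict)
        self.clock = clock
        self.skew = skew      # refresh slightly early so a call never carries a token about to expire
        self.refresh_token = None
        self._store(tokens)

    def _store(self, tokens):
        self.access_token = tokens["access_token"]
        self.expires_at = self.clock() + int(tokens["expires_in"])
        # Keep the current refresh token unless the server issued a new one (rotation).
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)

    def get_access_token(self):
        if self.access_token and self.clock() < self.expires_at - self.skew:
            return self.access_token
        if not self.refresh_token:
            raise ReauthRequired("no_refresh_token")
        body = urlencode({
            "grant_type": "refresh_token",      # RFC 6749, section 6
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,        # assumption: public client without a secret
        })
        status, payload = self.post(TOKEN_URL, body)
        if status != 200:
            # e.g. invalid_grant: the refresh token expired or was revoked.
            # Drop both tokens so they are never reused, and force a new sign-in.
            self.access_token = self.refresh_token = None
            raise ReauthRequired(payload.get("error", "token_refresh_failed"))
        self._store(payload)
        return self.access_token
```

On a device, persist the refresh token in the platform's protected credential storage rather than in plain application preferences or logs.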
