I am working with Spring 5 and Java 8 and creating a RESTful client that will log in to Coinbase and make trades for me at given times. I know there is an unsupported Java SDK for Coinbase out there, and I am looking into that code as well for clues.

I am using the Coinbase OAuth2 client in my Spring app, and it has been very successful so far. I make the authorization call with a callback URL. This opens up a dialog box and, if I am logged in, asks me to authorize My Coinbase Acct with MyApp, and I get an email indicating that this is done. If I am not logged into Coinbase already, then I get asked for my Coinbase username/password and then it is authorized; again I get an email that this is ok.

The next step I see is that my redirect URL is called with a code that is passed back with it. That code, as you all know, then allows me to request an access token. Which I can do, and yes, I get my access token. I can now make calls to the Coinbase API with that access token. However, this access token is only good for 7200 (seconds?), so for two hours? I want to be able to get an access token and have this automatically log in to Coinbase for me. I don't want to have to re-authorize every time I want to make a trade ... or do I have to?

It seems to me that the "code" that comes back from authorizing is very short lived, and I can use it immediately to get that access token.

So, for me the big question is ... for the Coinbase API, how can I keep myself authorized indefinitely? I want to be able to be authorized already, and then get an access token on a regular basis so I can make trades for myself? Is this even possible with the Coinbase API? Do I have to use Coinbase Pro for that ability, which I am fine with using? Is it even possible with Coinbase Pro?

I am a newbie with Coinbase as it's yet another third-party API that I have to learn the nuances of. I am not a newbie when it comes to writing Java code to access third-party RESTful APIs. So, any help would be much appreciated. Thanks!

tjholmes66
  • I believe you are missing the refresh_token, probably passed to you with the token itself. You can use it to extend the token lifetime. Google said that there is one: https://developers.coinbase.com/docs/wallet/coinbase-connect/access-and-refresh-tokens – Ivan Baranuk Nov 21 '19 at 12:37

1 Answer

I guess you are missing 'refresh token' in your application. What is the purpose of a "Refresh Token"?

It is hard to say how to implement it without code snippets, but here are some steps that should help:

  1. Take a look at the Coinbase article about refresh tokens that they provide: https://developers.coinbase.com/docs/wallet/coinbase-connect/access-and-refresh-tokens

  2. Obtain and save the refresh_token as well as the token after authorization

  3. Create a function that uses your refresh token to obtain a new pair (token, refresh_token). You can find a curl example in step (1)

  4. a. Make an ExceptionHandler that will call (3) if it gets a 401 (I guess it is 401 if the token has expired)

    b. Save 'expires_in' from step 2 and check it before each request. Call (3) if needed

Ivan Baranuk
  • This helps. After posting my question, I went back and read this documentation. Yes, Coinbase says the refresh_token is non-expiring (unless we expire it), so I am now storing the refresh_token in my database for this particular user. When a cron job runs my back-end code, it gets my refresh_token, and uses that to get a new access_token and refresh_token, and then I put that refresh_token back into the database to be used again. If the refresh_token doesn't work, then the user has to re-authorize and get a new token. Does that sound right? – tjholmes66 Nov 25 '19 at 18:08
  • I am assuming you are now requesting a new access_token (using the refresh_token) on each operation. It is workable. But I'd still suggest that you catch the Unauthorized exception / keep an eye on expires_in and request a new access_token once the old one has expired. – Ivan Baranuk Nov 26 '19 at 08:31
  • Btw, it is definitely not a requirement by any means. Just a good thing. I believe there should be some security holes against using the refresh token (and re-authorizing) on each request, but I can be wrong on that. – Ivan Baranuk Nov 26 '19 at 08:40
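
Steps 2 to 4 of the answer, together with the store-and-replace cycle described in the comments, as an added Java 8 example that is not code from either poster. `TokenManager`, `TokenPair`, `RefreshTokenStore` and `refreshCall` are hypothetical names, and the HTTP call that performs the refresh grant is supplied by the caller (here a constructed in-memory stand-in).

```java
import java.time.Instant;
import java.util.function.Function;

// Added example; every class, interface and method name here is hypothetical.
public class TokenManager {
    /** access_token, refresh_token and expires_in from the token response. */
    static final class TokenPair {
        final String accessToken, refreshToken;
        final long expiresIn;
        TokenPair(String a, String r, long e) { accessToken = a; refreshToken = r; expiresIn = e; }
    }
    /** Where the refresh token lives between runs (step 2), e.g. an encrypted DB column. */
    interface RefreshTokenStore { String load(); void save(String refreshToken); }
    private static final long SKEW_SECONDS = 60;            // refresh slightly early
    private final RefreshTokenStore store;
    private final Function<String, TokenPair> refreshCall;  // performs the refresh_token grant
    private String accessToken;
    private Instant expiresAt = Instant.EPOCH;
    TokenManager(RefreshTokenStore store, Function<String, TokenPair> refreshCall) {
        this.store = store;
        this.refreshCall = refreshCall;
    }
    /** Step 4b: check expiry before each request. */
    synchronized String accessToken() {
        if (accessToken == null || Instant.now().isAfter(expiresAt.minusSeconds(SKEW_SECONDS))) {
            forceRefresh();
        }
        return accessToken;
    }
    /** Step 3, also what a 401 handler (step 4a) calls; synchronized so a refresh token is presented once. */
    synchronized void forceRefresh() {
        TokenPair pair = refreshCall.apply(store.load());   // expected to throw if the token is rejected
        store.save(pair.refreshToken);                      // persist the new one before anything else
        accessToken = pair.accessToken;
        expiresAt = Instant.now().plusSeconds(pair.expiresIn);
    }
    public static void main(String[] args) {
        final String[] saved = {"refresh-0"};               // constructed in-memory store
        final int[] calls = {0};
        RefreshTokenStore store = new RefreshTokenStore() {
            public String load() { return saved[0]; }
            public void save(String t) { saved[0] = t; }
        };
        // Constructed stand-in for the HTTP call: issues a new pair valid for 7200 s.
        TokenManager tm = new TokenManager(store,
            rt -> new TokenPair("access-" + ++calls[0], "refresh-" + calls[0], 7200));
        System.out.println(tm.accessToken() + " " + tm.accessToken() + " " + saved[0]);
    }
}
```

The second `accessToken()` call reuses the cached token, so the refresh token is exchanged only when the access token is near expiry; if `refreshCall` throws, the stored refresh token is left untouched and the user has to re-authorize.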