Authentication

When the User Sync Client is authenticated against the authentication server using the password grant type, the User Sync Client receives a refresh token and an access token. The refresh token is stored in the User Sync Client configuration with the

<RefreshToken>

parameter in the SDK settings.

Access tokens contain the information that is needed to access a resource directly. When a client passes an access token to a server that manages a resource, that server uses the information in the access token to determine if the client is authorized.

Refresh tokens contain the information to obtain a new access token. When an access token is needed to access a specific resource, a client can use a refresh token to obtain a new access token issued by the authentication server. Refresh tokens are used when a client attempts to gain access to a resource for the first time and when access tokens have expired.

Refresh tokens expire after 30 days. Refresh tokens have a sliding window lifetime of 15 days. After 30 days, the client must reauthenticate, regardless of the validity period of the most recent refresh token acquired by the application.

After a first run, the User Sync Client removes the username and password rows from the configuration and replaces them with a refresh token. During each subsequent run of the User Sync Client, the refresh token is used to obtain a new access token from the authentication server and to submit the User Sync Client payloads to the resource server.

If the refresh token expires, the User Sync Client uses the username and password to reestablish the refresh token and access token automatically. The User Sync Client will not be able to reestablish the refresh token and access token automatically if any of the following items are modified in the

BlackBerry AtHoc

management system: client ID, client secret, username, password, and organization code.