Update: We’ve heard your feedback and have extended the deprecation period through to the 1st November 2021.
We’re rolling out a breaking change for OAuth 2.0 integrations - formerly known as OAuth 2.0 (3LO) apps. This affects all OAuth 2.0 integrations that use the offline_access scope to enable refresh tokens.
We’re migrating away from the current persistent refresh token to rotating refresh tokens. These are single-use refresh tokens with a 30-day expiry time.
You’ll need to update your integrations to handle the additional fields returned with a new refresh token. Learn more about rotating refresh tokens.
OAuth 2.0 integrations that require the offline_access scope have an increased risk when it comes to their access tokens. A persistent refresh token does not expire and is able to request new access tokens for a long period of time.
Rotating refresh tokens issue a new, limited life refresh token each time they are used. This mechanism improves on single persistent refresh tokens by reducing the period in which a refresh token can be compromised and used to obtain a valid access token.
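The single-use and 30-day behaviour described above, modelled as an added example (not Atlassian’s code): a stand-in token endpoint that consumes each refresh token on first use, and an integration-side client that persists the rotated token before anything else. The endpoint’s internals, the 1-hour access-token lifetime and the `invalid_grant` error are assumptions; the 30-day expiry comes from the announcement.

```python
import secrets

ROTATING_TTL = 30 * 24 * 3600  # each rotating refresh token expires after 30 days (as stated above)
ACCESS_TTL = 3600              # assumed access-token lifetime; the page does not give one

class TokenServer:
    """Assumed stand-in for the token endpoint: refresh tokens are single use."""

    def __init__(self, now=0.0):
        self.now = now       # clock, advanced by hand so expiry can be exercised
        self._live = {}      # refresh_token -> expiry timestamp

    def issue(self):
        rt = secrets.token_urlsafe(32)
        self._live[rt] = self.now + ROTATING_TTL
        return {"access_token": secrets.token_urlsafe(32),
                "expires_in": ACCESS_TTL, "refresh_token": rt}

    def refresh(self, refresh_token):
        expiry = self._live.pop(refresh_token, None)  # consumed on first use, valid or not
        if expiry is None or expiry <= self.now:
            raise PermissionError("invalid_grant")
        return self.issue()

class Client:
    """Integration side: the rotated refresh token must replace the stored one."""

    def __init__(self, token_endpoint, tokens, store):
        self.token_endpoint = token_endpoint  # callable; swap in the real HTTP call
        self.store = store                    # durable storage (e.g. a DB row), not memory only
        self.store["refresh_token"] = tokens["refresh_token"]
        self.access_token = tokens["access_token"]

    def refresh(self):
        resp = self.token_endpoint(self.store["refresh_token"])
        # Persist the new refresh token first: the old one is dead after this call,
        # and losing the new one forces the user through authorization again.
        self.store["refresh_token"] = resp["refresh_token"]
        self.access_token = resp["access_token"]
        return resp

def replay_rejected(server, refresh_token):
    """True if the server refuses a refresh token that was already used or has expired."""
    try:
        server.refresh(refresh_token)
    except PermissionError:
        return True
    return False
```

With a persistent refresh token the stale copy would keep working indefinitely; here the same copy is refused on its second use, and an unused token is refused once 30 days have passed.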
Firstly, consider if your app really requires offline_access. If your app requires ongoing access you’ll be able to work with both the persistent and rotating methods during the deprecation window.
You can enable rotating refresh tokens from the developer console, like this:
- Select your integration in the developer console.
- Select Authorization.
- Select Use rotating refresh tokens from the refresh token options.
- Save your changes.
From Aug 4, 2021 persistent refresh tokens are deprecated. All new OAuth 2.0 integrations use rotating refresh tokens.
During the deprecation window you’ll be able to switch between both refresh token behaviors in the developer console.
From Nov 1, 2021 all OAuth 2.0 integrations must use rotating refresh tokens and the refresh token options in the developer console are removed.