We are pleased to announce that Forge Remote Access to tokens anytime, is now in Preview.
Extending oAuth token life
We understand that there are various use cases that require communication with Atlassian APIs from a remote back end without relying on a user interaction or product event. For example, you might need to trigger actions based on webhooks from other systems or utilise your own external UI.
In order to solve this problem, we have no extended the oAuth access token max TTL from 1 hour to 4 hours. As usual, the exp claim in the payload represents the expiration time.
Developers can configure scheduled triggers to periodically deliver new access tokens with a longer expiry time of 4 hours. These tokens can then be cached for later use to authenticate requests with Atlassian APIs.
This is a very useful feature, but it seems that only appSystemToken can be refreshed this way. Is that correct?
Our Connect app heavily relies on user-impersonated access (appUserToken), and we won’t be able to move to Forge unless we can obtain user tokens without relying on a user interaction or product event.
Could you clarify if this is the result of RFC-34? Or, is that treated separately?
Developers can configure scheduled triggers to periodically deliver new access tokens with a longer expiry time of 4 hours. These tokens can then be cached for later use to authenticate requests with Atlassian APIs.
The above mitigates the issue of a remote not having access to Forge APIs at any time. However, if the remote does not have a cached access token for some reason, it still cannot get a new token on its own and has to wait for the subsequent scheduled trigger request. Is that correct, or do I miss something?
Thanks for the clarification, @rmassaioli. I may not speak for everyone here, but this solution seems fine to me. I appreciate its simplicity, considering the complicated flows in the RFC.