Lifespan of existing OAuth2.0 persistent refresh tokens created before 2021-11-01

I understand OAuth2.0 apps will not be able to enable or generate persistent refresh tokens after 2021-11-01. Will existing persistent refresh tokens generated before 2021-11-01 continue to work as persistent refresh tokens after the 2021-11-01 cutoff date? If not, when will their new expiration date be (immediate, 2021-12-01, ?)?

I was able to find these references:

Based on what those two describe, my assumption is that persistent refresh tokens will convert into rotating refresh tokens, but it feels important to confirm the details around this.

Thanks

1 Like

Based on my own testing, my assumption is:

  • Existing persistent refresh tokens generated before 2021-11-01 will not continue to work as persistent refresh tokens after 2021-11-01.
  • Existing persistent refresh tokens generated before 2021-11-01 will expire immediately on 2021-11-01.

These observations were made from testing what happens when I flip the persistent/rotating toggle back and forth in the OAuth config UI while trying various OAuth and API operations. I of course can’t know for sure if this exact behavior will be mirrored at the 2021-11-01 transition point.

We work with a lot of partners who configure their own OAuth apps. I have been disappointed to discover how much of our knowledge, guidance, and preparation around this transition has been left up to guesswork.