I understand OAuth2.0 apps will not be able to enable or generate persistent refresh tokens after 2021-11-01. Will existing persistent refresh tokens generated before 2021-11-01 continue to work as persistent refresh tokens after the 2021-11-01 cutoff date? If not, when will their new expiration date be (immediate, 2021-12-01, ?)?
I was able to find these references:
Based on what those two describe, my assumption is that persistent refresh tokens will convert into rotating refresh tokens, but it feels important to confirm the details around this.
Based on my own testing, my assumption is:
- Existing persistent refresh tokens generated before 2021-11-01 will not continue to work as persistent refresh tokens after 2021-11-01.
- Existing persistent refresh tokens generated before 2021-11-01 will expire immediately on 2021-11-01.
These observations were made from testing what happens when I flip the persistent/rotating toggle back and forth in the OAuth config UI while trying various OAuth and API operations. I of course can’t know for sure if this exact behavior will be mirrored at the 2021-11-01 transition point.
We work with a lot of partners who configure their own OAuth apps. I have been disappointed to discover how much of our knowledge, guidance, and preparation around this transition has been left up to guesswork.