OAuth access token / refresh token behaviour

I’m writing an Alexa Skill that integrates into Jira via Account Linking, which uses OAuth 2.0.

The integration works great, and the Alexa ecosystem does a great job of managing the Account Linking and initial access token request from:

https://auth.atlassian.com/authorize?audience=api.atlassian.com&prompt=consent

However, that token expires (after 20 to 30 minutes?) and the Alexa skill does not refresh the token. I have this URL configured in Alexa as the refresh URL:

https://auth.atlassian.com/oauth/token

Is it possible to confirm that the refresh endpoint meets the specification required by Alexa:

https://developer.amazon.com/en-US/docs/alexa/account-linking/requirements-account-linking.html#access-token-uri-requirements

I’ve also seen mention of an “offline_access” scope. What is this, and where is it documented?

Thank you in advance for your help!

1 Like

I’ve just answered my own question (again)!

From:

https://developer.atlassian.com/cloud/jira/service-desk/oauth-2-authorization-code-grants-3lo-for-apps/

A refresh token can be returned with the access token in your initial authorization flow. To do this, add the offline_access scope to the scope parameter of the authorization URL.

2 Likes
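The fix quoted in the answer above, as an added example that is not part of the original posts or Atlassian's code: it checks whether an authorization URL requests `offline_access`, adds it when missing, and lists the RFC 6749 refresh-grant fields sent to the token URL. The scope `read:jira-work` and all credential values are constructed sample inputs, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Both URLs are taken from the thread above.
AUTHORIZE_URL = "https://auth.atlassian.com/authorize?audience=api.atlassian.com&prompt=consent"
TOKEN_URL = "https://auth.atlassian.com/oauth/token"


def scope_of(authorize_url):
    """Return the list of scopes requested by an authorization URL."""
    query = parse_qsl(urlsplit(authorize_url).query)
    return " ".join(v for k, v in query if k == "scope").split()


def has_refresh_scope(authorize_url):
    """True if the URL asks for offline_access, i.e. a refresh token."""
    return "offline_access" in scope_of(authorize_url)


def with_offline_access(authorize_url, scopes=()):
    """Return the URL with `scopes` and offline_access merged into `scope`."""
    parts = urlsplit(authorize_url)
    wanted = []
    for s in scope_of(authorize_url) + list(scopes) + ["offline_access"]:
        if s not in wanted:  # keep order, drop duplicates
            wanted.append(s)
    # Keep every other parameter (audience, prompt, ...) untouched.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "scope"]
    params.append(("scope", " ".join(wanted)))
    return urlunsplit(parts._replace(query=urlencode(params)))


def refresh_request(client_id, client_secret, refresh_token):
    """Fields of the refresh_token grant (RFC 6749 section 6) for TOKEN_URL.

    Assumption: client credentials travel in the request body; the secret
    and the refresh token are long-lived credentials and stay server-side.
    """
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }


if __name__ == "__main__":
    fixed = with_offline_access(AUTHORIZE_URL, ["read:jira-work"])  # sample scope
    print(has_refresh_scope(AUTHORIZE_URL), has_refresh_scope(fixed))
    print(fixed)
```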