I am working on enabling customers to grant full access to an OAuth v2 app via Bitbucket. The Bitbucket admin is directed to a page where they can authorize the app to access their Bitbucket account on their behalf. However, during testing, I encountered an issue with the app’s refresh token.
It seems that the refresh token is only usable once and is not persistent for generating access tokens over time. This creates a potential instability, as any failure to properly store the refresh token—due to any reason (network, database, server crash etc) — results in the loss of access to the app for the user.
I want to avoid having customers approve the app more than once, as the platform is designed for the setup to occur only once. In some cases, the Bitbucket admin might not have further access to the platform later on, and they may not even be aware that there’s an issue with the refresh token.
Is anyone else experiencing this? Are there any solutions or best practices for ensuring persistent access without relying on a single-use refresh token? Any guidance would be greatly appreciated!