We published a new announcement about this topic with the most recent information. Please head to "Updated: 31 January 2022 - Action required - Deprecating persistent refresh tokens" for more details.
Update (30 Nov, 2021): We’ve extended the deprecation period to January 31st, 2022. We’ll be shortly publishing docs and a new community thread with updated information on the change as discussed in this post.
Update (30 Sep, 2021): We’ve extended the deprecation period to November 30th, 2021 and have sent a reminder email to developers with impacted OAuth 2.0 integrations.
Update (6 Aug, 2021): We’ve heard your feedback and have extended the deprecation period to 1 November 2021.
We’re rolling out a breaking change for OAuth 2.0 integrations - formerly known as OAuth 2.0 (3LO) apps. This affects all OAuth 2.0 integrations that use the offline_access scope to enable refresh tokens.
We’re migrating away from the current persistent refresh token to rotating refresh tokens. These are single-use refresh tokens with a 30-day expiry time.
You’ll need to update your integrations to handle the additional fields returned with a new refresh token, and to persist the new refresh token on every refresh, since the one you just presented is no longer valid. Learn more about rotating refresh tokens.
OAuth 2.0 integrations that require the offline_access scope carry an increased risk around their access tokens: a persistent refresh token never expires and can request new access tokens indefinitely.
Rotating refresh tokens issue a new, limited-life refresh token each time they are used. This mechanism improves on a single persistent refresh token by shrinking the window in which a compromised refresh token can be used to obtain a valid access token.
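To make the client-side change concrete, here is an added example, written for this page in Python and not Atlassian's code, that simulates a token endpoint in both modes together with a client refresh routine, and runs the combination four ways. Only the single-use behaviour and the 30-day refresh-token expiry come from the announcement; the endpoint logic, the one-hour access-token lifetime, the response field names, and the TokenEndpoint, TokenStore, refresh_tokens and scenario names are assumptions for illustration.

```python
# Added example, not Atlassian's code: rotating vs persistent refresh tokens, run offline.
import secrets
from dataclasses import dataclass, field

REFRESH_TOKEN_TTL = 30 * 24 * 3600  # from the announcement: rotating tokens expire after 30 days
ACCESS_TOKEN_TTL = 3600             # assumed; the announcement does not state it


class TokenError(Exception):
    """Stands in for an HTTP 400 {"error": "invalid_grant"} from the token endpoint."""


@dataclass
class TokenEndpoint:
    """Toy authorization server (assumed behaviour). rotate=True models rotating
    refresh tokens, rotate=False the deprecated persistent refresh token."""
    rotate: bool = True
    now: float = 1_000_000.0  # simulated clock, advanced by the caller
    _live: dict = field(default_factory=dict)  # refresh token -> expiry (None = never)

    def _mint_refresh_token(self):
        rt = secrets.token_urlsafe(32)
        self._live[rt] = self.now + REFRESH_TOKEN_TTL if self.rotate else None
        return rt

    def _response(self, refresh_token=None):
        body = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "scope": "offline_access"}  # constructed
        if refresh_token is not None:
            body["refresh_token"] = refresh_token  # the field rotating clients must store
        return body

    def authorization_code_grant(self):
        """End of the 3LO flow with offline_access granted: the app's first token set."""
        return self._response(self._mint_refresh_token())

    def refresh_grant(self, refresh_token):
        """grant_type=refresh_token. Under rotation the presented token is consumed."""
        if refresh_token not in self._live:
            raise TokenError("invalid_grant: unknown, revoked or already-used refresh token")
        expires_at = self._live[refresh_token]
        if expires_at is not None and self.now >= expires_at:
            del self._live[refresh_token]
            raise TokenError("invalid_grant: refresh token expired")
        if not self.rotate:
            return self._response()  # persistent: same token stays valid, none returned
        del self._live[refresh_token]  # single use: replaying this token must now fail
        return self._response(self._mint_refresh_token())


@dataclass
class TokenStore:
    """What the integration persists per authorized user/site."""
    access_token: str
    refresh_token: str
    access_expires_at: float


def refresh_tokens(endpoint, store, persist_rotated=True):
    """Client-side refresh. persist_rotated=True is the correct behaviour: overwrite
    the stored refresh token whenever the response carries one, because under
    rotation the token just used is dead. persist_rotated=False reproduces legacy
    code written for persistent tokens that ignores the new refresh_token field."""
    body = endpoint.refresh_grant(store.refresh_token)
    store.access_token = body["access_token"]
    store.access_expires_at = endpoint.now + body["expires_in"]
    if persist_rotated and "refresh_token" in body:
        store.refresh_token = body["refresh_token"]
    return store


def scenario(rotate, persist_rotated):
    """Initial grant, refresh, a second refresh an hour later, then a third after a
    further 31 days. Returns (second_refresh_ok, refresh_after_31_days_ok)."""
    endpoint = TokenEndpoint(rotate=rotate)
    first = endpoint.authorization_code_grant()
    store = TokenStore(first["access_token"], first["refresh_token"],
                       endpoint.now + first["expires_in"])
    refresh_tokens(endpoint, store, persist_rotated)
    results = []
    for gap in (ACCESS_TOKEN_TTL, 31 * 24 * 3600):
        endpoint.now += gap
        try:
            refresh_tokens(endpoint, store, persist_rotated)
            results.append(True)
        except TokenError:
            results.append(False)  # no valid refresh token left: re-run the 3LO flow
    return tuple(results)


if __name__ == "__main__":
    for rotate in (False, True):
        for persist in (False, True):
            print(f"rotate={rotate!s:<5} persist_rotated={persist!s:<5} -> {scenario(rotate, persist)}")
```

Running it prints the four outcomes. With persistent tokens both client variants keep working indefinitely. With rotating tokens, only the client that stores the returned refresh_token survives the second refresh; the legacy client replays the consumed token and is refused. Even the correct client is refused 31 days after its last refresh, and because the old token was single use there is nothing left to retry with, so the integration has to send the user back through the authorization flow.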
First, consider whether your app really requires offline_access. If your app does need ongoing access, both the persistent and rotating methods will work during the deprecation window.
You can enable rotating refresh tokens from the developer console, like this:
- Select your integration in the developer console.
- Select Authorization.
- Select Use rotating refresh tokens from the refresh token options.
- Save your changes.
From Aug 4, 2021, persistent refresh tokens are deprecated. All new OAuth 2.0 integrations use rotating refresh tokens.
During the deprecation window you’ll be able to switch between both refresh token behaviors in the developer console.
From Jan 31, 2022, all OAuth 2.0 integrations must use rotating refresh tokens, and the refresh token options in the developer console are removed.