We published a new announcement about this topic with the most recent information. Please head to "Updated: 31 January 2022 - Action required - Deprecating persistent refresh tokens" for more details.
Update (30 Nov, 2021): We’ve extended the deprecation period to January 31st, 2022. We’ll be shortly publishing docs and a new community thread with updated information on the change as discussed in this post.
Update (30 Sep, 2021): We’ve extended the deprecation period to November 30th, 2021 and have sent a reminder email to developers with impacted OAuth 2.0 integrations.
Update (6 Aug, 2021): We’ve heard your feedback and have extended the deprecation period through to the 1st November 2021.
What is changing?
We’re rolling out a breaking change for OAuth 2.0 integrations - formerly known as OAuth 2.0 (3LO) apps. This affects all OAuth 2.0 integrations that use the offline_access scope to enable refresh tokens.
We’re migrating away from the current persistent refresh token to rotating refresh tokens. These are single use refresh tokens with a 30 day expiry time.
You’ll need to update your integrations to handle the additional fields returned with a new refresh token. Learn more about rotating refresh tokens.
Why is it changing?
OAuth 2.0 integrations that require the offline_access scope carry an increased risk around their access tokens. A persistent refresh token does not expire and is able to request new access tokens for a long period of time.
Rotating refresh tokens issue a new, limited life refresh token each time they are used. This mechanism improves on single persistent refresh tokens by reducing the period in which a refresh token can be compromised and used to obtain a valid access token.
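To make the difference concrete, here is an added illustration (not Atlassian's code) of both behaviours: an in-memory stand-in for a token endpoint that can run in the deprecated persistent mode or the new rotating mode, and the client-side refresh routine an integration needs so that the rotated token is persisted and the spent one is never reused. The endpoint class, the 3600-second access token lifetime and the use of only the standard RFC 6749 response fields (access_token, token_type, expires_in, refresh_token) are assumptions; the announcement does not name the extra fields a real response carries.

```python
import secrets
import time

REFRESH_TTL = 30 * 24 * 3600  # 30-day expiry of a rotating refresh token


class TokenEndpoint:
    """In-memory stand-in for the provider's token endpoint (assumption).

    rotating=False models the deprecated persistent behaviour: one refresh
    token, never expiring, reusable indefinitely.  rotating=True models the
    new behaviour: each refresh token works exactly once and its replacement
    comes back in the response.
    """

    def __init__(self, rotating=True, now=time.time):
        self.rotating, self.now = rotating, now
        self._valid = {}  # refresh_token -> expiry timestamp

    def issue(self):
        token = secrets.token_urlsafe(32)
        self._valid[token] = self.now() + REFRESH_TTL if self.rotating else float("inf")
        return token

    def refresh(self, refresh_token):
        """grant_type=refresh_token: standard RFC 6749 response fields."""
        if self.rotating:
            expiry = self._valid.pop(refresh_token, None)  # pop: single use
        else:
            expiry = self._valid.get(refresh_token)        # stays valid
        if expiry is None or expiry < self.now():
            return {"error": "invalid_grant"}
        resp = {"access_token": secrets.token_urlsafe(32),
                "token_type": "bearer", "expires_in": 3600}
        if self.rotating:
            resp["refresh_token"] = self.issue()  # the rotated replacement
        return resp


def refresh_access(endpoint, store):
    """Client side.  With rotation the new refresh_token must be persisted
    before anything else happens; a crash between the refresh and the save
    leaves the integration holding a spent token and forces re-authorization."""
    resp = endpoint.refresh(store["refresh_token"])
    if "error" in resp:
        return None  # spent or expired: re-run the 3LO authorization flow
    if "refresh_token" in resp:  # rotating mode: replace, never keep the old one
        store["refresh_token"] = resp["refresh_token"]
    return resp["access_token"]
```

Replaying a spent token in rotating mode returns invalid_grant, and a token left unused for 30 days expires, which is exactly the exposure window the announcement is shrinking.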
What do I need to do?
Firstly, consider if your app really requires offline_access. If your app requires ongoing access, you’ll be able to work with both the persistent and rotating methods during the deprecation window.
You can enable rotating refresh tokens from the developer console, like this:
- Select your integration in the developer console.
- Select Authorization.
- Select Use rotating refresh tokens from the refresh token options.
- Save your changes.
By when do I need to do it?
From Aug 4, 2021 persistent refresh tokens are deprecated. All new OAuth 2.0 integrations use rotating refresh tokens.
During the deprecation window you’ll be able to switch between both refresh token behaviors in the developer console.
From Jan 31, 2022 all OAuth 2.0 integrations must use rotating refresh tokens and the refresh token options in the developer console are removed.