Expired refresh token will now require full re-authorisation??
We are in ongoing contact with support over the use of refresh tokens to obtain fresh access/refresh tokens, under the new regime. We have been advised that if a refresh token is not used, it will expire after a week (same as before) BUT a full re-authorisation will be required. This can only be done by an admin user, who may not be readily available. Our clients will not wish to give all our users an admin role.
We have many users of our app who run monthly reports, and have NEVER had to re-authorise. The refresh token just gets new tokens, which are stored, and life goes on.
Have we missed something? Has anyone else had the same experience?
API support have now replied as follows:
"Refresh tokens have a limited lifetime. If a refresh token expires, you cannot refresh silently anymore, at that point you must go back through the interactive consent step to get a new authorisation code and new tokens."
Some workarounds (that require us to research and develop) were suggested to keep the refresh token alive before the 7-day expiry.
Saying "you cannot refresh silently anymore" confirms to me that this used to be possible. Clearly it is no longer possible (which is going to cause our non-admin users grief), but there has been no statement about that in the documentation about these changes. Seems to me it was/is a pretty important change.
I'm marking this as a solution, which it isn't.
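
One way a scheduled job could keep stored refresh tokens alive before the 7-day expiry described above. This is an added example, not part of the original post and not the API vendor's code. The `refresh` callable, the 5-day rotation margin and the dictionary-backed store are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# From the thread: an unused refresh token expires after 7 days.
REFRESH_TTL = timedelta(days=7)
# Assumed safety margin: rotate once a token has been idle for 5 days.
ROTATE_AFTER = timedelta(days=5)

@dataclass
class TokenRecord:
    tenant: str
    refresh_token: str
    issued_at: datetime  # UTC time this refresh token was issued

def classify(rec, now):
    """Return 'ok', 'rotate' or 'reauthorise' for one stored token."""
    age = now - rec.issued_at
    if age >= REFRESH_TTL:
        return "reauthorise"  # silent refresh is no longer possible
    if age >= ROTATE_AFTER:
        return "rotate"
    return "ok"

def keepalive(store, refresh, now):
    """Run from a daily scheduled job. `store` maps tenant -> TokenRecord.
    `refresh` is a hypothetical callable wrapping the provider's token
    endpoint: it takes the old refresh token and returns the new one,
    raising on failure. Returns tenants that need an admin to re-consent."""
    needs_admin = []
    for tenant, rec in list(store.items()):
        state = classify(rec, now)
        if state == "reauthorise":
            needs_admin.append(tenant)
        elif state == "rotate":
            try:
                new_token = refresh(rec.refresh_token)
            except Exception:
                # Keep the old record so the next run retries.
                continue
            # Persist the rotated token before anything else uses it.
            store[tenant] = TokenRecord(tenant, new_token, now)
    return needs_admin
```

The returned list is what to alert on: those tenants can only be recovered through the interactive consent step by an admin.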