Refresh Token - App Authentication

Hello,

If we use a refresh token that lasts for 365 days to authenticate our app, and we request a new one, will the previous refresh token instantly be invalidated? Or will it stay valid until the 365th day is reached? I'm trying to establish a process for switching authentication tokens. Thanks.

Comments

  • Alex Wong

    @Lauren White
    It depends on how you want it. When POSTing to the token endpoint, you can specify whether you want to preserve the “existing” refresh token you have.

    https://developer.blackbaud.com/skyapi/docs/authorization/auth-code-flow/confidential-application/tutorial#refresh-access-token

  • @Alex Wong
    Yes, I've done that but we need to rotate the token. If I get a new one and ensure that it lasts for a year, will the old one (aka the one my app is using in production right now) instantly be invalidated?

  • Alex Wong

    @Lauren White

    The moment you refresh your token set and do not preserve your refresh token, you will get a new refresh token with a new expiration. The refresh token you used to get the new token/refresh token set is no longer valid. I just tried this, and you will get this error:

    {
        "error": "invalid_grant",
        "error_description": "The refresh token was not valid."
    }

    However, you can have multiple token/refresh token sets that are valid.

  • @Alex Wong
    Ah, that's what I suspected happens. Thanks. We keep one refresh token for our app to use for many months at a time, but want to rotate it before it expires at the year mark.

    Can you explain to me what you mean about having multiple token/refresh token sets that are valid? That sounds interesting.

  • Alex Wong

    @Lauren White
    Whichever way you got the first set of tokens (i.e. Postman), do the same to get another token/refresh token pair. This new pair is “distinct” from your others. When one token/refresh token set is refreshed, it is not going to affect or invalidate any of the other sets.
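The rotation behaviour described across this thread (a non-preserving refresh consumes the old refresh token immediately and returns `invalid_grant` on reuse, a preserving refresh keeps it, and separately issued sets are independent), put together as a runnable model with the rotation step an app would schedule ahead of the year mark. This is an added example, not code from the original post and not Blackbaud's implementation: the token endpoint here is an in-memory stand-in, `preserve_refresh_token` is an assumed parameter name for the "preserve the existing refresh token" option the thread mentions, and the 30-day margin and dates are constructed values.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional


class InvalidGrant(Exception):
    """Stand-in for the endpoint's {"error": "invalid_grant"} response."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    refresh_expires_at: datetime


class TokenEndpointModel:
    """Constructed in-memory model of the behaviour the thread describes.
    Not the real SKY API endpoint; it only reproduces the three rules:
    non-preserving refresh consumes the token, preserving refresh keeps it,
    and independently issued sets do not affect each other."""

    def __init__(self, clock: Callable[[], datetime],
                 refresh_lifetime: timedelta = timedelta(days=365)) -> None:
        self._clock = clock
        self._lifetime = refresh_lifetime
        self._live: Dict[str, datetime] = {}  # refresh token -> expiry

    def _issue(self, refresh_token: Optional[str] = None) -> TokenSet:
        if refresh_token is None:
            refresh_token = secrets.token_urlsafe(32)
            self._live[refresh_token] = self._clock() + self._lifetime
        return TokenSet(secrets.token_urlsafe(32), refresh_token,
                        self._live[refresh_token])

    def authorize(self) -> TokenSet:
        """One completed authorization-code flow yields one distinct set."""
        return self._issue()

    def refresh(self, refresh_token: str,
                preserve_refresh_token: bool = False) -> TokenSet:
        # preserve_refresh_token is an assumed parameter name (see lead-in).
        expiry = self._live.get(refresh_token)
        if expiry is None or expiry <= self._clock():
            raise InvalidGrant("The refresh token was not valid.")
        if preserve_refresh_token:
            return self._issue(refresh_token)  # same refresh token, same expiry
        del self._live[refresh_token]          # consumed the moment it is used
        return self._issue()


class TokenStore:
    """Wherever the app persists its current set (vault entry, DB row)."""
    def __init__(self, initial: TokenSet) -> None:
        self.current = initial


def rotate_if_due(endpoint: TokenEndpointModel, store: TokenStore,
                  now: datetime, margin: timedelta = timedelta(days=30)) -> bool:
    """Rotate ahead of expiry; returns True when a new set was stored.

    The old refresh token is dead the moment the refresh call succeeds, so
    the new set must be persisted before any other part of the app reads the
    store again. A crash between those two steps leaves no usable refresh
    token and forces a fresh authorization-code flow."""
    if store.current.refresh_expires_at - now > margin:
        return False
    new_set = endpoint.refresh(store.current.refresh_token)  # not preserved: new expiry
    store.current = new_set
    return True


def scenario() -> Dict[str, bool]:
    """Walks through the thread's three behaviours on a controllable clock."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed date
    clock = [t0]
    ep = TokenEndpointModel(lambda: clock[0])
    store = TokenStore(ep.authorize())
    other = ep.authorize()                 # a second, distinct set (e.g. via Postman)
    old = store.current.refresh_token

    preserved = ep.refresh(old, preserve_refresh_token=True)
    not_due = rotate_if_due(ep, store, clock[0])      # 365 days left: nothing to do

    clock[0] = t0 + timedelta(days=340)                # inside the 30-day margin
    rotated = rotate_if_due(ep, store, clock[0])
    try:
        ep.refresh(old)
        old_still_valid = True
    except InvalidGrant:
        old_still_valid = False
    other_rotated = ep.refresh(other.refresh_token)    # other set unaffected

    return {
        "preserve_keeps_refresh_token": preserved.refresh_token == old,
        "not_due_before_margin": not_due is False,
        "rotated_inside_margin": rotated,
        "old_token_invalid_after_rotation": not old_still_valid,
        "new_expiry_is_a_year_from_rotation":
            store.current.refresh_expires_at == clock[0] + timedelta(days=365),
        "other_set_unaffected": other_rotated.refresh_token != other.refresh_token,
    }


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check}: {ok}")
```

The `rotate_if_due` docstring is the practical takeaway for the process asked about: because the old refresh token is invalidated at the instant the new set is issued, the swap is a write-then-use ordering problem in the app, not a question of overlapping lifetimes. If a genuine overlap is needed for a staged rollout, the second answer's approach applies: obtain a second, independent set and cut over to it, then let the first one go unused.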