
Cannot get multiple refresh tokens per browser session

by Véronique

Hello,

 

We are migrating from VNI to Visma Connect Authentication. In our product, a user needs to log in to Visma.net so we can save a token in the database that we can then use to make calls to the Visma.net API while the user is offline.

We have a problem when the user sets up multiple configurations in our app, with each configuration targeting a different tenant. With VNI, we used to store for each configuration the token along with the company ID. With Visma Connect, here is what we observe:

  • User creates configuration #1 in our app.
  • User logs in to Visma and selects company #1.
  • We save the access token and refresh token for configuration #1.
    • Access token has the following payload:
      "tenant_id": "c3704d0c-21cc-11e9-b307-0aa512338dd6",
      "sid": "7c583778-90fb-8b76-849a-a2f43b4cd78a"
  • While still in the same browser session, without logging out from Visma, user creates configuration #2.
  • User opens the login page of Visma and selects company #2.
    • Access token has the following payload (same sid as first token):
      "tenant_id": "f11e02fc-8609-11ea-973a-0ac295605980",
      "sid": "7c583778-90fb-8b76-849a-a2f43b4cd78a"
    • There is only one access token visible in account settings page.

=> From that point on, the refresh token for configuration #1 cannot be used anymore; we get back an invalid_grant response when trying to obtain a new access token.

 

Changing the application settings so a refresh token can be re-used does not solve the problem. Refresh tokens per user is set to 5. The only way to make our product usable is to ask our users to log out from Visma before they set up a new configuration, or create the new configuration in a separate browser.

Is it by design that when a refresh token is created all the refresh tokens created during the same session are revoked? What can we do to solve this issue?

 

Thank you for your help.
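A diagnostic for the pattern reported in the post above, as an added example that is not part of the original post and is not Visma code: it decodes the payload of each stored access token (for inspection only, without verifying the signature) and reports every `sid` that is shared by configurations with different `tenant_id` values. The claim names and the first two claim values come from the post; the configuration names, the third token and the helper functions are constructed for illustration.

```python
import base64
import json
from collections import defaultdict


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def shared_sessions(stored: dict) -> dict:
    """Return {sid: {config: tenant_id}} for sids spanning several tenants."""
    by_sid = defaultdict(dict)
    for config, token in stored.items():
        claims = jwt_claims(token)
        by_sid[claims["sid"]][config] = claims["tenant_id"]
    return {sid: cfgs for sid, cfgs in by_sid.items()
            if len(set(cfgs.values())) > 1}


def make_sample_token(tenant_id: str, sid: str) -> str:
    """Build an unsigned, JWT-shaped string (constructed sample data)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}),
                     enc({"tenant_id": tenant_id, "sid": sid}),
                     "constructed"])


SID = "7c583778-90fb-8b76-849a-a2f43b4cd78a"       # sid from the post
TENANT_1 = "c3704d0c-21cc-11e9-b307-0aa512338dd6"  # tenant_id from the post
TENANT_2 = "f11e02fc-8609-11ea-973a-0ac295605980"  # tenant_id from the post
STORED = {  # hypothetical per-configuration token store
    "configuration-1": make_sample_token(TENANT_1, SID),
    "configuration-2": make_sample_token(TENANT_2, SID),
    # Constructed: a token obtained in a separate browser session.
    "configuration-3": make_sample_token(
        "00000000-0000-0000-0000-000000000003",
        "00000000-0000-0000-0000-0000000000aa"),
}

if __name__ == "__main__":
    for sid, cfgs in shared_sessions(STORED).items():
        print(f"sid {sid} is shared across tenants:")
        for config, tenant in cfgs.items():
            print(f"  {config}: tenant_id={tenant}")
```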

Accepted solution
Yıldırım
VISMA

by Yıldırım

Hello Véronique, we'll inform the platform team to clarify these details for you.