Ah ok. In your case the behavior seems logical to me:

- Refresh token is not renewed at all because your setting is 'Re use'

- Expiration is set to '30 days'

- With every new access token, the refresh tokens remains equal to the 1st one

Because the access token is not renewed and expiration is set to '30 days', it makes sense in this case that after 30 days the refresh token is invalidated.

In my case, however, I set refresh token usage to 'One time'. With every new access token I also get a new refresh token (which should be valid for 30 days each in my opinion). After 30 days the newly received refresh token (which is created that same day) is invalidated within 1 hour, whereas I would expect that only the very first access token would be invalidated if it hadn't be used after 30 days. Other API's with oAuth I know all work that way.

@Visma?

Hi Sander,

Thank you for your reply. I'm afraid that changing that setting doesn't solve the issue.

We had the setting 'Refresh token usage' at 'Re use' a few months ago. In that case, the refresh token stays always the same and will expire after the amount of days set in 'the refresh token expiration is set to', which we experienced at that time. Changing it to 'One time' resulted in a new refresh token with each access token renewal. In my opinion these  unique refresh tokens should be valid until used or when the expiration interval has passed. That is the behavior we see with other API's we connect with.

Currently, a new refresh token is created/provided each time but the refresh token expires after the very first refresh token was created / user gave consent in oAuth flow.

Is this a bug in Visma or am I missing something?

Thank you!

Mathijs

Hi Mathijs, the refresh token lifetime is always based on initial codeflow. It determines how long you can use the app without having to log in again. One time use is only an additional layer of security. If every new refresh token would have its own expiration time, then you would effectively have an unlimited use in combination with the setting but will expire if not used in. 

You will find other examples of this practice, for example https://developer.okta.com/docs/guides/refresh-tokens/main/#:~:text=Note%3A%20When,user%20first%20au....

Let us know if this answers your question.

Hi Marten,

I understand but it's not quite ideal when connecting from a background application

and I haven't seen this behaviour in other API's.

But ok .. i set the expiration period to 180 days to minimize maintenance.

Thanks for your explanation.

Best regards,

Sander

Hey Sander,

You should use a service application instead of a web-application for this use case. Access to your app will be granted through the app store, and you won't have this problem.

This will let you authenticate using client_credentials with a tenant id instead.

> This will let you authenticate using client_credentials with a tenant id instead.

Only works if you can store the secret securely.

Otherwise you need to create one service application for each tenant.

Hi Adrian,

Thanks for you input. Unfortenately I can't keep a client secret secured, that why I use a native app.

Still think that the expiration period of a refresh token should be sliding since last use

instead compared to the first user consent.

Best regards,

Sander

Thx for the update Sander!