StatPro Revolution Web API
Authorization using OAuth2
Guidance for applications with respect to dropping refresh tokens
This guidance is for the authors of Server-Side Web applications and Native applications that extract data from the Revolution Web API.
It concerns refresh tokens, and thus does not pertain to Batch applications, which are not issued refresh tokens by the StatPro Revolution OAuth2 Server.
The guidance pertains to those Server-Side Web applications and Native applications that retain refresh tokens between application sessions, and by doing so don't require a user to explicitly grant access to his/her data each time he/she uses the application.
If your application does not retain the refresh token between application sessions, and requires a user to grant access each time your application is used, then the guidance does not apply to you.
If your application does retain refresh tokens, then because:-
- users won't be able to view and/or revoke their authorizations once the API Authorization Management website is terminated at the end of Q1 2019
- a new token-revocation facility has been added to the OAuth2 Server
it is now StatPro's recommendation that your application SHOULD:-
- advertise the fact that you are 'remembering' the user's authorization (i.e. the previously granted access)
- provide the ability to 'forget' the user's authorization, so that you will have to prompt the user for access to his/her per-tenancy data next time.
A weak form of forgetting about the authorization is to simply delete the refresh token from your application's storage.
A stronger form (which can and should be performed in addition to the weaker form) is to tell the StatPro Revolution OAuth2 Server to revoke the refresh token so that it is deleted from StatPro servers, using the token-revocation endpoint.
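The following is an added example (not StatPro's own code) of a 'forget authorization' routine that performs the strong form and then the weak form: it asks the OAuth2 Server to revoke the stored refresh token, then deletes the token from the application's own storage whether or not the server call succeeded, and reports both outcomes so the application can tell the user if the server-side revocation did not go through. It assumes the token-revocation endpoint follows the RFC 7009 request shape (POST with `token` and `token_type_hint`, HTTP Basic client authentication); the page does not give the endpoint URL, so REVOCATION_URL is a placeholder.

```python
import base64
import urllib.parse
import urllib.request

# Placeholder (assumed): the page does not state the revocation endpoint URL.
REVOCATION_URL = "https://<oauth2-server-host>/<revocation-path>"


def build_revocation_request(refresh_token, client_id, client_secret, url=REVOCATION_URL):
    """Build an RFC 7009-style revocation request for a refresh token.

    The refresh token goes in the form body (never in the URL, so it does
    not end up in proxy or server access logs), and the application
    authenticates with its client credentials via HTTP Basic.
    """
    body = urllib.parse.urlencode(
        {"token": refresh_token, "token_type_hint": "refresh_token"}
    ).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def forget_authorization(token_store, user_id, client_id, client_secret,
                         send=urllib.request.urlopen):
    """Strong form first (server-side revoke), then weak form (local delete).

    token_store is a mapping user_id -> refresh_token (e.g. a database row).
    send is injectable so the logic can be exercised without network access.
    Returns a dict saying whether a token was held and whether the server
    confirmed revocation; a False 'revoked' with had_token=True means the
    server may still hold a live token and the user should be told.
    """
    refresh_token = token_store.get(user_id)
    if refresh_token is None:
        return {"had_token": False, "revoked": False}
    revoked = False
    try:
        resp = send(build_revocation_request(refresh_token, client_id, client_secret))
        try:
            # RFC 7009: 200 means the token is now invalid (or already was).
            revoked = resp.status == 200
        finally:
            resp.close()
    except OSError:
        # urllib's URLError/HTTPError are OSErrors; treat as "not revoked".
        revoked = False
    # Weak form always runs: the application must not keep a token it
    # has promised the user to forget, even if the server call failed.
    del token_store[user_id]
    return {"had_token": True, "revoked": revoked}
```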
Last updated: October 2018