Guidance re. Refresh Tokens

Guidance for applications with regard to dropping refresh tokens

This guidance is for the authors of Server-Side Web applications and Native applications that extract data from the Revolution Web API.

It concerns refresh tokens, and thus does not pertain to Batch applications, which aren’t issued with refresh tokens by the StatPro Revolution OAuth2 Server.

The guidance pertains to those Server-Side Web applications and Native applications that retain refresh tokens between application sessions, and by doing so don’t require a user to explicitly grant access to his/her data each time he/she uses the application.

If your application does not retain the refresh token between application sessions, and requires a user to grant access each time your application is used, then the guidance does not apply to you.

If your application does retain refresh tokens, it is StatPro’s recommendation that your application SHOULD:

  • advertise the fact that you are ‘remembering’ the user’s authorization (i.e. the previously granted access)
  • provide the ability to ‘forget’ the user’s authorization, so that you will have to prompt the user for access to his/her per-tenancy data next time.

A weak form of forgetting about the authorization is to simply delete the refresh token from your application’s storage.

A stronger form (which can and should be performed in addition to the weaker form) is to tell the StatPro Revolution OAuth2 Server to revoke the refresh token, using the token-revocation endpoint, so that it is also deleted from StatPro’s servers.
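The two-step ‘forget’ described above (strong form: revoke at the server; weak form: delete the local copy), as an added example that is not StatPro’s code. It assumes a hypothetical per-user TokenStore and a placeholder revocation endpoint URL, and takes the HTTP call as a parameter so the flow can be exercised offline.

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import urlencode
import urllib.request

# PLACEHOLDER: substitute the real token-revocation endpoint from StatPro's docs.
REVOCATION_ENDPOINT = "https://oauth.example.invalid/revoke"

@dataclass
class TokenStore:
    """Hypothetical per-user persistent store of refresh tokens (constructed)."""
    tokens: Dict[str, str] = field(default_factory=dict)

    def is_remembered(self, user_id: str) -> bool:
        # Drives the UI notice that the user's authorization is being remembered.
        return user_id in self.tokens

def revocation_body(refresh_token: str) -> bytes:
    """Form body of an RFC 7009 revocation request; the hint names the token type."""
    return urlencode({"token": refresh_token,
                      "token_type_hint": "refresh_token"}).encode()

def http_revoke(body: bytes, client_id: str, client_secret: str) -> bool:
    """Real transport: POST with HTTP Basic client authentication. RFC 7009
    servers answer 200 even for already-invalid tokens; urlopen raises otherwise."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        REVOCATION_ENDPOINT, data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status == 200

def forget_authorization(store: TokenStore, user_id: str,
                         revoke: Callable[[bytes], bool]) -> str:
    """Strong form first (revoke at the server), then the weak form (delete
    locally). The local copy goes even if revocation fails, so the app never
    keeps using a token the user asked it to forget; the return value lets the
    caller log a failed server-side revocation."""
    token = store.tokens.get(user_id)
    if token is None:
        return "not_remembered"
    try:
        revoked = revoke(revocation_body(token))
    except Exception:  # network error or non-200 from http_revoke
        revoked = False
    del store.tokens[user_id]  # weak form: always performed
    return "revoked" if revoked else "deleted_locally_only"
```

In production, pass `functools.partial(http_revoke, client_id=..., client_secret=...)` as `revoke`; a native app without a client secret authenticates to the endpoint however the OAuth2 Server's documentation specifies.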

Last updated: March 2019