AnsweredAssumed Answered

Refresh Token being exchanged when access token refresh is required

Question asked by bparkerlatitudegeo on Nov 15, 2019
Latest reply on Nov 18, 2019 by MBranscomb-esristaff

I've been troubleshooting an issue with OAuth token refresh issues in our app that started around the time we updated to 100.6.  The issue is manifesting as users needing to re-login every app launch.

 

Our app is using the OAuthAuthorizationCode grant type so we can retrieve a refresh token.

 

It appears that the runtime is making an "exchange_refresh_token" request instead of a standard "refresh_token" request when an access token has expired.  We haven't seen this behaviour prior to 100.6.  We have been caching the refresh token so our users would not need to login on every app restart, but with this change to "exchange_refresh_token" we no longer have a valid refresh token cached if the user is using an app longer then 30 minutes (access token length).  I cannot discover a way to detect when the refresh token is change.  The credentials object does have a PropertyChanged event, but this is not invoked when the refresh token changes, only when the access token changes.

 

This is a major breaking change for our app and I'd like to understand why the runtime is making an "exchange_token_refresh" request.  Was this introduced in 100.6?  If it was, was it to solve a specific issue or improve security?

 

 

Would someone be able to point me in the direction of how to detect when the refresh token is updated by the runtime?

Outcomes