kirank asked

OAuth 2.0: Refresh token

Hi,

This question has been asked before. Can we please have a refresh token in the OAuth flow?

Here are the reasons we need it:

1. A refresh token is to keep merchants' operations smooth.

2. Clover has newly introduced Ecommerce APIs. It's difficult to make use of those at enterprise grade without automatic renewal of the access code.

3. Specifically, imagine a single merchant forgetting to manually renew the OAuth of an app, and that app's backend is using Ecommerce APIs to accept payments (Developer Pay replacement); then that single merchant will lose his business.


OAuth

David Marginian Deactivated answered

Yes, I would like to see us supporting refresh tokens as well. We do have an internal issue to support this but I cannot provide you with an ETA.

For #3, your application can work around this. For example, when the merchant logs in to your application, you can make a simple REST call and if you receive a 401 you can redirect the merchant through the OAuth flow again. I understand this isn't ideal but it avoids the merchant from having to lose business as you suggested and it isn't terribly difficult to implement.

4 comments

kirank commented ·

@David Marginian - Thanks much. Just adding more +1s for the refresh token request.

For #3, yes, it's a potentially doable workaround, but it has many edge conditions. For example, this assumes the merchant (specifically the owner) logs into the app every day. In our usage the owner logs in occasionally, perhaps a few times a week.


Please note that loss of business was restricted before as apps could do less in bulk before the ecommerce API. With E Commerce API being enabled, it allows easy subscription models. You can imagine it exposes more areas where this becomes a problem.

We looked at many OAuth providers. Everyone provides a refresh_token.


1 Like 1 ·
David Marginian ♦♦ kirank commented ·

Unfortunately, the only way around this is to securely store the token (which was an assumption of my previous post).

0 Likes 0 ·
mac-s-g commented ·

Thanks for the answer. Is there any way to track development status on this?

0 Likes 0 ·
David Marginian ♦♦ mac-s-g commented ·

No, there is not. I am watching the issue and haven't seen a lot of movement.

0 Likes 0 ·
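
The login-time check described in David Marginian's answer above, sketched as an added example (not part of the original thread and not Clover's code): one cheap authenticated request, and only an HTTP 401 sends the merchant back through authorization. Both URLs are placeholders, and `state` is the standard OAuth 2.0 parameter, assumed here to be echoed back to the callback by the provider.

```python
import secrets
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Placeholders (assumptions, not from the thread): use your provider's documented URLs.
API_PROBE_URL = "https://api.example.invalid/v3/merchants/{merchant_id}"
AUTHORIZE_URL = "https://www.example.invalid/oauth/authorize"


def http_probe(merchant_id, token):
    """Make one cheap authenticated GET and return only the HTTP status code."""
    req = urllib.request.Request(
        API_PROBE_URL.format(merchant_id=merchant_id),
        headers={"Authorization": "Bearer " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # urllib raises on 4xx/5xx; we only need the code


def check_token_on_login(merchant_id, token, client_id, session, probe=http_probe):
    """Return ("ok", None), ("reauthorize", url) or ("retry_later", None)."""
    if token is None:
        status = 401  # nothing stored: handle like a rejected token
    else:
        try:
            status = probe(merchant_id, token)
        except OSError:
            # DNS failure, timeout, refused connection: says nothing about the token.
            return ("retry_later", None)
    if status == 401:
        # Bind the round trip to this login session; the OAuth callback must
        # compare the returned state with session["oauth_state"] before
        # accepting and storing the new token.
        session["oauth_state"] = secrets.token_urlsafe(32)
        query = urlencode({"client_id": client_id, "state": session["oauth_state"]})
        return ("reauthorize", AUTHORIZE_URL + "?" + query)
    if 200 <= status < 300:
        return ("ok", None)
    # 429, 5xx and similar: an outage must not push every merchant through OAuth.
    return ("retry_later", None)
```

The same `check_token_on_login` logic can run from a scheduled job over stored tokens, which covers merchants who rarely log in; there the "reauthorize" result would trigger a notification instead of a redirect.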
jmalone30 answered

Any progress on this?

I am developing an app that allows a 3rd-party app to communicate with Clover. After the first time the merchant configures my app, there is no need to visit my app ever again, if the merchant chooses. So it is impossible to enforce the manual OAuth process after the original API Token expires.

The only thing I can think of is to generate an email notification to visit the app, which seems a bit awkward.

1 comment

David Marginian ♦♦ commented ·

No, there has been no progress.

0 Likes 0 ·
ggior32 answered

It has been close to a year since the last update; has there been any progress on this? We run a web service and are going to start running into hundreds of MIDs needing manual refreshes. The current solution of manually prompting the user through the OAuth flow is a pretty awkward solution.

1 comment

David Marginian ♦♦ commented ·
Unfortunately, we don't have any updates on this.
0 Likes 0 ·
jmalone30 answered

I've been asking for almost 2 years now! Any update on OAuth Refresh Tokens? Will they be implemented any time soon? I have to notify my clients every year that they need to log into Clover to re-authenticate. This is a royal pain for me and for them.


artem answered

Same here. Need a way to refresh the token without asking the merchant to re-login every year.

Refresh seems to be a standard function among all other services we have integrated in our app (like Google OAuth, Outlook OAuth, Stripe OAuth, PayPal OAuth).

Clover is the only one missing that at the moment.


Any chance to get an update on the current status?


kirank answered

2023 Update: Finally we seem to be getting this in early/mid 2023: https://community.clover.com/articles/43143/expiring-auth-tokens-coming-in-2023-2024.html
