In the sandbox, when changing marketplace app / API permissions I need to uninstall and reinstall the app from the marketplace in order to get an API token that has the updated permissions. Simply using the OAuth flow to obtain a new API token gives the old permissions, not the new permissions.
Is this a bug or is this how it's supposed to work? If so, how are we supposed to update permissions on production? Asking merchants to uninstall and reinstall the app is not a solution.
The OAuth flow allows one party (the merchant) to provide another party (the app) access to their data. This process is initiated when a merchant chooses to grant access to a third-party by reviewing the requested permissions and installing an app. It is by design, that if an app changes permissions the previously aquired access token will not reflect the new permissions. This makes sense, the merchant hasn't granted your app the new permissions. If the previously acquired token reflected the new permissions applications could obtain access to data without the merchant's authorization.
So, yes, unfortunately the answer is that when you change your application's permissions the merchant must perform a re-install, and, you must obtain a new access token. This is why we request developers to strongly consider the permissions their app requires before approval and release into the App Market. In this regard, hopefully most permission changes are done to support new functionality (not mistakes that prevent your app's core functions from working). One option for handling this is to gate the new functionality and notify merchants that a new feature is available but won't be enabled until an uninstall/re-install is performed.
1 Person is following this question.
