question

msargent avatar image
msargent asked Matt answered

Expiring Access Tokens for Hybrid Web and Android App

I'm looking for some guidance with the upcoming requirement for expiring access tokens.

The eCommerce system I work with has a Clover web integration for processing orders/payments and an Android app that's main use is onboarding new Clover merchants from Clover devices. The Android app generates an access token and sends it to our web API endpoint and is meant to be one-time use but merchants can manually update their access token from there as well.

It appears that updates will be needed on the web portion of the integration to migrate existing merchant API tokens ( https://docs.clover.com/docs/legacy-token-migration-flow ), and also to manage expiring tokens. However, it is unclear to me if changes are needed for the Android app.

My main questions are:

1) Does the Android onboarding app that uses CloverAuth.authenticate() need any changes to manage expiring access tokens or to save refresh tokens? I noticed this post has a similar question but at the time of posting this has no responses yet: https://community.clover.com/questions/62792/epxiring-access-tokens-for-android-and-oauth-for-c.html

2) The docs mention that "Frontend apps that use OAuth to authenticate users to their own apps often don't need a refresh token." ( https://docs.clover.com/docs/refresh-access-tokens ). How do I know if the Android app that sends an access token to our app's web API needs or doesn't need to create the refresh token?

Thanks for any help.

REST APIClover Android SDKOAuthAPI Token
10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

6 Answers

·
michaelelias avatar image
michaelelias answered

I'm working on this exact same problem. I've tried exchanging the auth token obtained from CloverAuth.authenticate() using the migrate_v2 oauth endpoint to receive an access / refresh token pair, but that doesn't work. The migrate_v2 endpoint returns and error saying "No Auth token with ID {auth-token} found.".

Do we need to be able to support auth tokens obtained from an Android app for use in our server to communicate with the Clover API as well as an access / refresh token pair obtained from authenticating through the Web?

10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

wm1 avatar image
wm1 answered

Bumping and cross-posting this as we need a response from Clover preferably a few weeks before August 1st refresh token change goes live. There are several posts on this, but there is no clarity, or answers. We're just playing a guessing game.

We have an OAUTH flow for merchants to "link" their Clover, however we also have a native app which is how the vast majority of merchants start their journey.

We use CloverAuth.authenticate() (in native app) to get a token, which we then use to talk to Clover Rest API. There's even an example here describing that this token can be used to query Clover API: https://docs.clover.com/docs/query-web-services

As per @MichaelElias post - it sounds like this token CAN NOT be "migrated". So the questions are:

1. Is the token received via CloverAuth.authenticate() a long-term token and is different from OAUTH token?

2. Can the token received via CloverAuth.authenticate() be used to make REST API calls?

3. If the token received via CloverAuth.authenticate() can be "migrated" (in future?) - will it invalidate an oauth refresh-access token AND similarly, will a new OAUTH token-pair invalidate the sdk token OR can these two co-exist


Other posts on this issue

https://community.clover.com/questions/62792/epxiring-access-tokens-for-android-and-oauth-for-c.html

https://community.clover.com/questions/63628/refresh-access-token-with-sdk-and-api.htm

10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

harry625 avatar image
harry625 answered wm1 commented

Hi msargent,


For managing expiring access tokens in your Android onboarding app using CloverAuth.authenticate(), it's recommended to implement token refresh functionality to ensure seamless API access without manual updates by merchants. As per the Clover documentation, frontend apps typically don't require refresh tokens for their own authentication flows unless continuous access is needed beyond initial authorization. Evaluating your app's specific use case with Clover's API integration guidelines will clarify whether a refresh token is necessary for your Android app.


Hope this helps clarify your approach!

1 comment
10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

wm1 avatar image wm1 commented ·

@Harry625 This is not helpful. Can you please provide clear answers to below?

You write:
>>For managing expiring access tokens in your Android onboarding app it's recommended to implement token refresh functionality to ensure seamless API access without manual updates by merchants.

It seems that the token received in CloverAuth.authenticate() can not be exchanged for a pair of refresh+access token. See @MichaelElias reply above - The migrate_v2 endpoint returns and error saying "No Auth token with ID {auth-token} found.".

>> Question:
Since CloverAuth.authenticate() token can not be migrated, can we continue to use it "as-is" in REST API requests as described here in #3: https://docs.clover.com/docs/query-web-services


Our merchants can use the native app AND/OR from a web-app. Web-app has OAUTH flow implemented, and Native app uses CloverAuth.authenticate(), caches the token in-app, sends it to our backend and we use it for REST requests. .

>> Question:
Will generating a pair of refresh+access tokens via OAUTH invalidate (or have any affect) on the CloverAuth.authenticate() token for the same MID?

0 Likes 0 ·
wm1 avatar image
wm1 answered

Bumping again. There are at least 3 more posts on this topic and none are answered.

10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

msargent avatar image
msargent answered msargent commented

I was away from this project for a while but picking back up on it now. I did receive an email response from Clover dev relations on June 21st that stated:

So I was able to check this with our team here and they confirmed that device tokens obtained from the CloverAuth.authenticate() method won't be affected by the deadline (August 2024) in light of the expiring tokens.

You'll be able to continue with your existing functionality until further notice.

Communication will be sent out with plenty of notice if this changes, or when it is planned to address expiring tokens in the context of device tokens.

This is good to hear since I would need to line up an Android developer to make changes to the Android portion of the app and an August 1 deadline would be too tight at this point.

However, the Clover dev relations response seems to be in conflict with harry625's response:

For managing expiring access tokens in your Android onboarding app using CloverAuth.authenticate(), it's recommended to implement token refresh functionality to ensure seamless API access without manual updates by merchants.

I'm really hoping I don't need to update the Android app at this point since as I mentioned there is just not enough time to do so.

I am working on adding the expiring access tokens to the web integration though and I am running into issues.

I created a new post that details the issues I'm experiencing here:

https://community.clover.com/questions/64549/problems-with-migrating-access-tokens-in-web-integ.html

2 comments
10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

wm1 avatar image wm1 commented ·

@msargent - do you use tokens received via CloverAuth.authenticate() for REST calls? The answer you got from Clover is still a bit ambiguous (your existing functionality might be different from ours). I'm hoping that their response does mean that these tokens will continue to work from for SDK and REST

We ran into issues migrating device-tokens as well, and we decided to simply push all merchants through the oauth2 flow to get new refresh-access pair. Our app will still continue to use authenticate() until we hear that this is changing. So in our case we'll have sdk device-token and new refresh+access token available to make rest calls.

0 Likes 0 ·
msargent avatar image msargent wm1 commented ·

Yes, the tokens generated with CloverAuth.authenticate() are used for REST calls. Our eCommerce interactions with Clover are all REST based, the Android app is mostly just used to generate the initial token from Clover devices.

0 Likes 0 ·
Matt avatar image
Matt answered

Hi all,

could you confirm that the CloverAuth.authenticate() token continues to use it "as-is" in REST API requests?

TIA

10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Welcome to the
Clover Developer Community