wm1 asked florence023 edited

Tokens remain VALID after app uninstall on production (oauth v2)

We're migrating to OAuth v2 and noticed that we can continue to make successful REST requests after a merchant uninstalls the app, using the refresh and access tokens from the OAuth2 flow.

We can refresh tokens and call other resources within app-scope.

You guys might want to address this and invalidate/revoke all refresh+access tokens upon app uninstall.

I made a longer post on this with examples but it is in "moderation"...

OAuth

florence023 answered florence023 edited

Hello,
I'm also experiencing an issue where OAuth v2 tokens remain valid even after a user uninstalls the app. This allows continued access to REST resources using refresh and access tokens. It's crucial to invalidate or revoke tokens upon app uninstallation to enhance security. Looking forward to seeing this addressed.

Best regards,
florence023
MyLowesLife

3 comments

wm1 commented ·

This whole expiring-token implementation seems completely half-assed.

- Documentation is incomplete and ambiguous.

- There is no clear limit on number of active refresh tokens per merchant;

- There is no clear explanation on the oauth flow on device install (is it a webview?)

- There are 3 contradicting responses from Clover on how to deal with long-term device tokens. One says they'll continue to work as is, another says they need to be migrated, and another says that you need to migrate first token, use it for 5 minutes and then get another device token. If that's not a "hacky" approach, I don't know what is.

- This forum is full of spam, unanswered questions and ai-generated nonsense.

How FiServ (or whoever owns Clover now) is letting this happen is beyond me.

ben-m commented (replying to wm1) ·

I've had my fair share of communications with Clover Dev Rel, this forum and FiServ. This forum used to have a software engineer called David Marginian who was knowledgeable and actually looked into things internally for answers when things needed clarification, like some of the documentation. I have seen some efforts here but nothing like David once did.

Clover developer relations remains the best way to get your technical questions out -- I've had mixed experiences for the more technical things, but for clarifying documentation they have been useful.


---

"There is no clear limit on number of active refresh tokens per merchant;"

I've had a talk with Kevin from Clover Dev Rel and he clarified it for me. Just like we have limits for the API rates at different levels, this refresh token limit is specific to merchants for a single app.

This means each merchant can have 100 active refresh tokens for each app. So unless there are more than 100 employees logged in to ONE app for ONE merchant, the app should not have any problems. If you have any questions about this, feel free to make a new thread and I'll answer. I don't want to hijack the thread.

Keep in mind Clover Dev Rel is overwhelmed with the amount of emails they are getting. I can only assume the lack of resources is the same way on the forum.

wm1 commented (replying to ben-m) ·

Yes, things used to run a bit smoother 5+ years ago. It's been a while since I actually needed anything and I'm just surprised at the overall state of things. Fiserv can certainly afford hiring someone to clean this up and to at least create a more appealing front (getting actual answers is another story).

Clover docs were always a bit "off", but like you said, David was a huge help.

Thanks for the info on refresh tokens. We already implemented a refresh-token-rotation queue which will auto-discard bad refresh tokens (assuming once the limit is reached), but it's good to know.

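An added example (not Clover's code, nor code from anyone in this thread) of the server-side behaviour the question asks for and the rotation queue the comments describe: every refresh and access token a merchant holds for an app is revoked on uninstall, presented refresh tokens are consumed on rotation, and the store caps active refresh tokens at the 100 per merchant per app that ben-m reports, discarding the oldest. Merchant and app ids, token values and the `on_app_uninstalled` hook name are assumptions made for the example.

```python
from collections import deque
import secrets

MAX_ACTIVE_REFRESH_TOKENS = 100  # per merchant, per app, as reported in the thread


class TokenStore:
    """Minimal in-memory token store scoped by (merchant_id, app_id)."""

    def __init__(self):
        self._refresh = {}  # (merchant, app) -> deque of active refresh tokens, oldest first
        self._owner = {}    # refresh token -> (merchant, app); absent means revoked/unknown
        self._access = {}   # access token  -> (merchant, app)

    def issue(self, merchant_id, app_id):
        """Issue a refresh+access pair; evict the oldest refresh token at the cap."""
        key = (merchant_id, app_id)
        queue = self._refresh.setdefault(key, deque())
        if len(queue) >= MAX_ACTIVE_REFRESH_TOKENS:
            self._owner.pop(queue.popleft(), None)  # oldest token is now revoked
        refresh, access = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        queue.append(refresh)
        self._owner[refresh] = key
        self._access[access] = key
        return refresh, access

    def refresh(self, refresh_token):
        """Rotate: the presented refresh token is consumed and a new pair issued."""
        key = self._owner.pop(refresh_token, None)
        if key is None:
            raise PermissionError("refresh token revoked or unknown")
        self._refresh[key].remove(refresh_token)
        return self.issue(*key)

    def is_access_valid(self, access_token):
        return access_token in self._access

    def active_refresh_count(self, merchant_id, app_id):
        return len(self._refresh.get((merchant_id, app_id), ()))

    def on_app_uninstalled(self, merchant_id, app_id):
        """Uninstall hook (assumed name): revoke every token for this merchant+app."""
        key = (merchant_id, app_id)
        for token in self._refresh.pop(key, ()):
            self._owner.pop(token, None)
        self._access = {t: k for t, k in self._access.items() if k != key}
```

After `on_app_uninstalled`, both `refresh()` with an old token and `is_access_valid()` with an old access token fail, which is the check the original question found missing.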