Recommended way to introduce new scopes to existing clients

Hi,

We have a new proxy that is verifying the access tokens using new scopes.

We would like an existing developer app to include the new scopes so we have added the new scopes to the associated API product.

When the new access tokens are generated, then it contains the new scopes as expected.

However, our apps use the refresh token (after the initial access token expires) to generate the new access token. The apps continue to use the same refresh token to generate a new access token until the refresh token expires. This is because ReuseRefreshToken is set to true in the RefreshAccessToken policy. By using an existing refresh token (issued before the scope was updated in the API product), the new access tokens still have the old scopes.

What is the recommended way for the access tokens to get the new scopes? I had a couple of options that I was considering.

1) Change ReuseRefreshToken to false to force the client apps to generate a new access token and refresh token. Hence, they will pick up the new scopes.

2) Let the refresh token expire. Then generate a new access token, which will now contain the new scopes.

3) Any other ideas?

The main thing that I want to avoid is any performance issues to the system. I am more inclined to go with option 2 myself. Just wanted to know anyone else's thoughts?

Thanks!

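To make the behaviour in the question concrete, here is a small toy authorization server that models the refresh-token flow the poster describes. This is an added example, not code from the original post and not Apigee's implementation. The class and flag names (`TokenServer`, `reuse_refresh_token`, `rescope_on_rotate`) and the scope names are assumptions made for the illustration. A refresh grant reissues the scope bound to the refresh token rather than consulting the product's current scope list (RFC 6749 §6 says the scope requested on refresh must not include any scope not originally granted), which is why the existing refresh token keeps producing old-scope access tokens. Whether a rotated refresh token (option 1) is rebound to the product's current scopes is implementation-specific, so the model exposes it as the `rescope_on_rotate` flag and shows both outcomes; option 2 is the full grant the client falls back to once the refresh token has expired.

```python
"""Toy OAuth 2.0 token store: how a scope added to an API product reaches
clients that only ever refresh.  Added example; not Apigee code.  Names such
as TokenServer, reuse_refresh_token and rescope_on_rotate are assumptions."""

import secrets
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    scopes: frozenset
    expires_at: int          # seconds on the toy clock
    revoked: bool = False


class TokenServer:
    def __init__(self, product_scopes, reuse_refresh_token=True,
                 rescope_on_rotate=True, access_ttl=60, refresh_ttl=3600):
        self.product_scopes = set(product_scopes)   # what the product grants now
        self.reuse_refresh_token = reuse_refresh_token
        self.rescope_on_rotate = rescope_on_rotate   # assumption: impl-specific
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.now = 0
        self.access = {}
        self.refresh = {}

    def tick(self, seconds):
        self.now += seconds

    def add_product_scope(self, scope):
        self.product_scopes.add(scope)

    def _issue(self, store, scopes, ttl):
        t = Token(secrets.token_urlsafe(16), frozenset(scopes), self.now + ttl)
        store[t.value] = t
        return t

    def grant(self):
        """Full authorization grant: scopes come from the product as configured now."""
        a = self._issue(self.access, self.product_scopes, self.access_ttl)
        r = self._issue(self.refresh, self.product_scopes, self.refresh_ttl)
        return a, r

    def refresh_grant(self, refresh_value):
        r = self.refresh.get(refresh_value)
        if r is None or r.revoked or r.expires_at <= self.now:
            raise PermissionError("invalid_grant")
        # The new access token carries the scope bound to the refresh token;
        # the product's current scope list is not consulted here.
        a = self._issue(self.access, r.scopes, self.access_ttl)
        if self.reuse_refresh_token:
            return a, r                      # same refresh token, same scopes
        r.revoked = True                     # rotation: old refresh token dies
        new_scopes = self.product_scopes if self.rescope_on_rotate else r.scopes
        return a, self._issue(self.refresh, new_scopes, self.refresh_ttl)

    def verify(self, access_value, required_scope):
        """What the proxy does: valid, unexpired token carrying the scope."""
        a = self.access.get(access_value)
        return (a is not None and a.expires_at > self.now
                and required_scope in a.scopes)


def walk_through(reuse_refresh_token, rescope_on_rotate=True):
    """Scopes on each access token a client obtains after the product gained
    'new.scope': two refresh grants, then a full grant once the refresh token
    has expired.  Returns a list of sorted scope lists."""
    srv = TokenServer({"read"}, reuse_refresh_token, rescope_on_rotate)
    _, refresh = srv.grant()             # client authorized before the change
    srv.add_product_scope("new.scope")   # the change made in the API product
    history = []
    for _ in range(2):
        srv.tick(srv.access_ttl)         # access token expired, client refreshes
        access, refresh = srv.refresh_grant(refresh.value)
        history.append(sorted(access.scopes))
    srv.tick(srv.refresh_ttl)            # every refresh token issued so far expired
    try:
        srv.refresh_grant(refresh.value)
    except PermissionError:              # option 2: client must do a full grant
        access, _ = srv.grant()
        history.append(sorted(access.scopes))
    return history


if __name__ == "__main__":
    print("reuse=true            ", walk_through(True))
    print("reuse=false, rescope  ", walk_through(False))
    print("reuse=false, no rescope", walk_through(False, rescope_on_rotate=False))
```

The same lag applies in the other direction: a scope removed from the product stays usable by any client holding a live refresh token, so with ReuseRefreshToken true the refresh token's original expiry bounds how long a stale (broader) scope set survives.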

sjm2000

I would suggest directly communicating this with your major clients, who are the real stakeholders, and getting their opinion. Finally, API clients are like our customers 🙂

If you ask me, use option 2, and I hope the refresh token expiry is not too long. But inform the client and get their concurrence for a seamless transition.