Integration Development: Sliding Expiration of Refresh Tokens

In previous versions of MYOB Acumatica, a user had to reauthorize a connected application to work with MYOB Acumatica every 30 days. In MYOB Acumatica 2024.1, a developer can configure the sliding expiration of refresh tokens for the connected applications.

How to Configure the Sliding Expiration

On the Connected Applications (SM303010) form, for any connected application that has the Authorization Code, Resource Owner Password Credentials, or Hybrid flow, a developer can select the Sliding Expiration mode in the Refresh Tokens section in the Summary area, as shown in the following screenshot. The developer can also specify the length of the sliding lifetime and indicate whether the refresh tokens for the application have an absolute lifetime.

Figure 1. Sliding Expiration mode


How the Sliding Expiration Works

When a user grants the offline_access scope (along with the api or openid scope) to a connected application, the application receives a refresh token and an access token. The application can then access data in MYOB Acumatica for a limited period of time, which is specified in the response that returns the access token. When the access token expires, the client application can request a new access token by providing the refresh token to the token endpoint. The refresh token can be provided at any time within 30 days of the first issuing of the token.

If the connected application provides the refresh token to the token endpoint during these 30 days, the period of time for which the new refresh token is valid is extended by the time that is specified in the Sliding Lifetime (Days) box on the Connected Applications (SM303010) form, as shown in the following diagram. The lifetime of the refresh token can be extended multiple times by the period of the sliding lifetime until the total lifetime of the refresh token, counted from its initial issuing, exceeds the number of days that is specified in the Absolute Lifetime (Days) box. If the Infinite check box is selected for the absolute lifetime, the lifetime of the refresh token can be extended endlessly.

Figure 2. Lifetime of refresh tokens with sliding expiration
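
The lifetime rules described in this section can be modeled to see when a connected application loses its refresh token and the user has to reauthorize. The following is an added example, not MYOB Acumatica code. The function and parameter names are hypothetical, the dates are constructed, and it assumes that an extension which would pass the absolute lifetime is clamped to that limit.

```python
from datetime import datetime, timedelta

INITIAL_WINDOW_DAYS = 30          # from the page: usable within 30 days of first issue
ISSUED = datetime(2024, 1, 1)     # constructed sample issue date


def day(n):
    """Constructed timestamp n days after the sample issue date."""
    return ISSUED + timedelta(days=n)


def simulate(issued, refresh_times, sliding_days, absolute_days=None):
    """Replay refresh attempts; return (final_expiry, rejected_attempts).

    absolute_days=None models the Infinite check box.
    Assumption: an extension is clamped to issued + absolute_days.
    """
    limit = None if absolute_days is None else issued + timedelta(days=absolute_days)

    def clamp(t):
        return t if limit is None else min(t, limit)

    expires = clamp(issued + timedelta(days=INITIAL_WINDOW_DAYS))
    rejected = []
    for t in sorted(refresh_times):
        if t >= expires:
            rejected.append(t)    # token expired: the user must reauthorize
            continue
        expires = clamp(t + timedelta(days=sliding_days))  # slide the window
    return expires, rejected


if __name__ == "__main__":
    attempts = [day(25), day(40), day(55), day(70)]
    for label, absolute in (("absolute=60", 60), ("infinite", None)):
        expiry, rejected = simulate(ISSUED, attempts, sliding_days=20, absolute_days=absolute)
        print(label, "expires", expiry.date(), "rejected", [r.date() for r in rejected])
```

With a 20-day sliding lifetime, the sample schedule is cut off at day 60 under a 60-day absolute lifetime, while the same schedule keeps the token valid through day 90 when the absolute lifetime is infinite.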