Open RaggedStaff opened 4 months ago
This seems to have broken the Shopify app when enabled (despite previous discussion & it apparently being coded to handle not reusing refresh tokens 😖 ). Given we're at QA, can't really deal with this atm, so I've turned it back off (Refresh tokens are once again not being revoked and can be reused, potentially by multiple clients).
I'll put this back into To Do & we can discuss how to move forward on the next call (9/9).
We currently are not revoking refresh tokens, which means they can be reused multiple times (until a different token is used).
Recommended settings are to revoke immediately on first use.
Can we move to recommended settings?
This has implications for platform behaviour - whether they reuse a stored token, or capture a new refresh token with every access token that is issued.
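
An added illustration of the two settings discussed in this issue, not code from this project or from the Shopify app: a toy server that either leaves a refresh token valid until a newer one is used or revokes it on first use, run against a client that reuses its stored token and one that captures the new refresh token from every response. `AuthServer` and `count_refreshes` are hypothetical names, and the non-revoking behaviour is modelled on the description above.

```python
import secrets

class AuthServer:
    """Toy authorization server (constructed for this example)."""
    def __init__(self, revoke_on_first_use):
        self.revoke_on_first_use = revoke_on_first_use
        self.valid = {}   # refresh token -> issue sequence number
        self.seq = 0

    def issue(self):
        self.seq += 1
        token = secrets.token_urlsafe(16)
        self.valid[token] = self.seq
        return token

    def refresh(self, token):
        """Exchange a refresh token; returns (access_token, new_refresh_token)."""
        if token not in self.valid:
            raise PermissionError("invalid_grant")
        used_seq = self.valid[token]
        # Using a token invalidates every older one, so an old token only
        # stays usable "until a different token is used".
        self.valid = {t: s for t, s in self.valid.items() if s >= used_seq}
        if self.revoke_on_first_use:
            del self.valid[token]   # recommended setting: strictly single use
        return secrets.token_urlsafe(16), self.issue()

def count_refreshes(server, capture_new_token, attempts=3):
    """Run one client for `attempts` refreshes; return how many succeeded."""
    stored = server.issue()         # refresh token obtained at login
    ok = 0
    for _ in range(attempts):
        try:
            _access, new_refresh = server.refresh(stored)
        except PermissionError:
            break                   # client must re-authenticate from here
        ok += 1
        if capture_new_token:
            stored = new_refresh    # replace the stored token on every refresh
    return ok

if __name__ == "__main__":
    for revoke in (False, True):
        for capture in (False, True):
            n = count_refreshes(AuthServer(revoke), capture)
            print(f"revoke_on_first_use={revoke} capture_new_token={capture}: {n}/3")
```

Only the client that keeps reusing its stored token is affected by the switch: it gets one successful refresh and then `invalid_grant`.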