#dave_unexpected
Hello there
I'm not familiar with the Stripe Pay Connector
Is this a third party connector/plugin?
yeah let me provide some extra context
I'm a software engineer for Twilio. Twilio has an existing connection to Stripe as a Stripe extension. We are in the process of upgrading it to Stripe apps
as an extension, a single twilio account could have many connections to a single stripe account, all using oauth
But as a stripe app, it seems like, if I try to create more than one oauth connection to Stripe, it invalidates the previous oauth connection
so now, it appears like, with stripe apps, a single twilio account can connect only once to a single stripe account
and when I say "it invalidates the previous oauth connection", specifically it seems to invalidate the refresh token
Sorry but still not quite understanding... you don't "oauth to Stripe" -- you would use OAuth to install the Stripe App.
Maybe a more tangible example would help me understand exactly what you are trying to do?
Yeah I'll clarify some more, this isn't about Twilio specifically but rather how Stripe Apps handle multiple OAuth connections.
The behavior I’m seeing is:
When a Stripe Platform Account (acting as the OAuth client) connects to a Stripe Connect Account, an OAuth access token and refresh token are issued.
If I then create a second OAuth connection from the same Platform Account to the same Connect Account, the refresh token from the first connection immediately becomes invalid, even if it was never used.
My question is:
Is this expected behavior in Stripe Apps? Specifically, does Stripe enforce a rule where a Platform Account can only maintain one active OAuth connection per Connect Account?
Or should multiple OAuth connections (and their refresh tokens) be able to coexist?
Just trying to ensure we align our integration with Stripe’s intended OAuth model.
Ah thank you for clarifying.
Yes this is expected, see: https://docs.stripe.com/stripe-apps/api-authentication/oauth#refresh-access-token
Refresh tokens are also rolled on every exchange, so the expiration time for the new refresh tokens is always a year from the date that it was generated or rolled.
The intention here is that there would only be one active refresh token per account
Interesting, thanks for clearing that up! But I am curious, does it explicitly say this somewhere in the docs: "The intention here is that there would only be one active refresh token per account"
I see where it says this: "Refresh tokens are also rolled on every exchange, so the expiration time for the new refresh tokens is always a year from the date that it was generated or rolled." But that is not quite the same thing, right?
I don't think it says it explicitly, no, but it is my understanding for how we have always handled these sorts of tokens. That said, what is the use-case here for wanting multiple refresh tokens for the same account?
it's more of a backwards compatibility thing. I'm concerned that some of Twilio's customers have this exact arrangement going on. I agree that technically there shouldn't be any need for it. But since we have an existing integration as a Stripe extension, there is the possibility that when we upgrade to a Stripe app, some customers' connectors get broken
Hmmm can you add logic to create a new refresh token to provide if one of your customers hits this error?
now that you mention it, that should be possible
I don't think it was really ever intended for there to be multiple active refresh tokens, though I do see how that would be possible with the old OAuth flow.
So I think just handling this error gracefully will be your best bet here.
gotcha. Well thanks again for the help!
Sure thing!