Hello folks! We’re migrating our API over to using a new internal provider for our OAuth 2.0 requests. This change will allow us to continue improving our support for OAuth standards like PKCE.
There should be no change required on your end to continue accessing the API. To help you check whether you need to make any changes, we’ve listed the key changes you should be aware of below.
On 2021-08-20T12:00:00Z we will be rolling out the changes below, so you need to ensure they will not negatively impact your app before then!
(ordered by potentially required impact)
Access & Refresh Token Length Changes
Previously the access & refresh tokens were lowercase alphanumeric values 64 characters in length. Newly issued access & refresh tokens will still be alphanumeric, but now include uppercase characters and can be up to 255 characters in length. All existing access & refresh tokens will continue to be valid in their existing format until they are refreshed.
New Client IDs are now UUID-based
Previously the Client IDs were lowercase alphanumeric values 64 characters in length. The new Client IDs are UUIDs instead. We generated a new Client ID for each application, but have implemented backwards compatibility for your old Client ID. Once the feature is released, you can visit your applications page to find out your new Client ID.
Old Client ID:
New Client ID:
Client Secret Length Changes
Previously the Client Secrets were lowercase alphanumeric values 64 characters in length. Newly generated Client Secrets are still alphanumeric, but now include uppercase characters and can be up to 255 characters in length. All existing Client Secrets will be migrated so they will continue to work.
Old Client Secret:
New Client Secret:
Our introspection and revocation routes are now completely supported. You will be able to introspect tokens using:
https://glimesh.tv/api/oauth/introspect
and revoke tokens using:
https://glimesh.tv/api/oauth/revoke
as per their RFCs.
Additionally, PKCE will now be allowed, so you can authenticate mobile & native clients without requiring your users to generate their own keys or accidentally sharing your client secret.
If you want to future proof your app, you can do the following after the feature has been released:
- Rotate your keys in your applications page. This will generate a new secret for you to add to your app. You can use your newly generated UUID-based Client ID as well. There is no need to refresh any of your tokens outside of their normal cycle, as they will be automatically refreshed into the new format as they expire.
- Monitor your app’s logs & active users during the release to ensure there are no unexpected problems.
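One way to check an app against the format changes above before the release, as an added example that is not Glimesh’s own code: it classifies Client IDs, secrets and tokens as old or new format and flags storage fields that would truncate a 255-character value. The regular expressions are an interpretation of the formats described in this post, and the sample values and schema names are constructed.

```python
import re
import uuid

# Formats as described in the announcement; the exact alphabets are an assumption.
LEGACY_RE = re.compile(r"[a-z0-9]{64}")       # old IDs, secrets and tokens
NEW_RE = re.compile(r"[A-Za-z0-9]{1,255}")    # new secrets and tokens
NEW_MAX_LEN = 255


def classify_client_id(value: str) -> str:
    """Return 'legacy', 'uuid' or 'invalid' for a Client ID."""
    if LEGACY_RE.fullmatch(value):
        return "legacy"
    try:
        # Accept only the canonical hyphenated form, not the looser
        # spellings uuid.UUID() also parses (braces, urn:, no hyphens).
        if str(uuid.UUID(value)) == value.lower():
            return "uuid"
    except ValueError:
        pass
    return "invalid"


def classify_secret_or_token(value: str) -> str:
    """Return 'legacy', 'new' or 'invalid' for a Client Secret or token."""
    if LEGACY_RE.fullmatch(value):   # check first: it also matches NEW_RE
        return "legacy"
    if NEW_RE.fullmatch(value):
        return "new"
    return "invalid"


def too_narrow(column_widths: dict) -> list:
    """List storage fields that would truncate a maximum-length new value."""
    return sorted(name for name, width in column_widths.items()
                  if width < NEW_MAX_LEN)


# Constructed sample values, not real credentials.
SAMPLE_LEGACY = "0123456789abcdef" * 4
SAMPLE_NEW = "Ab3" * 85                       # 255 characters, mixed case
SAMPLE_UUID = "123e4567-e89b-12d3-a456-426614174000"
SAMPLE_SCHEMA = {"access_token": 64, "refresh_token": 255, "client_secret": 128}

if __name__ == "__main__":
    print(classify_client_id(SAMPLE_LEGACY), classify_client_id(SAMPLE_UUID))
    print(classify_secret_or_token(SAMPLE_NEW))
    print("columns too narrow:", too_narrow(SAMPLE_SCHEMA))
```

A field sized for the old 64-character values can silently truncate a refreshed token, which then fails as an invalid token on the next API call.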
If you have any questions about this change, or if you need help implementing it, please reach out to us in the #dev-questions channel on Discord, or if you are not on Discord, you can email me at firstname.lastname@example.org