Since the Invantive email received yesterday (Upgradeverzoek Invantive Query Tool op …) we have upgraded to 22.0.647, and the login to Exact Online fails with an error itgenoam010:
Can not log on to ExactOnlineAll using 'https://exactonlineclientredirect.invantive.com'.
Please check that the redirect URL is correct and is not redirected to another while loosing a token.
There seems to be a deviation from previous releases when the so-called “Implicit Grant Flow” is used. This is an authentication process in which the authentication is valid for only 10 minutes, instead of longer as with the “Code Grant Flow”.
It is recommended to activate the “Code Grant Flow” while the bug is being sorted out. Activating the “Code Grant Flow” is quite simple:
either provide a value for the client secret in the log-on form for Exact Online as shown in the picture below,
or specify the client secret in the connection string using client-secret=VALUE.
The client secret can be found in the Exact App Center as described in:
An additional advantage is that the need to enter the verification code is significantly reduced, since a so-called “refresh token” is acquired which stays valid on Exact Online unless generated on another device.
In version 22.0.657 several improvements have been made, rendering specification of the client secret obsolete. When specified, it will be used to improve log on performance.
One question here: did Exact update their token policy?
We switched to the Implicit Grant Flow some time ago because we have multiple divisions inside Exact Online and the Code Grant Flow is only valid for one division.
Both the Implicit Grant Flow and the Code Grant Flow technically work identically once an access token has been acquired. The Code Grant Flow equals the Implicit Grant Flow plus acquiring a so-called refresh token that, when not used, only expires after 30 days (up to 2021: unlimited lifetime). The refresh token can be used at most once per 9.5 minutes to acquire a new access token, even days later. However, a refresh token is sadly invalidated when the authorization flow is executed elsewhere for the combination of user and client ID.
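As an added illustration of the token behaviour described in this reply (a constructed model, not Invantive's or Exact's code), the routine below decides what a client holding tokens from either flow should do at a given moment. The `revoked_elsewhere` flag is a hypothetical stand-in for the refresh failure seen after the authorization flow ran on another device; the 10-minute, 9.5-minute and 30-day values are the ones stated in this thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Lifetimes as stated in the thread (constructed model, not Invantive's or Exact's code).
ACCESS_LIFETIME = timedelta(minutes=10)                  # access token validity
REFRESH_MIN_INTERVAL = timedelta(minutes=9, seconds=30)  # refresh at most once per 9.5 min
REFRESH_IDLE_EXPIRY = timedelta(days=30)                 # unused refresh token expires


@dataclass
class Session:
    access_issued: datetime          # when the current access token was issued
    refresh_token: Optional[str]     # None under the Implicit Grant Flow
    last_refresh: datetime           # refresh token issue time, or its last successful use
    revoked_elsewhere: bool = False  # hypothetical flag: auth flow ran on another device


def decide(session: Session, now: datetime, margin: timedelta = timedelta(0)) -> str:
    """Return 'use', 'refresh', 'wait' or 'reauthenticate'.

    margin is how long before access-token expiry the client would like to refresh;
    because the throttle (9.5 min) is only 30 s shorter than the access lifetime
    (10 min), an early refresh is only possible in that last half minute.
    """
    access_valid = now - session.access_issued < ACCESS_LIFETIME
    refresh_wanted = now - session.access_issued >= ACCESS_LIFETIME - margin
    refresh_usable = (session.refresh_token is not None
                      and not session.revoked_elsewhere
                      and now - session.last_refresh < REFRESH_IDLE_EXPIRY)
    if refresh_usable:
        if refresh_wanted and now - session.last_refresh >= REFRESH_MIN_INTERVAL:
            return "refresh"
        if not access_valid:
            return "wait"           # token expired but the refresh throttle has not elapsed
    if access_valid:
        return "use"
    return "reauthenticate"         # implicit grant, revoked elsewhere, or 30 days idle


def apply_refresh(session: Session, now: datetime) -> Session:
    """Model a successful refresh: new access token, refresh timestamp advanced."""
    verdict = decide(session, now)
    if verdict != "refresh":
        raise RuntimeError(f"refresh not permitted now: {verdict}")
    return Session(access_issued=now, refresh_token=session.refresh_token,
                   last_refresh=now)
```

A client that refreshes pre-emptively at, say, 80% of the access lifetime will be throttled under these values; only the final 30 seconds of the window allow an early refresh.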