We encourage anyone building new apps to use OAuth 2.0, but we will continue to certify OAuth 1.0a integrations until the end of March 2020. Please be aware that if you choose to launch with OAuth 1.0a, you will be required to migrate it to OAuth 2.0 before December 2020.
There’s no need for re-certification. Partners will be able to generate an OAuth 2.0 client id and secret for their existing partner app, which will give them no connection limit, as well as any special scopes they currently have. More details on this soon.
The concept of "app types" will be going away with OAuth 2.0. All apps will use the same authentication flow. Connection limits will be the main difference between certified (i.e. partner) and uncertified (i.e. public/private) apps. New apps will be able to connect with up to 25 organisations before they need to get certified to have the connection limit removed. Please see the OAuth 2.0 docs for more details.
All OAuth 2.0 apps will be able to maintain an offline connection (like partner apps can currently).
If you have a custom integration with multiple organisations (e.g. an accounting practice or franchise), get in touch with us at email@example.com and tell us more about your use case, and we can adjust your connection limit accordingly.
We'll soon have a migration endpoint that will allow partner apps to swap existing OAuth 1.0a tokens for new OAuth 2.0 tokens. Users won't have to reauthorize your app. We expect the migration flow to be available mid-December 2019, so expect a formal announcement soon.
We won’t be offering a migration flow for public or private apps. If you have clients using those apps then you will need to create a new OAuth 2.0 app and ask them to re-authorise.
We have released 4 new SDKs (.NET, NodeJS, PHP, Java) all built from the ground up with OAuth 2.0. We'll be adding Ruby and Python by March 2020. We don't have any plans to add OAuth 2.0 support to the OAuth 1.0a SDKs.
The redirect URL will return a code in the query string, but we will not display it in the browser. The use of a redirect URL is required in OAuth 2.0.