We are attempting to auto-renew Square OAuth access tokens automatically (on a daily basis) to avoid service interruption. One thing we are confused about is when exactly access tokens can be renewed.
The Square API OAuth overview page mentions:
Square OAuth access tokens expire after 30 days with a grace period of 15 days. Applications must manually renew expired access tokens within the 15 day grace period.
The OAuth token details reference page mentions:
If you attempt to renew an unexpired token, the token's lifetime is not extended.
Does this mean that you can't extend a token's lifetime until it expires (within the 15 day grace period)?
If so, do expired access tokens still work within that 15 day grace period?
I believe that wording is a bit confusing. In the docs we have:
OAuth tokens cannot be renewed until they are at least 24 hours old.
When you renew an OAuth access token, you most likely will get a different access token, so it's technically not extending the token's lifetime, because it's actually making a new token with a new expiration date.
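The rules quoted above (30-day lifetime, 15-day grace period, no renewal before the token is 24 hours old, renewal of an unexpired token does nothing, a renewal yields a new token) fit together into a small decision table. The following is an added example, not code from the question, the answer or Square; `renew_fn` is a hypothetical stand-in for the renew call, and the new token is assumed to start its own 30-day lifetime at the moment of renewal.

```python
from datetime import datetime, timedelta, timezone

# Lifetimes as quoted from the Square docs in the question above.
TOKEN_LIFETIME = timedelta(days=30)
GRACE_PERIOD = timedelta(days=15)
MIN_AGE_BEFORE_RENEW = timedelta(hours=24)  # "cannot be renewed until at least 24 hours old"

# Constructed sample issue time used by the demo below.
SAMPLE_ISSUED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)


def later(start: datetime, days: int = 0, hours: int = 0) -> datetime:
    """Small helper so callers can say later(t, days=31) without building timedeltas."""
    return start + timedelta(days=days, hours=hours)


def token_state(issued_at: datetime, now: datetime) -> str:
    """Where a token sits relative to its 30-day lifetime and 15-day grace period."""
    expires_at = issued_at + TOKEN_LIFETIME
    if now < expires_at:
        return "valid"
    if now < expires_at + GRACE_PERIOD:
        return "expired_in_grace"
    return "expired_unrenewable"


def renewal_decision(issued_at: datetime, now: datetime) -> str:
    """What a daily job should do with this token right now."""
    state = token_state(issued_at, now)
    if now - issued_at < MIN_AGE_BEFORE_RENEW:
        return "wait"          # too young to renew, whatever its state
    if state == "valid":
        return "noop"          # renewing an unexpired token does not extend it
    if state == "expired_in_grace":
        return "renew"         # the only window in which a renewal changes anything
    return "reauthorize"       # grace period passed: the user must go through OAuth again


def daily_job(record: dict, renew_fn, now: datetime) -> tuple:
    """Run one tick of the scheduler.

    record:   {"access_token": str, "issued_at": datetime}, the stored token.
    renew_fn: hypothetical callable that calls the renew endpoint with the old
              token and returns the *new* access token string (renewal issues a
              fresh token rather than extending the old one).
    Returns (action, updated_record); the record is unchanged unless renewed.
    """
    action = renewal_decision(record["issued_at"], now)
    if action == "renew":
        new_token = renew_fn(record["access_token"])
        # Assumption: the replacement token's 30 days start at renewal time.
        record = {"access_token": new_token, "issued_at": now}
    return action, record


if __name__ == "__main__":
    rec = {"access_token": "constructed-old-token", "issued_at": SAMPLE_ISSUED_AT}
    for day in (0, 10, 31, 46):
        action, rec = daily_job(rec, lambda old: "constructed-new-token", later(SAMPLE_ISSUED_AT, days=day))
        print(f"day {day:2d}: {action}")
```

Running the job daily is harmless: outside the grace window it returns `noop` or `wait` without calling the API, and a `reauthorize` result is the signal to alert an operator rather than retry.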
Related
The application is intended to be used by the company for management of intercompany documentation. These documents can contain valuable information, so it must be a secure application. I am using OAuth2 with access and refresh tokens. The access token is valid for 15 minutes and the refresh token is valid for 1 day.
I have not found any recommended lifetime for tokens.
Is 15 minutes for the AT and 1 day for the RT good? If yes, why are these values good enough, or why are they not good enough?
What is the optimal lifetime for the AT and RT for an application which must be really secure?
Thanks a lot!
Gmail vs. bank accounts.
I can't tell where your business falls. You should sit in a meeting with your product team, explain what happens and let them decide. It's OK if it takes some trial and error to get the right number.
But for Gmail the refresh token almost never expires. I can't remember the last time I had to enter my credentials again.
For banks, the refresh token seems to be valid for only 10 minutes, and if you background the bank app then you won't be able to get a new refresh token, so you get signed out. Like my Bank of America app: if I keep the app open then the app will continue to refresh the token.
And obviously refresh token expiry time should be more than your average user's session time.
I know that (when using the "Authorization code" flow in OAuth) the lifetime of an access token should be short, but the lifetime of a refresh token can be long.
So I decided for my project:
access-token-lifetime: 1 day
refresh-token-lifetime: 30 days
But what is a typical lifetime of an authorization code?
Am I right that it should be really, really short?
Maybe like 1 hour or even only a few minutes?
I could not find any "best practice" for this.
All of this is standard but configurable in most identity / auth servers.
Authorization code
When the user consents to an application accessing their data they are returned an authorization code. This code is only used once; it's normally good for five minutes. Anything lower than that would probably cause you issues with clock skew, and there is really no reason IMO for it to be longer.
access token
Access tokens are returned after the authorization code has been exchanged. Access tokens are most often only good for 60 minutes.
Refresh tokens
Refresh tokens are long-lived tokens. The following are Google's standard.
Refresh tokens are good for six months, but this time is sliding.
If a refresh token has not been used for six months by an application then the access is revoked.
A user can also revoke the access at any time.
Depending upon the scope requested, some refresh tokens expire after the user has changed their password.
Again, the above are just Google standards. On the identity server I work on at work, I think the current setting is that a refresh token expires after one month of non-usage.
Just found an answer on another site:
The authorization code must expire shortly after it is issued. The OAuth 2.0 spec recommends a maximum lifetime of 10 minutes, but in practice, most services set the expiration much shorter, around 30-60 seconds.
Source: https://www.oauth.com/oauth2-servers/authorization/the-authorization-response/
It depends on the provider. For some providers, it works only once. Once you exchange the authorization code for access and refresh tokens, it will expire and you can't use it the second time.
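The lifetimes given in the answers above (authorization code around five minutes with some clock-skew allowance and single use, access token 60 minutes, refresh token six months on a sliding window that a user can revoke at any time) are easiest to see in a minimal authorization server with an injectable clock. This is an added example written for this page, not code from any of the answers or from Google or any identity server; the 30-second skew allowance and the 182-day value for "six months" are assumptions, and the token store is an in-memory dictionary.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Lifetimes from the answers above; CLOCK_SKEW is an assumed allowance.
AUTH_CODE_TTL = timedelta(minutes=5)
CLOCK_SKEW = timedelta(seconds=30)
ACCESS_TOKEN_TTL = timedelta(minutes=60)
REFRESH_IDLE_TTL = timedelta(days=182)   # "six months", measured since last use


class AuthServer:
    """Constructed in-memory authorization server with a controllable clock."""

    def __init__(self, now: datetime = None):
        self.now = now or datetime.now(timezone.utc)
        self.codes = {}     # code -> (client_id, issued_at); removed on first use
        self.refresh = {}   # refresh token -> (client_id, last_used_at)
        self.access = {}    # access token -> (client_id, expires_at)

    def advance(self, **delta) -> None:
        """Move the clock forward, e.g. advance(minutes=6) or advance(days=200)."""
        self.now += timedelta(**delta)

    def issue_code(self, client_id: str) -> str:
        """Step 1: the user consents and the client receives a short-lived code."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, self.now)
        return code

    def exchange_code(self, code: str, client_id: str) -> dict:
        """Step 2: the code is swapped for tokens. Works exactly once."""
        entry = self.codes.pop(code, None)       # a replayed code finds nothing
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        owner, issued_at = entry
        if owner != client_id:
            raise PermissionError("invalid_grant: code was issued to another client")
        if self.now - issued_at > AUTH_CODE_TTL + CLOCK_SKEW:
            raise PermissionError("invalid_grant: code expired")
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = (client_id, self.now)
        return {"refresh_token": rt, **self._new_access(client_id)}

    def refresh_access(self, rt: str, client_id: str) -> dict:
        """Step 3 (repeatable): a used refresh token gets another six months."""
        entry = self.refresh.get(rt)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant: unknown refresh token")
        if self.now - entry[1] > REFRESH_IDLE_TTL:
            del self.refresh[rt]                 # idle too long: access is revoked
            raise PermissionError("invalid_grant: refresh token unused for six months")
        self.refresh[rt] = (client_id, self.now)  # sliding window restarts on each use
        return self._new_access(client_id)

    def revoke(self, rt: str) -> None:
        """User-initiated revocation, allowed at any time."""
        self.refresh.pop(rt, None)

    def access_is_valid(self, at: str) -> bool:
        entry = self.access.get(at)
        return entry is not None and self.now < entry[1]

    def _new_access(self, client_id: str) -> dict:
        at = secrets.token_urlsafe(32)
        self.access[at] = (client_id, self.now + ACCESS_TOKEN_TTL)
        return {"access_token": at, "token_type": "Bearer",
                "expires_in": int(ACCESS_TOKEN_TTL.total_seconds())}
```

Because the clock is injected, the "six months of non-use" rule can be exercised in a unit test by advancing `now` rather than waiting; the same structure lets the one-month setting mentioned for the author's own identity server be tried by changing `REFRESH_IDLE_TTL`.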
I'm using an API that by default has its access tokens expire 30 days after generating/refreshing. Is there a reason I shouldn't simply have a cron job that refreshes the token every week? I would rather set-and-forget rather than dynamically watch the expiration.
Ideally the token lifespan should be short. Coming back to the question you asked, there are ways you can refresh the token.
1. We can let the token expire after 30 days, and on the next call you make after token expiration you will get 401 Unauthorized. Once you get that you will know that the token is expired and you can refresh the token. Where you are refreshing the token from matters, I mean server side or client side.
2. We do have the token, hence the expiration time as well. By watching the expiration time we can refresh the token just before it expires. But for that you should be able to get the token and read all the properties associated with it.
I recommend the 1st option as you do not need to worry about reading the token for each and every client. Also, if the token is expiring every 30 days, there is no need to refresh every week, as that's unnecessary calls to the server asking for a refreshed token even though it's valid.
1. I cannot understand the phrase "The token has not been used for six months." in Google OAuth 2 Authentication.
Why does the token expire when the token has not been used for six months?
Actually the access token has a lifetime of not more than 3600 seconds, and then it will have expired.
https://developers.google.com/accounts/docs/OAuth2?hl=pt-PT
2. There is currently a 25-token limit per Google user account.
That means either one application can access only 25 people, or one account can access only 25 applications.
What they are saying is that Google's Authentication token lifetime is six months. I'm not sure why you think that it would be 3600 seconds. I've only quickly skimmed the OAuth 2.0 specification but I can't find anything that enforces a limit of 3600 seconds. There are examples of it being used but it is not required.
For each Google user account only 25 tokens will be issued. So yes, essentially you would only be able to get access tokens for 25 applications for that one user account.
I need to understand if a refresh token from OAuth 2.0 for Google data expires or not if unused for more than 6 months?
At many places it is called out that it doesn't expire and at some places it is said that it will expire if unused for 6 months.
For example, in this question, the accepted answer says that it never expires but one of the comments suggest that it can expire if unused for 6 months.
This Google doc calls out that the refresh token will never expire, while this doc says it can expire if not used for 6 months.
Although I am using a safety check for the cases where the refresh token has expired for any reason, I still want to make sure I understand the behavior correctly.
You are correct, the two pages Using OAuth 2.0 for Web Server Applications and Using OAuth 2.0 to Access Google APIs don't have the same information.
Using OAuth 2.0 to Access Google APIs is correct.
You should write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons:
- The user has revoked access.
- The token has not been used for six months.
- The user account has exceeded a certain number of token requests.
There is currently a 25-token limit per Google user account. If a user account has 25 valid tokens, the next authentication request succeeds, but quietly invalidates the oldest outstanding token without any user-visible warning.
If you need to authorize multiple programs, machines, or devices, one workaround is to limit the number of clients that you authorize per user account to 15 or 20. If you are a Google Apps admin, you can create additional admin users and use them to authorize some of the clients.
A refresh token that hasn't been used for 6 months will expire.
I have sent in a bug report on the first URL. Google should clear up the discrepancy the next time they go through the documents.
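The 25-token cap quoted above is the failure mode that bites people who authorize one service account for many machines: the 26th grant succeeds and the 1st client silently stops working. The model below, which also covers the earlier question about what the limit means, is an added example and not Google's code or that of anyone in this thread; it reproduces only the quoted behaviour (per-user cap, oldest token evicted without error) and the quoted workaround (spread clients across extra admin users at 15 to 20 per account), with the per-account limit of 20 taken as an assumed choice within that range.

```python
from collections import OrderedDict
import math

MAX_TOKENS_PER_USER = 25     # the limit quoted from the Google docs above


class TokenRegistry:
    """Constructed model of the quoted behaviour: per-user cap, oldest token evicted silently."""

    def __init__(self):
        self.tokens = {}     # user -> OrderedDict(token -> client_id), oldest first
        self._n = 0

    def authorize(self, user: str, client_id: str):
        """Grant a new refresh token to a client; returns (token, evicted_token_or_None).

        The caller is never told about the eviction by the real service; it is
        returned here only so the effect can be observed.
        """
        per_user = self.tokens.setdefault(user, OrderedDict())
        self._n += 1
        token = f"rt-{self._n}"                          # constructed value
        evicted = None
        if len(per_user) >= MAX_TOKENS_PER_USER:
            evicted, _ = per_user.popitem(last=False)    # oldest goes, no error, no warning
        per_user[token] = client_id
        return token, evicted

    def is_valid(self, user: str, token: str) -> bool:
        """What a client finds out only when its next refresh call fails."""
        return token in self.tokens.get(user, {})


def spread_clients(clients, admin_users, per_user_limit=20):
    """The workaround from the docs: cap grants per account, use extra admin users.

    Returns {admin_user: [client_ids]}; raises if the accounts cannot hold them all,
    saying how many accounts would be needed.
    """
    capacity = len(admin_users) * per_user_limit
    if len(clients) > capacity:
        needed = math.ceil(len(clients) / per_user_limit)
        raise ValueError(
            f"{len(clients)} clients need at least {needed} admin accounts "
            f"at {per_user_limit} each, only {len(admin_users)} given")
    plan = {user: [] for user in admin_users}
    for i, client in enumerate(clients):
        plan[admin_users[i // per_user_limit]].append(client)
    return plan


if __name__ == "__main__":
    reg = TokenRegistry()
    grants = [reg.authorize("constructed-admin", f"client-{i}") for i in range(26)]
    first_token = grants[0][0]
    print("first client still valid after 26 grants:", reg.is_valid("constructed-admin", first_token))
    print(spread_clients([f"client-{i}" for i in range(26)], ["constructed-admin-1", "constructed-admin-2"]))
```

The practical lesson is the one the answer's quoted text starts with: a client must treat a failed refresh as a normal outcome and re-run the consent flow, because the token may have been evicted by an unrelated authorization on the same account rather than by anything the client did.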