Refresh Token Lifetime and Revoking - oauth-2.0

I am working on a Google Drive App.
What is the lifetime of a Refresh Token? I have read that it lasts until it is revoked. However, I also read somewhere that if your app is not used for 60 days, then the refresh token expires. Is this true?
Also, who revokes the refresh token: is it the user or, in my case, Google itself after a certain period of time?

I've not heard of a refresh token expiring after 60 days inactivity. Do you have a link that claims so?
The token can be revoked by the user or by your application.

I think, as per my study of Google Drive file access using the refresh_token, the refresh token stays for around 6 months, and then we have to revoke it at that time when it gets expired. Google API's documents are nice and easy but somehow lack the way to use it. Just a thought; once stuck, I had to search many places and got little response to issues.

Related

Is this a bug or did YouTube remove access?

We have built an app that asks for access to the YouTube API. We are not authorized yet, but are using it with our own accounts. We have the following problem:
While some of our Gmail accounts grant us access, some others fail even though on their third party security settings, you can see that they have granted us access. It seems that they have removed us from their lists, even though they haven't and we know that since these are our accounts.
Has anyone seen something like that?
Is getting our app authorized going to solve this?
Is there any other solution that you could offer?
Thanks for taking the time
My error message:
status code: 400, response { data: { error: 'invalid_grant', error_description: 'Token has been expired or revoked.' } } }
Token has been expired or revoked.
This normally means that the refresh token you are using is no longer valid and you need to reauthenticate your user. The easiest way to test if I am right is to do just that: force a reauth on the user.
Causes for refresh token expiration:
Refresh tokens, while long lived, can expire for several reasons.
The user goes into their Google account and revokes your application's access.
The refresh token hasn't been used in a while; normally after 3-6 months Google will automatically expire it.
You have reached the maximum number of outstanding refresh tokens for a user; the oldest one will be expired.
It can also be related to the time on your system being out of sync with NTP (note: I haven't seen this error in years).
Let me try and explain number three a bit more. When a user authenticates your application you are given a refresh token. When the user authenticates your application again you are given another refresh token. Both tokens will work as expected. You can continue this until you have up to 50 outstanding refresh tokens; once you hit number 50, the first and oldest one will be expired. This is why it is important to always save new refresh tokens over the old one.
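The client-side handling the answer above describes, as an added example that is not part of the original thread or of any Google library: refresh lazily only when the access token is about to expire, overwrite the stored refresh token whenever a newer one arrives (re-consent, or a provider that rotates on refresh), and treat an `invalid_grant` reply as "this grant is dead, re-authorize the user" rather than retrying. `TokenStore`, `get_access_token` and the `FakeTokenEndpoint` stand-in for the provider's token endpoint are all constructed for this illustration; the error body is the one quoted in the question.

```python
import time
from dataclasses import dataclass


class ReauthRequired(Exception):
    """The stored refresh token is gone or rejected; send the user through consent again."""


@dataclass
class TokenRecord:
    access_token: str
    expires_at: float   # unix time at which the access token stops working
    refresh_token: str


class TokenStore:
    """In-memory stand-in for whatever durable store holds one record per user (constructed)."""
    def __init__(self):
        self._records = {}

    def save(self, user_id, record):
        # Always overwrite: a newer refresh token (from a re-consent or a rotating
        # provider) must replace the old one, otherwise the copy you keep is the
        # oldest outstanding token and the first to be pushed out by a per-user limit.
        self._records[user_id] = record

    def load(self, user_id):
        return self._records.get(user_id)

    def delete(self, user_id):
        self._records.pop(user_id, None)


def get_access_token(store, user_id, token_endpoint, now=None, skew=60):
    """Return a usable access token, refreshing only when it is (nearly) expired."""
    now = time.time() if now is None else now
    rec = store.load(user_id)
    if rec is None:
        raise ReauthRequired("no stored grant for this user")
    if now < rec.expires_at - skew:
        return rec.access_token           # still valid; no token-endpoint call needed
    resp = token_endpoint(rec.refresh_token)
    if "error" in resp:
        if resp["error"] == "invalid_grant":
            # Revoked, idle-expired, or pushed out by the per-user limit: the
            # grant is dead, so drop it and make the caller re-authorize the user.
            store.delete(user_id)
            raise ReauthRequired(resp.get("error_description", "invalid_grant"))
        raise RuntimeError(f"token endpoint error: {resp['error']}")   # transient; retry later
    rec = TokenRecord(
        access_token=resp["access_token"],
        expires_at=now + resp["expires_in"],
        # Keep the old refresh token unless the provider handed back a new one.
        refresh_token=resp.get("refresh_token", rec.refresh_token),
    )
    store.save(user_id, rec)
    return rec.access_token


class FakeTokenEndpoint:
    """Constructed stand-in for a provider's token endpoint (not a real API).
    It accepts one live refresh token, rotates it on each use, and answers
    anything else with the invalid_grant error quoted in the question."""
    def __init__(self, live_refresh_token):
        self.live = live_refresh_token
        self.calls = 0

    def __call__(self, refresh_token):
        if refresh_token != self.live:
            return {"error": "invalid_grant",
                    "error_description": "Token has been expired or revoked."}
        self.calls += 1
        self.live = f"rt-{self.calls + 1}"
        return {"access_token": f"at-{self.calls}", "expires_in": 3600,
                "token_type": "Bearer", "refresh_token": self.live}

    def revoke_all(self):
        """Simulate the user revoking the app from their account settings."""
        self.live = None


if __name__ == "__main__":
    store, endpoint = TokenStore(), FakeTokenEndpoint("rt-1")
    store.save("alice", TokenRecord("at-0", expires_at=0, refresh_token="rt-1"))
    print(get_access_token(store, "alice", endpoint, now=1000))   # refreshes, prints at-1
    endpoint.revoke_all()
    try:
        get_access_token(store, "alice", endpoint, now=1000 + 3600)
    except ReauthRequired as e:
        print("re-auth needed:", e)
```

The `skew` margin refreshes slightly before the recorded expiry so a request never goes out with a token that dies in flight; deleting the record on `invalid_grant` is what turns the opaque 400 in the question into a clean "log the user in again" path instead of an endless refresh loop.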

Lifetime of access and refresh tokens

The application is intended to be used by the company for management of intercompany documentation. These documents can contain valuable information, so it must be a secure application. I am using OAuth2 with access and refresh tokens. The access token is valid for 15 minutes and the refresh token is valid for 1 day.
I have not found any recommended lifetime for tokens.
Is 15 minutes for the AT and 1 day for the RT good? If yes, why are these values good enough, or why are they not good enough?
What is the optimal lifetime for the AT and RT for an application which must be really secure?
Thanks a lot!
Gmail vs. bank accounts.
I can't tell where your business falls. You should sit in a meeting with your product team, explain what happens and let them decide. It's ok if it takes some trial and error to get the right number.
But for Gmail the refresh token almost never expires. I can't think when was the last time I had to enter my credentials again.
For banks, the refresh token seems to be valid for only 10 minutes, and if you background the bank app then you won't be able to get a new refresh token and so you get signed out, like my Bank of America app. If I keep the app open then the app will continue to refresh the token.
And obviously the refresh token expiry time should be more than your average user's session time.

When should an OAuth authorization code expire?

I know that (when using the "Authorization code" grant in OAuth) the lifetime of an access token should be short but the lifetime of a refresh token can be long.
So I decided for my project:
access-token-lifetime: 1 day
refresh-token-lifetime: 30 days
But what is a typical lifetime of an authorization code?
Am I right that it should be really, really short?
Maybe like 1 hour or even only a few minutes?
I could not find any "best practice" for this.
All of this is standard but configurable in most identity / auth servers.
Authorization code
When the user consents to an application accessing their data, they are returned an authorization code. This code is only used once and is normally good for five minutes. Anything lower than that would probably cause you issues with clock skew, and there is really no reason IMO for it to be longer.
Access token
Access tokens are returned after the authorization code has been exchanged. Access tokens are most often only good for 60 minutes.
Refresh tokens
Refresh tokens are long lived tokens. The following are Google's standards.
Refresh tokens are good for six months, but this time is sliding.
If a refresh token has not been used for six months by an application then the access is revoked.
A user can also revoke the access at any time.
Depending upon the scope requested, some refresh tokens expire after the user has changed their password.
Again, the above are just Google standards. On the identity server I work on at work, I think the current setting is that a refresh token expires after one month of non-usage.
Just found an answer on another site:
The authorization code must expire shortly after it is issued. The OAuth 2.0 spec recommends a maximum lifetime of 10 minutes, but in practice, most services set the expiration much shorter, around 30-60 seconds.
Source: https://www.oauth.com/oauth2-servers/authorization/the-authorization-response/
It depends on the provider. For some providers, it works only once. Once you exchange the authorization code for access and refresh tokens, it will expire and you can't use it the second time.
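The authorization-server side of the lifetimes discussed in this thread, as an added example that is not code from the thread or from any provider: a short-lived, single-use authorization code with a small clock-skew allowance, a 60-minute access token, and a refresh token whose six-month lifetime is sliding (each use restarts the idle clock) and can be revoked. The lifetimes are the figures quoted in the answers above; `AuthServer`, `InvalidGrant` and the constants are constructed names, and the in-memory dicts stand in for a real token store. The replay handling goes slightly beyond the thread: when a code is presented a second time, everything issued from it is revoked, which is what RFC 6749 recommends for that case.

```python
import secrets

# Lifetimes in seconds, taken from the figures quoted in this thread. They are
# constructed defaults for the example, not any provider's published values.
CODE_LIFETIME = 5 * 60
ACCESS_LIFETIME = 60 * 60
REFRESH_IDLE_LIFETIME = 180 * 24 * 60 * 60   # six months of non-use
CLOCK_SKEW = 30                              # tolerance for client/server clock drift


class InvalidGrant(Exception):
    """Mirrors the OAuth 2.0 'invalid_grant' token-endpoint error."""


class AuthServer:
    def __init__(self):
        self._codes = {}    # code -> {client_id, user_id, issued_at, used, tokens}
        self._refresh = {}  # refresh token -> {client_id, user_id, last_used}
        self._access = {}   # access token -> {user_id, expires_at}

    def issue_code(self, client_id, user_id, now):
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "user_id": user_id,
                             "issued_at": now, "used": False, "tokens": []}
        return code

    def exchange_code(self, code, client_id, now):
        entry = self._codes.get(code)
        if entry is None or entry["client_id"] != client_id:
            raise InvalidGrant("unknown authorization code")
        if entry["used"]:
            # Replay: deny, and revoke everything issued from this code (RFC 6749 s4.1.2).
            for kind, tok in entry["tokens"]:
                (self._refresh if kind == "refresh" else self._access).pop(tok, None)
            raise InvalidGrant("authorization code already used")
        if now > entry["issued_at"] + CODE_LIFETIME + CLOCK_SKEW:
            raise InvalidGrant("authorization code expired")
        entry["used"] = True                     # single use from here on
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = {"client_id": client_id,
                                        "user_id": entry["user_id"], "last_used": now}
        access_token = self._new_access(entry["user_id"], now)
        entry["tokens"] = [("refresh", refresh_token), ("access", access_token)]
        return {"access_token": access_token, "expires_in": ACCESS_LIFETIME,
                "token_type": "Bearer", "refresh_token": refresh_token}

    def refresh(self, refresh_token, client_id, now):
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["client_id"] != client_id:
            raise InvalidGrant("Token has been expired or revoked.")
        if now > rec["last_used"] + REFRESH_IDLE_LIFETIME:
            del self._refresh[refresh_token]     # idle too long: expire it for good
            raise InvalidGrant("Token has been expired or revoked.")
        rec["last_used"] = now                   # sliding window: each use restarts the idle clock
        access_token = self._new_access(rec["user_id"], now)
        return {"access_token": access_token, "expires_in": ACCESS_LIFETIME,
                "token_type": "Bearer"}

    def revoke_refresh(self, refresh_token):
        """User- or application-initiated revocation."""
        self._refresh.pop(refresh_token, None)

    def validate_access(self, access_token, now):
        rec = self._access.get(access_token)
        return rec is not None and now <= rec["expires_at"]

    def _new_access(self, user_id, now):
        tok = secrets.token_urlsafe(32)
        self._access[tok] = {"user_id": user_id, "expires_at": now + ACCESS_LIFETIME}
        return tok


if __name__ == "__main__":
    s, t0 = AuthServer(), 1_700_000_000
    code = s.issue_code("my-app", "alice", now=t0)
    tokens = s.exchange_code(code, "my-app", now=t0 + 30)
    print("access valid:", s.validate_access(tokens["access_token"], now=t0 + 30))
    try:
        s.exchange_code(code, "my-app", now=t0 + 31)
    except InvalidGrant as e:
        print("second exchange rejected:", e)
```

The skew allowance is the reason the answer above warns against going below a few minutes: a code is judged against the server's clock at exchange time, so with a very short lifetime a slightly slow client clock turns every login into an `invalid_grant`. The idle check in `refresh` is what makes the six-month figure sliding rather than absolute.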

Instagram API access token refresh?

I'm not sure if this is just exclusive to Google APIs and this is not plausible, but in the OAuth Google developers playground, one can give in an access token and receive a refresh token which never expires. I for one have done this and implemented it in my code, but I was wondering, is there such a thing for an Instagram access token?
With the recent changes taking place in their API (2016 ->), I have not found any questions asking this, as before I believe the token did not expire.
Thank you and sorry if I seem to be missing something obvious.
From the doc:
Access tokens may expire at any time in the future.
Even though our access tokens do not specify an expiration time, your app should handle the case that either the user revokes access, or Instagram expires the token after some period of time.
So in short, today, tokens do not expire, but they could in the future, so your app must handle the case if one day they expire.

Yahoo OAuth implementation has no way to work offline

I need to download my Delicious bookmarks to a non-web application without constant user interaction. I'm using Delicious's V2 API (using OAuth), but the problem is it seems their access tokens expire after one hour.
I don't have any issues with redirecting the user to Yahoo for a one-time authorization, but what is described here (http://developer.yahoo.com/oauth/guide/oauth-refreshaccesstoken.html) means I would have to refresh my access tokens all the time before they expire when the user is away.
Is this really the way they've done their OAuth implementation?
You only need to refresh the access token when they come to use the application again, not while they're away. You can pass the previously expired token and get a new one in return.
Is that a problem? You should only need to make an additional server-side call to refresh the access token if it expires (as long as the authorization itself has not expired, which should last longer, and would need user interaction when it expired).