How long can I store and use an OAuth v1, v2 token? - oauth

I'm building software which constantly pulls data from a spreadsheet the user has provided access to.
I still live in the era when an API key was enough to pull for as long as I wanted.
I'm a bit confused about what long-lived tokens are. Are they endless?
Can I think of an access token as an oldie-but-goodie API key?
Do I need to "harass" the user every 60 days to provide me with a fresh OAuth authorisation?

For OAuth 1.0, the access token lives forever. As long as your user does not revoke it, you can use it continuously.
However, for OAuth 2.0, the access token does expire. Once the access token has expired, you will need to refresh it with the refresh token.
Here is more detail: https://developers.google.com/accounts/docs/OAuth2WebServer

Related

Is there any way to get a Google Docs OAuth 2.0 access token which will exist longer than 3600 sec?

The usual solution is to use https://developers.google.com/oauthplayground, but it doesn't give a long-lived token. I also tried this approach, but had an "invalid_grant" response.

Using OAuth 2.0 to Access Google APIs provides the basic steps on how to obtain tokens. In the 4th basic step it is stated:
4. Refresh the access token, if necessary.
Access tokens have limited lifetimes. If your application needs access
to a Google API beyond the lifetime of a single access token, it can
obtain a refresh token. A refresh token allows your application to
obtain new access tokens.
And a note that discusses how limits are applied to these tokens:
Note: Save refresh tokens in secure long-term storage and continue to use them as long as they remain valid. Limits apply to the number
of refresh tokens that are issued per client-user combination, and per
user across all clients, and these limits are different. If your
application requests enough refresh tokens to go over one of the
limits, older refresh tokens stop working.

GoogleAPI oauth2 refresh token expires in 1 hour

I am using Google APIs in my application and the oauth2 refresh token expires after 1 hour. I am using this refresh token to execute a task which runs daily. I create the refresh token using the OAuth2 playground. Is there a way to extend the expiration time of a refresh token? (1 month)

I think that you have your terms confused here.
As per OAuth2, access tokens expire after one hour. Access tokens are used to request access to an API and return the data that you need. There is no way to extend the lifetime of an access token beyond one hour. You need to use a refresh token to request a new access token.
Refresh tokens are extremely long lived and do not normally expire. Refresh tokens are used to request a new access token. Refresh tokens for the most part do not expire; if one is not used in six months, though, Google will automatically expire it. Also, if the user removes your access, then the refresh token will also automatically expire.
If you are creating your refresh token using the OAuth2 playground, which is intended only for testing purposes, it will also expire.
If you are using the OAuth2 playground to create your refresh token, then you should not be doing this; you should be creating your own application to request the tokens.

As already explained, the refresh tokens created using the OAuth 2.0 Playground are automatically revoked after a few hours because the playground is mainly for testing purposes. However, you can configure the OAuth playground to use your own app credentials (use the 'wheely' icon top right). If you use your own app credentials the refresh token will not be revoked.
That said, it looks like you want to run a background service that accesses Google APIs. For this you may want to use a Service Account if you are not accessing a specific user's data.

Refreshed Token could be revoked 50 times per account

I tried to add a YouTube video from a third party, and after one day I succeeded in doing so. But while uploading a video the access token is required, and in order to get that access token the user must be logged in. And the expiration time for that access token is 3600 seconds (1 hr).
Now, I have some questions regarding this.
1. Is there any way by which I can refresh the access token?
2. If someone has a G Suite account, are there any special values for the expiration time, or does it remain the same?
3. As per the documentation, I can have a maximum of 50 tokens, so is there any alternative, so that I can get a valid token after 50 requests?

To answer your question for number 1, you can check the documentation here.
Access tokens periodically expire. You can refresh an access token
without prompting the user for permission (including when the user is
not present) if you requested offline access to the scopes associated
with the token.
If you use a Google API Client Library, the client object refreshes the access token as needed as long as you configure that
object for offline access.
If you are not using a client library, you need to set the access_type HTTP query parameter to offline when redirecting the
user to Google's OAuth 2.0 server. In that case, Google's
authorization server returns a refresh token when you exchange an
authorization code for an access token. Then, if the access token
expires (or at any other time), you can use a refresh token to obtain
a new access token.
Requesting offline access is a requirement for any application that
needs to access a Google API when the user is not present. For
example, an app that performs backup services or executes actions at
predetermined times needs to be able to refresh its access token when
the user is not present. The default style of access is called online.
About the G Suite account, it was stated 24 Hours in the documentation. Note:
In this SO post answer, the function of Access Token and Refresh Token was discussed.
I am not sure if there are ways to alter the limits because of security reasons.
To clearly differentiate these two tokens and avoid getting mixed up,
here are their functions given in The OAuth 2.0 Authorization
Framework:
Access Tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The
client uses the access token to access the protected resources hosted
by the resource server.
Refresh Tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server
and are used to obtain a new access token when the current access
token becomes invalid or expires, or to obtain additional access
tokens with identical or narrower scope.

Rails Koala Facebook & Twitter API

I have created a tool that allows me to do automatic social media marketing by posting to Twitter via API. I would now like to do that same thing and share the extended message/tweet to my personal FB profile as well as the FB page. I have figured out a way to post to FB using Koala, the only thing is that the token constantly expires. Is there a way where I can continuously be connected like I am with the Twitter API?
Any thoughts, ideas, or suggestions are appreciated.

Facebook has long-lived access tokens:
User access tokens come in two forms: short-lived tokens and
long-lived tokens. Short-lived tokens usually have a lifetime of about
an hour or two, while long-lived tokens usually have a lifetime of
about 60 days.
As you can see, even a user's long-lived token will expire eventually. So it's up to you whether or not to build a small tool to notify you when a token is about to expire. But in all cases, this can be done with cURL pretty easily (I have no ruby-on-rails experience): https://developers.facebook.com/docs/facebook-login/access-tokens#extending
Start with a short-lived token generated on a client and ship it back to your server.
Use the user token, your app ID and app secret to make the following call from your server to Facebook's servers:
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
PLEASE NOTE: page access tokens generated from a long-lived user access token will NOT expire, see: https://developers.facebook.com/docs/facebook-login/access-tokens#extendingpagetokens
To get a longer-lived page access token, exchange the User access
token for a long-lived one, as above, and then request the Page token.
The resulting page access token will not have any expiry time.

What is the Youtube OAuth 2.0 user token validity period?

I read the documentation on the YouTube developers website; it does not talk about any validity.
Does the OAuth 2.0 standard define any validity period, or is the authorization token valid till the user revokes it manually?
The OAuth spec defines that the token should expire shortly after it's granted, so will it expire after I get the access and refresh tokens?
And can I use this access token for all future API requests, or do I need to get a new token periodically?

I'm assuming you are talking about the authorization code; you're mixing the terms a bit here.
From the OAuth 2.0 draft:
The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
After using it once for getting the access token, you can not use it again. You also don't need to retrieve an authorization code periodically. You do this only when you have no access token for a user, but want to request his data.
Your access token expires after some time. You know when by either looking at the expires_in value that got sent with it, or by doing a request to the API and getting an access token expired error back. Then you can use the refresh token to get a new access token without the user being involved.

Very useful step-by-step guide about how to get access and fresh tokens and save them for future use using YouTube OAuth API v3.
PHP server-side YouTube V3 OAuth API video upload guide.
The good thing is, you do not need to worry about the expiry of the tokens, as the script in this guide checks, saves, and updates the token in a txt file for future access.
{"access_token":"XXXXXXXXX","token_type":"Bearer", "expires_in":3600, "refresh_token":"XXXXXXX", "created":000000}
We use it at http://presentationtube.com and it works fine with thousands of users.
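
The refresh cycle the answers above describe, as an added example (not code from any of the posts or from the linked guide): it reads the `created` and `expires_in` fields of a token record like the one shown above, refreshes against Google's token endpoint, keeps the stored refresh token, and treats `invalid_grant` as "the user must authorise again". The `post` transport, the `SKEW` margin and the file name are assumptions.

```python
import json, os, time
from urllib.parse import urlencode

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint
SKEW = 60  # assumption: refresh 60 s before the stated expiry

class ReauthRequired(Exception):
    """The refresh token was revoked or expired; the user must authorise again."""

def is_expired(token, now=None):
    """True once created + expires_in (minus SKEW) has passed."""
    now = time.time() if now is None else now
    return now >= token["created"] + token["expires_in"] - SKEW

def refresh(token, client_id, client_secret, post, now=None):
    """Trade the stored refresh token for a new access token.
    post(url, body) is a hypothetical transport returning (status, json_text)."""
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": token["refresh_token"],
                      "client_id": client_id,
                      "client_secret": client_secret})
    status, text = post(TOKEN_URL, body)
    reply = json.loads(text)
    if status != 200:
        if reply.get("error") == "invalid_grant":  # revoked, unused too long, or over the limit
            raise ReauthRequired(reply.get("error_description", "invalid_grant"))
        raise RuntimeError("token endpoint error: %s" % reply.get("error"))
    merged = {**token, **reply}  # reply usually has no refresh_token: keep the stored one
    merged["created"] = int(time.time() if now is None else now)
    return merged

def save(token, path):
    """Write the token file atomically, readable by its owner only (0600)."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(token, fh)
    os.replace(tmp, path)

def get_access_token(token, path, client_id, client_secret, post, now=None):
    """Return a token record that is valid now, refreshing and saving if needed."""
    if is_expired(token, now):
        token = refresh(token, client_id, client_secret, post, now)
        save(token, path)
    return token

if __name__ == "__main__":
    # Constructed sample: a stored record and a stub transport standing in for Google.
    stored = {"access_token": "old", "expires_in": 3600, "refresh_token": "r1", "created": 0}
    stub = lambda url, body: (200, '{"access_token": "new", "expires_in": 3599}')
    print(get_access_token(stored, "token.demo.json", "id", "secret", stub)["access_token"])
```

A scheduled job should catch `ReauthRequired` and alert the operator rather than retry, since no number of retries brings a revoked refresh token back.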
