The ‘flow’ for OAuth2 involves getting the user to say ‘yes this is OK’. The token that comes back is temporary.
But I’m trying to create an unattended service. Will the refresh token always work? I get the feeling that it too is going to expire.
This depends on who is implementing OAuth2. In the description of the refresh token, the expiry is not discussed as part of the specification. The spec later goes on to state somewhat ambiguously that an error value of `invalid_grant` can be returned if:

This would seem to imply that it is possible for a refresh token to expire.
The document also mentions that it is possible to exchange "credentials with a long-lived access token or refresh token", thus grouping them into the same expiry class.
The latest version of the spec can be found at: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2
As for the Google-specific implementation:
The refresh token will be valid for all time, with the only exception coming when the user revokes that permission.
For Google OAuth2, a user can revoke permission either through a web GUI or using an OAuth revoke endpoint.
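How an unattended service should drive the refresh grant, as an added example written for this answer rather than code from the original post: it sends the `grant_type=refresh_token` request described in the spec, keeps a rotated refresh token when the server returns one, and treats `invalid_grant` as the signal that the token has expired or the user has revoked access, so a human must re-run the consent flow. The token URL, client credentials and the stand-in `fake_token_endpoint` are constructed for the demonstration.

```python
import json
import time
from dataclasses import dataclass

# Hypothetical token endpoint of the authorization server (constructed for this example).
TOKEN_URL = "https://oauth.example.com/token"

@dataclass
class TokenState:
    access_token: str
    expires_at: float     # unix time; refresh shortly before this
    refresh_token: str    # may be rotated by the server

class ReauthorizationRequired(Exception):
    """Refresh token expired or revoked: the daemon cannot recover on its own."""

def refresh_access_token(state, client_id, client_secret, post, now=time.time):
    """Exchange a refresh token for a new access token (RFC 6749 section 6).
    `post(url, form)` is an injected HTTP helper returning (status, body_bytes)."""
    form = {
        "grant_type": "refresh_token",
        "refresh_token": state.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    status, body = post(TOKEN_URL, form)
    payload = json.loads(body)
    if status != 200:
        err = payload.get("error", "unknown_error")
        if err == "invalid_grant":
            # The spec reserves this for an expired or revoked refresh token;
            # surface it so an operator can re-run the consent flow.
            raise ReauthorizationRequired(payload.get("error_description", err))
        raise RuntimeError(f"token endpoint error: {err}")
    # Keep the old refresh token unless the server rotated it.
    return TokenState(
        access_token=payload["access_token"],
        expires_at=now() + int(payload.get("expires_in", 3600)),
        refresh_token=payload.get("refresh_token", state.refresh_token),
    )

def fake_token_endpoint(url, form):
    """Constructed stand-in for the token endpoint: one live, one revoked refresh token."""
    if form["refresh_token"] == "rt-live":
        return 200, json.dumps({"access_token": "at-2", "token_type": "Bearer",
                                "expires_in": 3600, "refresh_token": "rt-rotated"}).encode()
    return 400, json.dumps({"error": "invalid_grant",
                            "error_description": "Token has been expired or revoked."}).encode()
```

A real deployment replaces `fake_token_endpoint` with an HTTPS client and stores the returned `refresh_token` persistently, since a rotated token invalidates the old one.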