I am trying to use Gmail SMTP using OAuth 2.0. I have used aspose.dll for requesting an access token using the authorization URL. I do not get a refresh token when I get the response, so there is no way to request a new access token if the previous one has expired. So I thought of getting an access token every time my app requires one. And if the authorization code expires, then I cannot follow this approach.
Does the authorization code for Gmail OAuth2 ever expire?
A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days. There is currently a limit of 100 refresh tokens per Google Account per OAuth 2.0 client ID.
By default, access tokens are valid for 60 days and programmatic refresh tokens are valid for a year. The member must reauthorize your application when refresh tokens expire.
The OAuth 2.0 standard, RFC 6749, defines the expires_in field as the number of seconds to expiration: expires_in: RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
When a token has expired or has been revoked, it can no longer be used to authenticate Git and API requests. It is not possible to restore an expired or revoked token, you or the application will need to create a new token. This article explains the possible reasons your GitHub token might be revoked or expire.
Google's OAuth 2.0 does provide Refresh Tokens!!! This link here explains the various flows and talks about apps obtaining both access and an optional refresh token for all scenarios.
Authorization code DOES expire! That's what OAuth protocol dictates. I cannot find an exact time period to quote here for Google, but I do know that for Facebook, the authorization code expires in 10 minutes (see the December 5 change in the link).
The Refresh Token has been made available for use cases like yours. If the authorization code were to persist, what difference would remain between a Refresh token and Authorization code?
I'd suggest you look up the documentation of the Aspose libraries you are using.
PS - Authorization code/access tokens/refresh tokens are all issued by a central Google Authorization server! So, we're talking about Google's Authorization code which, as I said, does expire.
Good luck!
EDIT - Adding more info for you
The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI.
Source - https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-31
Section - 4.1.2
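The rules quoted from section 4.1.2 above, seen from the authorization server's side, as an added example (not part of the original answer and not Google's implementation). The class name, method names and in-memory storage are assumptions made for illustration.

```python
import secrets
import time

CODE_TTL_SECONDS = 600  # section 4.1.2: a 10 minute maximum lifetime is RECOMMENDED


class AuthCodeStore:
    """Hypothetical in-memory authorization-code store (illustration only)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised in tests
        self._codes = {}             # code -> record
        self.revoked_tokens = set()  # tokens revoked after a code was replayed

    def issue(self, client_id, redirect_uri):
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "tokens": None,  # filled in once the code has been redeemed
        }
        return code

    def redeem(self, code, client_id, redirect_uri):
        """Return (access_token, refresh_token) or raise ValueError('invalid_grant')."""
        rec = self._codes.get(code)
        if rec is None:
            raise ValueError("invalid_grant")
        if rec["tokens"] is not None:
            # Second use: deny the request and revoke what the first use issued.
            self.revoked_tokens.update(rec["tokens"])
            raise ValueError("invalid_grant")
        # The code is bound to the client identifier and redirection URI.
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if self._clock() >= rec["expires_at"]:
            del self._codes[code]  # expired codes can never be redeemed
            raise ValueError("invalid_grant")
        rec["tokens"] = (secrets.token_urlsafe(32), secrets.token_urlsafe(32))
        return rec["tokens"]
```

A client therefore has to exchange the code once, promptly, and keep the refresh token it receives; the code itself cannot be stored for later reuse.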