Menu
I have read the PODIO documentation. I have in particular contemplated the following statement concerning use of the refresh_token:
This request returns the same data as above, and you can continue to do this over and over again, to keep your application authenticated without having to ask the user to re-authenticate.
Does this mean that the refresh_token will be indefinitely valid or does it expire:
access_token EDIT: Please see this PODIO Thread which asks the same questions but does not seem to give any conclusive answers about the PODIO implementation of the Oauth2.0 protocol.
404
Once they expire, client applications can use a refresh token to "refresh" the access token. That is, a refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again.
Refresh Token Rotation issues a refresh token that expires after a preset lifetime. After expiration, the user gets a new refresh token in the same family, or refresh tokens that share a family ID, or a new access token/refresh token pair. To learn more, read Refresh Token Rotation.
The Google Auth server issued Refresh tokens never expire — that's the whole point of the refresh tokens. The refresh token will expire (or I should say become unauthorized) when the user revokes access to your application.
The member must reauthorize your application when refresh tokens expire. When you use a refresh token to generate a new access token, the lifespan or Time To Live (TTL) of the refresh token remains the same as specified in the initial OAuth flow (365 days), and the new access token has a new TTL of 60 days.
The answer of your question:
Does this mean that the refresh_token will be indefinitely valid or does it expire?
...can be concluded from the section 1.5 and section 10.4 of the OAuth 2.0 specification.
Section 1.5 Introduction of refresh_token states:
Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner)
section 10.4 Security Considerations for refresh_token states:
The authorization server MUST verify the binding between the refresh token and client identity whenever the client identity can be authenticated. When client authentication is not possible, the authorization server SHOULD deploy other means to detect refresh token abuse.
For example, the authorization server could employ refresh token rotation in which a new refresh token is issued with every access token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach.
It can be concluded that if the authorization_server is able to verify the binding between a refresh_token and the client to whom it was issued then refresh_token can be used to obtain multiple access_token and will never expire. else the authorization sever will invalidate the old refresh_token and generate new refresh_token with every access token refresh response.
146
Refresh token will eventually expire or become invalid and you should be ready for it.
Two scenarios:
User facing service (e.g.: authorization grant flow) - maybe ok to ignore the problem, because people are good in turning it off and on again, a.k.a refresh the page :-)
Server side long running service (e.g.: client credentials flow) - you should be ready for the situation when neither of access or refresh token works and re-initiate the authentication from scratch.
Refresh tokens may or may not have expiry time, depending on your provider they expire never, not as long as they're recently used, in months or in hours. Relying on the fact that you will receive new refresh token with refreshed access token may be tricky.
Timeout is not the only way in which token may become invalid. Consider following scenarios described in oauth0:
While refresh tokens are often long-lived, the authorization server can invalidate them. Some of the reasons a refresh token may no longer be valid include:
- the authorization server has revoked the refresh token
- the user has revoked their consent for authorization
- the refresh token has expired
- the authentication policy for the resource has changed (e.g., originally the resource only used usernames and passwords, but now it requires MFA)
To add to that the tokens (access, refresh) can be stored in non-persistent storage in authentication provider service so if the service is restarted (crash, update) your tokens may be gone.
If you are writing long-running service which needs to be reliable don't rely on being able to refresh granted authentication forever through refresh tokens.
29
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
