In their "OAuth 2.0 Playground" tool, Google states the following:
Note: The OAuth Playground will automatically revoke refresh tokens after 24h. You can avoid this by specifying your own application OAuth credentials using the Configuration panel.
It's not clear what my "application OAuth credentials" are and where the Configuration panel is.
Where do I find these?
Refresh tokens issued by the Google Auth server never expire — that's the whole point of refresh tokens. The refresh token will expire (or, I should say, become unauthorized) when the user revokes access to your application.
There's no easy way of keeping a refresh token secure in the frontend layer on its own. Using the Authorization Code Flow with Proof Key for Code Exchange (PKCE) mitigates many risks inherent to the Implicit Flow.
The access token is set with a reasonably lower expiration time of 30 mins. The refresh token is set with a very long expiration time of 200 days. If the traffic to this API is 10 requests/second, then it can generate as many as 864,000 tokens in a day.
Revoke both the access token and the refresh token. To do this, set the <Token> type to accesstoken. The value of cascade can be either true (the default) or false. If you set it to true, then both the access token and the refresh token are revoked.
So, in order to do this: when you are enabling the API access and getting your client ID and client secret, you'll see an area to put in an Authorized redirect URL; put in https://developers.google.com/oauthplayground there. Then, in the OAuth Playground, the configuration panel is the cog in the upper right. Select that, select Use your own OAuth credentials, then fill out your client ID and client secret. That should prevent the refresh token from being revoked.