I am building an integration component using a graphical framework which has a pre-built OAuth2 connector. This framework requires the following fields for OAuth v2:
I need to get data from the Google Analytics API, so I went to the Google Dev Console (https://console.developers.google.com/project/927890000889/apiui/credential). I generated a 'Client ID for web application'. From the parameters of this object I was able to fill in some of the parameters above.
Then, using the Google OAuth Playground (https://developers.google.com/oauthplayground), I was able to fill in the missing bits.
Everything works fine: I am authorised to access and I get data from Google Analytics, but just for a while. After a few minutes, if I retry, I receive an authorisation failure error. I believe that the problem is related to the expiration of the access token, but I don't know how to solve that. It is worth mentioning that this activity is batch (no human interaction), so nobody can request a new access token. The integration framework is not extensible (I cannot write code to renew the code), so I believe there's a way to get an access token that never expires, or some other mechanism to achieve the same result.
Bottom line, I am not sure if I approached the requirement correctly since the beginning (Client ID for web application).
Any help is much appreciated, Giovanni
A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days. There is currently a limit of 100 refresh tokens per Google Account per OAuth 2.0 client ID.
The access token is set with a reasonably lower expiration time of 30 mins. The refresh token is set with a very long expiration time of 200 days. If the traffic to this API is 10 requests/second, then it can generate as many as 864,000 tokens in a day.
By default, access tokens are valid for 60 days and programmatic refresh tokens are valid for a year.
Access tokens typically expire after 60 minutes. If you have a refresh token you can use the refresh token to get a new (valid) access token.
This doc explains how to do that:
https://developers.google.com/accounts/docs/OAuth2WebServer#refresh
To answer your overarching question, yes, you are approaching everything correctly. All you need to do is handle the case where the access token has expired by refreshing it. Also, when you originally requested the access token the response should tell you how long it's valid for, so you should only refresh that token if it's expired.
You can use refresh tokens to make it usable for longer. Refresh tokens issued by the Google Auth server never expire. A token might stop working for one of these reasons: The user has revoked access. The token has not been used for six months. The user changed passwords and the token contains Gmail scopes. The user account has exceeded a certain number of token requests. There is currently a limit of 50 refresh tokens per user account per client. If the limit is reached, creating a new token automatically invalidates the oldest token without warning. This limit does not apply to service accounts.
from: https://developers.google.com/identity/protocols/OAuth2
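An added example, not part of either answer and not Google's or the framework's code, of the refresh flow the answers describe: reuse the access token until the `expires_in` lifetime from the token response is nearly over, then exchange the refresh token for a new one, and treat `invalid_grant` as a refresh token that has stopped working. The names `AccessTokenCache`, `RefreshTokenRejected` and `http_post_form`, the injectable `post` and `clock` parameters and the 60-second `skew` margin are assumptions made for illustration; client ID, client secret and refresh token are supplied by the caller.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint


class RefreshTokenRejected(Exception):
    """The refresh token no longer works; a human must re-authorise the client."""


def http_post_form(url, fields):
    """Default transport (hypothetical helper): POST form fields, return (status, JSON body)."""
    data = urllib.parse.urlencode(fields).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as e:  # error responses still carry a JSON body
        return e.code, json.load(e)


class AccessTokenCache:
    def __init__(self, client_id, client_secret, refresh_token,
                 post=http_post_form, clock=time.time, skew=60):
        self._fields = {"grant_type": "refresh_token", "client_id": client_id,
                        "client_secret": client_secret, "refresh_token": refresh_token}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        """Return a valid access token, refreshing only when it is (nearly) expired."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            status, body = self._post(TOKEN_URL, self._fields)
            if status != 200:
                # invalid_grant: revoked, unused too long, or pushed out by the token limit
                if body.get("error") == "invalid_grant":
                    raise RefreshTokenRejected(body.get("error_description", ""))
                raise RuntimeError(f"token endpoint returned {status}: {body.get('error')}")
            self._token = body["access_token"]
            # expires_in is the access token lifetime in seconds, as reported by the server
            self._expires_at = self._clock() + int(body["expires_in"])
        return self._token
```

A batch job would call `get()` before each API request and alert an operator on `RefreshTokenRejected`, since that condition cannot be repaired without a new consent.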