
OAuth v2 (Google API) expiry Access Token

I am building an integration component using a graphical framework that has a pre-built OAuth2 connector. This framework requires the following fields for OAuth v2:

  • Grant type
  • Scope
  • Auth Server URL
  • Client Id
  • Client Secret
  • Access Token
  • Refresh token

I need to get data from the Google Analytics API, so I went to the Google Dev Console (https://console.developers.google.com/project/927890000889/apiui/credential). I generated a 'Client ID for web application'. From the parameters of this object I was able to fill in some of the parameters above:

  • Grant type : 'authorisation_code'
  • Client Id : 'RANDOMCHARSam5o37nsiu730d.apps.googleusercontent.com'
  • Client Secret : 'RANDOMCHARSiSwBA5OH5qYLUa'

Then, using the Google OAuth Playground (https://developers.google.com/oauthplayground), I was able to fill in the missing bits:

  • Scope : 'https://www.googleapis.com/oauth/analytics'
  • Auth Server URL : 'https://accounts.google.com/o/oauth2/auth'
  • Access Token : 'RANDOMCHARSQAQv4HRF5-JsQEzUS61lj2YremyCocv0PQ4-agpzJe'
  • Refresh token : 'RANDOMCHARSLPJnL4FPaDc2KP6V8kCzjjHO2Kj4Np_3X0'

Everything works fine: I am authorised to access and I get data from Google Analytics, but only for a while. After a few minutes, if I retry, I receive an authorisation failure error. I believe that the problem is related to the expiration of the Access Token, but I don't know how to solve that. It is worth mentioning that this activity is a batch job (no human interaction), so nobody can request a new access token. The integration framework is not extensible (I cannot write code to renew the code), so I believe there's a way to get an access token that never expires, or some other mechanism to achieve the same result.

Bottom line, I am not sure if I approached the requirement correctly since the beginning (Client ID for web application).

Any help is much appreciated, Giovanni

gxvigo asked Sep 25 '14 22:09



2 Answers

Access tokens typically expire after 60 minutes. If you have a refresh token you can use the refresh token to get a new (valid) access token.

This doc explains how to do that:
https://developers.google.com/accounts/docs/OAuth2WebServer#refresh

To answer your overarching question, yes, you are approaching everything correctly. All you need to do is handle the case where the access token has expired by refreshing it. Also, when you originally requested the access token the response should tell you how long it's valid for, so you should only refresh that token if it's expired.

Philip Walton answered Oct 08 '22 09:10
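The refresh flow described in the answer above, as an added example that is not part of the original post or of Google's code. It assumes Google's token endpoint `https://oauth2.googleapis.com/token` (not given on the page), hypothetical names `AccessTokenCache` and `RefreshTokenRevoked`, and a 60-second safety margin; the `invalid_grant` branch covers a refresh token that has stopped working, which an unattended job should report rather than retry.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # assumption: not on the page


class RefreshTokenRevoked(Exception):
    """Refresh token rejected; a human must re-authorise the client."""


def http_post_form(url, fields):
    """Default transport: POST form fields, return (status, JSON body)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


class AccessTokenCache:
    """Hands out an access token, refreshing it shortly before expiry."""

    def __init__(self, client_id, client_secret, refresh_token,
                 post=http_post_form, clock=time.time, margin=60):
        self._creds = {"client_id": client_id, "client_secret": client_secret,
                       "refresh_token": refresh_token,
                       "grant_type": "refresh_token"}
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._expires_at = None, 0.0

    def get(self):
        # Reuse the cached token while it is still valid (minus the margin).
        if self._token and self._clock() < self._expires_at - self._margin:
            return self._token
        status, body = self._post(TOKEN_URL, self._creds)
        if body.get("error") == "invalid_grant":
            raise RefreshTokenRevoked(body.get("error_description", ""))
        if status != 200 or "access_token" not in body:
            # Report only status and error code, never the client secret.
            raise RuntimeError(f"refresh failed: HTTP {status} {body.get('error')}")
        self._token = body["access_token"]
        self._expires_at = self._clock() + int(body.get("expires_in", 0))
        return self._token
```
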


You can use refresh tokens to make it usable for longer. Refresh tokens issued by the Google Auth server never expire. A token might stop working for one of these reasons:

  • The user has revoked access.
  • The token has not been used for six months.
  • The user changed passwords and the token contains Gmail scopes.
  • The user account has exceeded a certain number of token requests.

There is currently a limit of 50 refresh tokens per user account per client. If the limit is reached, creating a new token automatically invalidates the oldest token without warning. This limit does not apply to service accounts.

from: https://developers.google.com/identity/protocols/OAuth2

Haryono answered Oct 08 '22 07:10