Reputation: 556
Oauth2: best practice to keep access_token fresh?
I'm creating an app that integrates with several 3rd-party Oauth2 providers (think Zapier). The user adds a connection through Oauth2 which gives me a refresh token and access token and which I'm storing in a database.
What is the best practice to keep the access token fresh? Should I be running an async job (e.g. cron) that refreshes the access token every 30 minutes for every connection? If the user doesn't use my app for several days I'd like to still be able to access his 3rd-party data without having him to go through the Oauth2 consent.
Upvotes: 6
Views: 5676
Answers (2)
Reputation: 1143
The Oauth website has a pretty informative answer
The “expires_in” value is the number of seconds that the access token will be valid. It’s up to the service you’re using to decide how long access tokens will be valid, and may depend on the application or the organization’s own policies. You could use this timestamp to preemptively refresh your access tokens instead of waiting for a request with an expired token to fail. Some people like to get a new access token shortly before the current one will expire in order to save an HTTP request of an API call failing. While that is a perfectly fine optimization, it doesn’t stop you from still needing to handle the case where an API call fails if an access token expires before the expected time. Access tokens can expire for many reasons, such as the user revoking an app, or if the authorization server expires all tokens when a user changes their password.
If you make an API request and the token has expired already, you’ll get back a response indicating as such. You can check for this specific error message, and then refresh the token and try the request again.
TLDR: I would only refresh the token when a request fails
Upvotes: 1
Reputation: 13059
What is the best practice to keep the access token fresh? Should I be running an async job (e.g. cron) that refreshes the access token every 30 minutes for every connection?
Not necessarily. Wait till your API call fails. Check for a proper response such as "401 Unauthorized" which hints your access token is invalidated/expired. Once this happens use refresh token to renew the access token. If refresh token fails, then you have to fall back again and ask user to login again.
A refresh token can have a varying life time. It can be from few days to few months. For example check Google's explanation mentioning long lived refresh tokens and possible expiry of them. Also check how Azure AD mention about configurations related to token lifetimes.
So user not using app for few days (ex:- leave it and return after weekend) can be handled through proper validity configurations of tokens lifetimes. But be mindful about threats that could occur from long-lived, unmanaged tokens (ex:- due to token stealing).
Upvotes: 6
Related Questions
- Should access tokens be refreshed automatically or manually?
- Lifetime of access and refresh tokens
- Should I reuse OAuth 2.0 access tokens?
- Should we wait till the access token expire before we get refresh token?
- OAuth2: Update refresh token along with the access token or not?
- Proper paradigm for refreshing OAuth2 access token
- any best practices for storing and accessing oAuth access_token?
- Best practices for handling access tokens and scopes for OAuth2 implementation?
- How to persist OAuth 2 refresh tokens
- Guidance on retaining OAuth access tokens