EGibbs87

Reputation: 70

Google API OAuth2 refresh tokens abruptly revoked

I've been using the Google API to update one of my Chrome plugins on a weekly basis. This has now happened 3 or 4 times: the refresh token I acquire will work properly for up to two weeks (only being used once per week), then in the third week it returns an error saying that my token has been expired or revoked.

Given that I'm the only user with access to these tokens, I know that there isn't any spamming, and I know that nobody would be authorized to revoke the tokens on my end.

Please advise. Thanks!

Upvotes: 2

Views: 1457

Answers (2)

smeuser

Reputation: 76

I have recently worked with Google Ads API and Shopping Content API and experienced detailed behaviour of API authentication mechanics.

What I can tell for sure regarding authentication is the following:

  • An Access-Token always has a lifetime of 60 min. and then expires
  • A Refresh-Token makes it easier to obtain a new Access-Token, since no additional verification is needed
  • The lifetime of a Refresh-Token varies
    • it can be 6 months or more (when the related application publishing status is released)
    • or just 1 week (when the related application publishing status is testing)

You can find detailed information regarding token expiration in the Google API documentation: https://developers.google.com/identity/protocols/oauth2#expiration

Also, see the information regarding the publishing status of your API application: "Token has expired or revoked - Google Ads"

Upvotes: 1

Linda Lawton - DaImTo

Reputation: 116958

There are several reasons why an access token can expire.

  1. The user revoked your access.
  2. Depending upon which scope you are using, if the user changes their password it can revoke all outstanding refresh tokens (mostly Gmail, I think).
  3. If your application is still in the testing phase, refresh tokens only last for two weeks; you will need to move your application to production and go through the verification process. (This appears to have been a stealth change; I can find no information on it.)
  4. You can have a max of 50 outstanding refresh tokens for a user's account; if the user is logging in multiple times and you get a new refresh token each time, make sure you are always using the newest.

Your application should always be set to request access of the user again in the event that the refresh token has expired.

Upvotes: 1
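
Both answers lead to the same client-side requirement: an expired or revoked refresh token has to send the user back through consent rather than being retried. The following is an added example, not code from either answer, of handling the OAuth2 `invalid_grant` error at Google's token endpoint; `store` is a hypothetical dict-like credential store and `post` is an injectable transport so the logic can be exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth2 token endpoint


class ReauthRequired(Exception):
    """The refresh token is expired or revoked; the user must consent again."""


def http_post(url, form):
    """Default transport: POST a form, return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 4xx still carries a JSON error body
        return err.code, json.load(err)


def refresh_access_token(store, client_id, client_secret, post=http_post):
    """Trade the stored refresh token for a short-lived access token.

    `store` is a hypothetical dict-like credential store holding a
    "refresh_token" key (an assumption of this example).
    """
    status, body = post(TOKEN_URL, {
        "grant_type": "refresh_token",
        "refresh_token": store["refresh_token"],
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if status == 200:
        # If the server hands back a new refresh token, always keep the newest.
        store["refresh_token"] = body.get("refresh_token", store["refresh_token"])
        return body["access_token"]
    if body.get("error") == "invalid_grant":
        # Expired or revoked: retrying cannot help, so drop the dead token
        # and make the caller run the consent flow again.
        store.pop("refresh_token", None)
        raise ReauthRequired(body.get("error_description", "invalid_grant"))
    # Anything else (bad client, outage) is not a reason to re-prompt the user.
    raise RuntimeError(f"token endpoint returned {status}: {body.get('error')}")
```

Catch `ReauthRequired` in the weekly job and alert or re-run the authorization flow there, so a dead token surfaces as an actionable event instead of a silent failed update.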
