Jeff

Reputation: 1879

Google OAuth 2.0: refresh_token expiry, how many days?

I posted the following nearly 3 years ago: Google OAuth 2.0: Refresh access_token and New refresh_token

I need an update.

  1. Do Google refresh_tokens expire? If they do, then how many days are their expiry?
  2. If Google refresh_tokens do expire, then do they expire differently per Google service?
  3. Some implementations of OAuth 2.0 authentication allow requests for refresh_token expiry as access_token expiry is provided by new access_token. Does Google OAuth 2.0 provide the same?

Thank you

Upvotes: 1

Views: 1161

Answers (2)

Jeff

Reputation: 1879

Google WebApp

Publishing status is Testing, Google unverified: refresh_token expiry is 7 days and limited to 100 access_token refreshes.

Publishing status is Production, Google verified: refresh_token expiry is 180 days and unlimited access_token refreshes.

Upvotes: 0

Linda Lawton - DaImTo

Reputation: 116868

Do Google refresh_tokens expire? If they do, then how many days are their expiry?

You should check Refresh token

app set to production.

If your app is set to production, then the following will cause a refresh token to expire:

  1. The user has revoked your app's access.
  2. The refresh token has not been used for six months.
  3. The user changed passwords and the refresh token contains Gmail scopes.
  4. The user account has exceeded a maximum number of granted (live) refresh tokens.
  5. The user belongs to a Google Cloud Platform organization that has session control policies in effect.

Note for nr 4:

There is currently a limit of 100 refresh tokens per Google Account per OAuth 2.0 client ID. If the limit is reached, creating a new refresh token automatically invalidates the oldest refresh token without warning.

app set to test.

If your app is in the testing phase, then the following is true.

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.


  2. If Google refresh_tokens do expire, then do they expire differently per Google service?

Not sure what you mean by different service; this should be across the board.


  3. Some implementations of OAuth 2.0 authentication allow requests for refresh_token expiry as access_token expiry is provided by new access_token. Does Google OAuth 2.0 provide the same?

Not sure what you mean here. If your refresh token has expired, you will need to request authorization from the user again. There is no other way to get a new refresh token.

Upvotes: 2
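
Added example, not part of either answer: since the token response carries no refresh_token expiry, a client can track issuance and last use itself and treat an `invalid_grant` reply as the signal to restart the consent flow. The function names, the `publishing_status` strings and the 180-day stand-in for "six months" are assumptions; the sample reply is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Lifetimes taken from the answers above. "Six months" is approximated
# as 180 days here (assumption).
TESTING_LIFETIME = timedelta(days=7)
PRODUCTION_IDLE_LIMIT = timedelta(days=180)


def predicted_expiry(publishing_status, issued_at, last_used_at):
    """Latest time the refresh token can be expected to still work.

    Testing: fixed 7 days from issuance. Production: 180 idle days after
    the last use. Revocation, a password change with Gmail scopes, session
    control policies or the 100-token limit can end it earlier.
    """
    if publishing_status == "testing":
        return issued_at + TESTING_LIFETIME
    if publishing_status == "production":
        return last_used_at + PRODUCTION_IDLE_LIMIT
    raise ValueError(f"unknown publishing status: {publishing_status!r}")


def needs_reauthorization(http_status, body):
    """True when a token-endpoint reply means the refresh token is dead.

    OAuth 2.0 (RFC 6749, section 5.2) reports an expired or revoked
    refresh token as HTTP 400 with error "invalid_grant". The only
    recovery is to send the user through authorization again.
    """
    if http_status != 400:
        return False  # success, or a failure worth retrying
    try:
        return json.loads(body).get("error") == "invalid_grant"
    except (ValueError, AttributeError):
        return False  # not an OAuth error document


if __name__ == "__main__":
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(predicted_expiry("testing", issued, issued))
    # Constructed sample of an error reply to a refresh request.
    reply = '{"error": "invalid_grant", "error_description": "Token has been expired or revoked."}'
    print(needs_reauthorization(400, reply))
```
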
