Elad Benda

Reputation: 36654

Expiration date of accessToken in oAuth protocol

I'm using dotNetOpenAuth to authorise against Google oAuth provider.

I'm a bit confused with the difference between the following:

consumerToken, consumerSecret, accessToken

From the Provider I get the accessToken for some user. Can I keep it forever? Or does it expire?

How can the code enable authorization without redirecting the user to the "allow access to my google data page" ?

Upvotes: 1

Views: 1610

Answers (3)

Andrew Arnott

Reputation: 81791

OAuth 1.0, which you're using, does not include a provision for predicting when an access token will expire, so you'll have to read Google's documentation for OAuth 1.0 access tokens to see how long they last.

How can the code enable authorization without redirecting the user to the "allow access to my google data page" ?

You don't. If you could do that, that would be a huge security leak. The user must authorize your app to access his/her data. Once you've obtained authorization, however, by storing the access token (and its secret) that you obtained you should be able to use it in the future and avoid the user authorization step (until the user revokes the token or it otherwise expires).

Upvotes: 2

Zepplock

Reputation: 29135

Never have any expectations about the lifespan of accessToken. At any time you can be given a 403 HTTP error, which should trigger one of the following in your app:

  • If you have a refreshToken, get a new accessToken without resource owner (end user) interaction
  • If not, ask user again to authorize your application

Upvotes: 5

Alexei Levenkov

Reputation: 100537

"AccessToken" in OAuth normally has a relatively short expiration (i.e. in the Facebook and Messenger case, less than a day). If the implementation supports it, then "refreshToken" is the one you can keep longer (weeks/months range, depending on the provider).

According to the doc ( https://developers.google.com/accounts/docs/OAuth2 ), Google supports refresh tokens, so if you want to store a token, it is the one.

Note that both accessToken and refreshToken represent very sensitive information (comparable to a clear-text user name and password), so please check out the provider's recommendations and requirements on storing this information.

Upvotes: 0
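As an added example (not code from the question, the answers, or dotNetOpenAuth), here is a small Python client showing the handling that Zepplock's and Alexei Levenkov's answers describe: the access token is treated as ephemeral, a 401/403 from the resource server triggers exactly one refresh_token grant, and a missing or rejected refresh token surfaces as a signal to send the user back through the authorization page. The token endpoint, client credentials and the FakeProvider are constructed stand-ins so the example runs offline.

```python
from urllib.parse import urlencode, parse_qsl

class ReauthorizationRequired(Exception):
    """Only a new user-consent flow can restore access."""

def refresh_token_request(token_endpoint, client_id, client_secret, refresh_token):
    """Build the refresh_token grant (RFC 6749 section 6) as (url, form-encoded body)."""
    return token_endpoint, urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                                      "client_id": client_id, "client_secret": client_secret})

class OAuthClient:
    """Treats the access token as ephemeral: refresh once on 401/403, otherwise re-authorize."""
    def __init__(self, transport, token_endpoint, client_id, client_secret, tokens):
        self.transport = transport  # callable(method, url, body, bearer) -> (status, payload)
        self.token_endpoint, self.client_id, self.client_secret = token_endpoint, client_id, client_secret
        self.tokens = dict(tokens)  # persisted {"access_token", "refresh_token"}; store them encrypted
    def _refresh(self):
        rt = self.tokens.get("refresh_token")
        if not rt:
            raise ReauthorizationRequired("no refresh token stored")
        url, body = refresh_token_request(self.token_endpoint, self.client_id, self.client_secret, rt)
        status, payload = self.transport("POST", url, body, None)
        if status != 200:  # e.g. invalid_grant: the user revoked access
            raise ReauthorizationRequired(f"refresh rejected: {payload}")
        self.tokens["access_token"] = payload["access_token"]
        self.tokens["refresh_token"] = payload.get("refresh_token", rt)  # some providers rotate it
    def get(self, url):
        status, payload = self.transport("GET", url, None, self.tokens.get("access_token"))
        if status in (401, 403):
            self._refresh()
            status, payload = self.transport("GET", url, None, self.tokens["access_token"])
            if status in (401, 403):
                raise ReauthorizationRequired("still unauthorized after refresh")
        return status, payload

class FakeProvider:
    """Constructed in-memory provider so the example runs offline (not Google's endpoint)."""
    def __init__(self, access=("at-1",), refresh=("rt-1",)):
        self.valid_access, self.valid_refresh, self.issued = set(access), set(refresh), 1
    def __call__(self, method, url, body, bearer):
        if method == "POST" and url.endswith("/token"):
            p = dict(parse_qsl(body))
            if p.get("grant_type") != "refresh_token" or p.get("refresh_token") not in self.valid_refresh:
                return 400, {"error": "invalid_grant"}
            self.issued += 1
            self.valid_access.add(f"at-{self.issued}")
            return 200, {"access_token": f"at-{self.issued}", "token_type": "Bearer"}
        return (200, {"ok": True}) if bearer in self.valid_access else (401, {"error": "invalid_token"})
```

Expiring an access token in the fake (removing it from `valid_access`) exercises the refresh path; removing the refresh token as well models the user revoking access and forces a `ReauthorizationRequired`.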
