How Long can an OAuth2 Access Token be Refreshed?
The ability to refresh an OAuth2 access token using a refresh token depends on the following factors:
- The Expiration of the Refresh Token:
- Refresh tokens typically have longer lifetimes than access tokens, and in some cases, they may not expire at all (until revoked). However, some authorization servers issue refresh tokens with expiration times. The expiration time can vary depending on the authorization server’s policies.
- Authorization Server Policies:
- Different OAuth2 providers (such as Google, Microsoft, etc.) implement their own rules regarding how long a refresh token can be used.
- Some providers may issue refresh tokens that are valid indefinitely as long as they are used regularly. Others might revoke refresh tokens after a certain period or if not used for a long time (inactivity).
- Token Revocation:
- A refresh token can be revoked by the authorization server at any time. This may happen if:
- The user explicitly revokes the authorization (e.g., by removing the app’s permissions).
- The application or user account is compromised.
- The refresh token is deemed inactive for a certain period (inactivity policies).
- Limits on Number of Refreshes:
- Some OAuth2 providers impose a limit on the number of times a refresh token can be used to generate a new access token. For example, Google allows refresh tokens to be used indefinitely until revoked but may issue a new refresh token upon each request.
- Application Type:
- Public clients (e.g., mobile or single-page applications) may have different refresh token policies compared to confidential clients (e.g., server-side applications). For public clients, the refresh token may have stricter expiration rules.
- A refresh token can be revoked by the authorization server at any time. This may happen if:
Typical Refresh Token Lifetimes by Provider:
Here are some examples of OAuth2 providers and their refresh token policies:
- Google: Refresh tokens are valid indefinitely unless they are revoked, but if a user hasn’t used the application for six months, the refresh token might expire.
- Microsoft (Azure AD): Refresh tokens expire by default after 90 days of inactivity but are refreshed if they are used regularly. If a refresh token is used within its validity period, the server typically issues a new refresh token.
- Facebook: The refresh token (called “long-lived access token”) is valid for 60 days and must be refreshed before expiration.
- GitHub: Refresh tokens expire after 8 hours, and the user must re-authenticate.
Refresh Token Expiration Considerations:
- Inactivity Period: Some authorization servers set policies that invalidate refresh tokens if they are not used for a certain period. If the refresh token is unused for too long, it may expire.
- Refresh Token Rotation: Some OAuth2 providers implement refresh token rotation, where every time you use a refresh token to get a new access token, a new refresh token is issued, and the old refresh token is invalidated.
- Revocation: Users or administrators may manually revoke the refresh token at any time, for instance, by disconnecting the app from their account.
Example Response with Refresh Token Expiration (OAuth2 Token Response):
{ "access_token": "new-access-token", "expires_in": 3600, // 1 hour (time in seconds) "refresh_token": "new-refresh-token", "token_type": "Bearer" }
In this case:
- “access_token”: The new access token that is valid for 1 hour (3600 seconds).
- “refresh_token”: A new refresh token (if refresh token rotation is used).
admin
0
Tags :