
We have a system in which the administrators of different Box accounts give our app the permission to access their company accounts. In the Box API documents, we see that the refresh tokens expire

- Till used
- 60 days of inactivity

I want to know about this 2nd limit of 60 days of inactivity. Does this mean 60 days of activity on our application's part, or on the actual user's (administrator's) part? What if the administrator does not log in to her account for 60 days (meanwhile our app is still running)? Will the refresh token expire in that case also?

auny

1 Answer


Any given refresh token expires 60 days from when it was issued, in the same way that an access token expires ~1 hour from when it was issued. It is not a sliding window; the activity of your application or users has no effect.

Either the user will need to reauthorize your application if they haven't logged in for 60+ days or you'll need to write some background service to periodically refresh any access token(s) whose refresh token is nearing expiration.

John Hoerr
  • This means that it is bound to expire after 60 days? Isn't that a big deal breaker? How would the application run after 60 days? Getting the authentication from the user every 60 days is a major hurdle! – auny Dec 23 '14 at 14:20
  • You bet! The thinking is -- for 'apps' anyway -- that if a user doesn't use your app for that long then it's probably the right thing for them to need to authenticate again. For a service account such as these, we wrote for ourselves a little cron job that'll go through and auto-refresh tokens that are getting close to expiration. – John Hoerr Dec 23 '14 at 14:31
  • Now you are saying "if a user does not use your app for that long". In the initial answer you said that it does not matter. What do you mean by 'using our app' here? The user authenticated with us once; now our app talks to Box APIs for looking at the Box accounts of that. Am I missing some kind of interaction here? – auny Dec 23 '14 at 16:08
  • Sorry for the confusion. My point is this: a refresh token will not work if it's over 60 days old. Period. So either the user will need to reauthorize if they haven't logged in for 60+ days *or* you'll need to write some background service to periodically refresh access tokens whose refresh tokens are nearing expiration. – John Hoerr Dec 23 '14 at 17:27
  • Our application continuously refreshes the access token after every hour using the refresh token that it has. With that, the refresh token is also refreshed, since a new refresh token is issued every time. If this keeps on happening (our app doing the refresh) all the time, does the 60 day limit hold? It should not, because the refresh token is being renewed every hour also. – auny Dec 23 '14 at 17:40
  • The 60 day limit only applies to a given instance of a refresh token. As long as you keep auto-refreshing the access/refresh token pair -- once an hour, in your case -- you'll have no problems. – John Hoerr Dec 23 '14 at 17:48
  • Thanks a lot for the clarification. It would be awesome if you can update your initial answer to make this clarification so that it's helpful to others – auny Dec 23 '14 at 18:03
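An added illustration (not code from the question, the answer, or Box) of the rule the thread settles on: each refresh token instance has a fixed 60-day deadline counted from its own issuance, so a background job that rotates the pair keeps the account usable through any amount of user inactivity, while a pair left untouched past the deadline can only be recovered by the user re-authorizing. The token endpoint call is replaced by a constructed stand-in so this runs offline; START, the lifetimes and the 7-day safety margin are assumed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Tuple
# Lifetimes per the answer: access ~1 hour; refresh 60 days from ITS issuance (no sliding window).
ACCESS_TOKEN_LIFETIME = timedelta(hours=1)
REFRESH_TOKEN_LIFETIME = timedelta(days=60)
SAFETY_MARGIN = timedelta(days=7)  # rotate well before the hard 60-day deadline (assumed)
START = datetime(2014, 12, 23, tzinfo=timezone.utc)  # constructed sample clock start
Exchange = Callable[[str], Tuple[str, str]]  # refresh_token -> (access, refresh)

@dataclass(frozen=True)
class TokenPair:
    access_token: str
    refresh_token: str
    issued_at: datetime  # when THIS access/refresh pair was issued

    def refresh_deadline(self) -> datetime:
        # Fixed from issuance; user or app activity does not extend it.
        return self.issued_at + REFRESH_TOKEN_LIFETIME

    def needs_refresh(self, now: datetime) -> bool:
        access_expired = now >= self.issued_at + ACCESS_TOKEN_LIFETIME
        refresh_nearing = now >= self.refresh_deadline() - SAFETY_MARGIN
        return access_expired or refresh_nearing

def refresh_if_needed(pair: TokenPair, now: datetime, exchange: Exchange) -> TokenPair:
    """Return the current pair or a rotated one; raise once the refresh token is
    dead, because the only recovery then is the user re-authorizing the app."""
    if now >= pair.refresh_deadline():
        raise RuntimeError("refresh token older than 60 days; user must re-authorize")
    if not pair.needs_refresh(now):
        return pair
    access, refresh = exchange(pair.refresh_token)
    # Persist the new pair before dropping the old one: the exchange consumed the old refresh token.
    return TokenPair(access, refresh, issued_at=now)

def fake_exchange(refresh_token: str) -> Tuple[str, str]:
    """Constructed stand-in for the token endpoint; rotates deterministically."""
    n = int(refresh_token.rsplit("-", 1)[1]) + 1
    return f"access-{n}", f"refresh-{n}"

def run_background_job(pair: TokenPair, start: datetime, days: int, exchange: Exchange,
                       every: timedelta = timedelta(hours=1)) -> TokenPair:
    """Simulate the cron job from the comments: wake periodically and refresh if needed."""
    now = start
    while now < start + timedelta(days=days):
        pair = refresh_if_needed(pair, now, exchange)
        now += every
    return pair
```

Running the job hourly for 90 days keeps rotating the pair and the deadline keeps moving forward, whereas calling `refresh_if_needed` once on a 60-day-old pair raises and the account needs re-authorization.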