What is the validity for new refresh token retrieved through refresh token?

Question

I recently integrated OneNote API in my application. The question is: When I refresh my access token(as one access token lasts for only an hour) a new refresh token is returned from the API.

As I read somewhere that a refresh token is good for an year, does the new refresh token's validity starts from the time of generation(after refreshing token)?

Reference link 1

Reference link 2

Any help is appreciated.

score 0 · Answer 1 · answered Oct 27 '15 at 11:48

0

It is up to the OneNote Authorization Server that issues the tokens to set the expiry for the refresh token. It is also optional by spec to renew the refresh token at the time that the original one is used. If done so, it is good security practice to invalidate the old one because otherwise it would not make much sense to issue a new one in the first place. So yes, the new refresh token's validity should start at the time of generation.

answered Oct 27 '15 at 11:48

Hans Z.

50,496
12
102
115

Are you sure?Is there any evidence for that? – Amey Khadatkar Oct 27 '15 at 11:57
I didn't find any evidence of the validity extension for the refresh token. It might happen that the new refresh token may have lesser expiration period. Your answer seems to be just an assumption – Amey Khadatkar Oct 28 '15 at 05:35

score 0 · Answer 2 · answered Oct 27 '15 at 21:02

0

MSA refresh tokens are good for a year and O365 (azure AD) tokens are good for 90 days.

answered Oct 27 '15 at 21:02

Sharad Sharma

62
2

Its not a office 365 app. Its a onenote app. I don't need to use azure AD for this. – Amey Khadatkar Oct 28 '15 at 05:31

What is the validity for new refresh token retrieved through refresh token?

2 Answers2