Suppose I have a Google app, a user has authorized my app using OAuth2 many times, and my app stored all the refresh tokens generated from those authorizations. How many valid refresh tokens can my app keep? And how many access tokens generated by each refresh token are valid?
Viewed 4,676 times
1 Answer
0
I'm currently working with other APIs using OAuth2, and whenever a user authorises your application to get information the old tokens become invalid. In my case, if a user re-authorises I toss the old tokens and insert the new ones. The access token can, and in most cases does, have a limited life-span. If an access token is expired you will receive an error and you need to request a new access token with your refresh token. In some cases you will also get a new refresh token in addition to your access token to request the next access token. See https://developers.google.com/identity/protocols/OAuth2 for Google-specific information.

martwetzels
- How about if one user authorized many tokens to my app, and I use all of them for different usages? How many valid refresh tokens can I hold? – Atvoid Feb 29 '16 at 08:03
- With OAuth2 a clientID will only have 1 active set of tokens (access+refresh). If you have multiple ClientIDs from the API you can define different scopes, but then the user would have to authorize with all the different applications (your client IDs) and I am assuming that is not your use-case. Traditionally you will have an access token with limited lifespan and a refresh token to obtain a new access token. The scope of your application, as it has been authorized by the user, is coupled to your ClientID. If the user re-authorises your application the old tokens will become invalid. – martwetzels Mar 01 '16 at 15:04
- @martwetzels This doesn't appear to be 100% true, although it does depend on interpretation. I've been trying to find the answer for this, and all I can surmise is that when a client (not clientId) receives a new refresh_token, it MUST discard the old one. However, the RFC only says the server MAY revoke the old refresh token, not MUST. Therefore, if the client has shared the previous client_id/access_token/refresh_token combo with another client, it could be able to use the same client_id, but different access_token/refresh_token combo. It all depends on whether the server revoked the old... – fimbulvetr Sep 27 '16 at 17:49
- It depends on the service providing the tokens. The old refresh tokens, in my experience, have become invalid, so maintaining a copy of the old tokens would be a waste of space. Some APIs, not Google's, don't even offer refresh tokens. Why would a system hold multiple valid refresh tokens issued for the same client connected to the same ClientID? Can you elaborate your comment a bit? – martwetzels Sep 27 '16 at 17:57
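The token lifecycle described in the answer and argued over in the comments (access tokens expire and are refreshed after an error, a refresh may return a new refresh token that the client MUST drop the old one for, while the server only MAY revoke the old one, and re-consent replaces the stored pair), as an added example that is not part of the original post and is not Google's code. It models both sides in one process with a simulated clock; the client ID, token format, TTL and the two server policy flags (`rotate_refresh`, `revoke_old_grants`) are assumptions introduced here, not documented behaviour of any real provider.

```python
import secrets

ACCESS_TTL = 3600  # seconds; constructed value, real providers differ


class AuthServer:
    """Toy authorization server; both flags are hypothetical policy knobs."""

    def __init__(self, rotate_refresh=True, revoke_old_grants=True):
        self.rotate_refresh = rotate_refresh        # return a new refresh token on refresh?
        self.revoke_old_grants = revoke_old_grants  # invalidate superseded refresh tokens?
        self._access = {}   # access_token -> (client_id, expires_at)
        self._refresh = {}  # refresh_token -> client_id, currently valid ones only
        self.now = 0.0      # simulated clock so the walk-through is deterministic

    def _grant(self, client_id, refresh_token):
        access = secrets.token_urlsafe(16)
        self._access[access] = (client_id, self.now + ACCESS_TTL)
        return {"access_token": access, "expires_in": ACCESS_TTL, "refresh_token": refresh_token}

    def authorize(self, client_id):  # the user consents; the code exchange is elided
        if self.revoke_old_grants:
            self._refresh = {rt: c for rt, c in self._refresh.items() if c != client_id}
        rt = secrets.token_urlsafe(16)
        self._refresh[rt] = client_id
        return self._grant(client_id, rt)

    def refresh(self, client_id, refresh_token):
        if self._refresh.get(refresh_token) != client_id:
            raise PermissionError("invalid_grant")
        if self.rotate_refresh:
            if self.revoke_old_grants:  # RFC 6749 s6: the server MAY revoke the old token
                del self._refresh[refresh_token]
            refresh_token = secrets.token_urlsafe(16)
            self._refresh[refresh_token] = client_id
        return self._grant(client_id, refresh_token)

    def resource(self, access_token):
        entry = self._access.get(access_token)
        if entry is None or entry[1] <= self.now:
            raise PermissionError("invalid_token")  # stands in for an HTTP 401
        return {"ok": True}

    def live_refresh_tokens(self, client_id):
        return sum(1 for c in self._refresh.values() if c == client_id)


class TokenStore:
    """Client side: exactly one (access, refresh) pair per user and client_id."""

    def __init__(self, client_id, server):
        self.client_id, self.server = client_id, server
        self.access_token = self.refresh_token = None

    def _absorb(self, resp):
        self.access_token = resp["access_token"]
        if resp.get("refresh_token"):  # RFC 6749 s6: the client MUST discard the old one
            self.refresh_token = resp["refresh_token"]

    def authorize(self):
        self._absorb(self.server.authorize(self.client_id))

    def refresh(self):
        """True on success; on invalid_grant drop the dead pair and return False."""
        try:
            self._absorb(self.server.refresh(self.client_id, self.refresh_token))
            return True
        except PermissionError:
            self.access_token = self.refresh_token = None  # keeping a dead token is pointless
            return False

    def call_api(self):
        """Call the resource; on a 401-style rejection refresh once and retry."""
        try:
            return self.server.resource(self.access_token)
        except PermissionError:
            if not self.refresh():
                raise RuntimeError("refresh token rejected; user must re-authorize")
            return self.server.resource(self.access_token)


def demo(rotate_refresh=True, revoke_old_grants=True):
    """Consent, expiry, refresh, a stale copy of the first refresh token, re-consent."""
    srv = AuthServer(rotate_refresh, revoke_old_grants)
    store = TokenStore("hypothetical-client-id", srv)  # assumed id, not a real one
    store.authorize()
    first_rt = store.refresh_token
    assert store.call_api() == {"ok": True}
    srv.now += ACCESS_TTL + 1                # the access token has now expired
    assert store.call_api() == {"ok": True}  # 401, refresh, retry, all inside call_api
    out = {"rotated": store.refresh_token != first_rt,
           "live_after_refresh": srv.live_refresh_tokens(store.client_id)}
    try:                                     # an old backup that still holds first_rt
        srv.refresh(store.client_id, first_rt)
        out["old_refresh_usable"] = True
    except PermissionError:
        out["old_refresh_usable"] = False
    store.authorize()                        # the user re-consents
    out["live_after_reauth"] = srv.live_refresh_tokens(store.client_id)
    return out
```

`demo()` with both flags on is the behaviour the answer describes: after the refresh only one refresh token is live, the stale copy gets `invalid_grant`, and re-consent leaves one again. Flipping `revoke_old_grants` off is exactly the RFC "MAY" from the comment thread: the old refresh token keeps working and the count of live tokens grows with every refresh and re-consent, which is why a client that never discards superseded tokens ends up with a pile of them. Which policy a real provider applies is not something the client can detect up front; read the provider's documentation (the answer links Google's) and, as `TokenStore.refresh` does, treat a rejected refresh as "send the user back through consent" rather than falling back to an older stored token.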