Podio Oauth - refresh token lifespan

Question

I am currently working on Podio integration and I have stumbled upon articles which do not give clear answer whether refresh_token expire on its own and what is the exact flow of obtaining new refresh token in such case.

The articles:

Podio Refresh token Expiry - it does not expire (answer from someone who has Podio in user name, quite recent)

https://help.podio.com/hc/en-us/community/posts/206669587-Get-new-refresh-token - it expires, you get it as a part of response but not rly? There is some discussion with no conclusion

I am asking this because I worked with a lot of services and OAuth implementations, but its the first time that refresh token is actually getting invalidated. So if 28 days pass then user has to reauthenticate? Or just a token is invalidated but "grant" still exists? I have to say it's quite confusing, because I'm used to approach grant == refresh token, but I understand its withih the OAuth specs. Also we just want to store refresh token in db. I'd love to test it, but I don't want to wait 28 days.

The docs do not state clearly what is the lifespan of refresh token.

I'd love someone from Podio to give clear answer about this. Do refresh tokens expire, is it only when there is total inactivity (no api calls) or just fixed amount, and in what cases (inactivity or time passed), what is the exact flow of getting refresh token and does it require user reauthentication?

Brandon Tweed · Accepted Answer · 2017-01-19T21:35:16.773

There are two parts at play here, the access token and the refresh token.

The access token expires after the interval specified via the expires_in attribute.

The refresh token can expire if unused for longer than 28 days. Each time you use the refresh token to request a new access token, the timer resets and you have another 28 days before the refresh token expires. If you regularly obtain new access tokens within the 28-day period you can hypothetically use the same refresh token indefinitely.

Example HTTP request to obtain an initial access token and refresh token (values redacted with asterisks):

POST /oauth/token HTTP/1.1
Host: podio.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=password&username=******&password=******&client_id=******&client_secret=******

Response Body:

{
  "access_token": "******9c2",
  "expires_in": 28800,
  "token_type": "bearer",
  "scope": "global:all",
  "ref": {
    "type": "user",
    "id": ******
  },
  "refresh_token": "******04a"
}

Example request to obtain a new access token (uses the same refresh token):

Note: Any extra whitespace characters in the request body can cause issues. This is an issue I bumped into as I was experimenting.

Request:

POST /oauth/token HTTP/1.1
Host: api.podio.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=refresh_token&client_id=******&client_secret=******&refresh_token=******04a

Response Body:

{
  "access_token": "******676",
  "expires_in": 28800,
  "token_type": "bearer",
  "scope": "global:all",
  "ref": {
    "type": "user",
    "id": ******
  },
  "refresh_token": "******04a"
}

It's important to note that the value of the refresh token doesn't change and can be used repeatedly to obtain new access tokens.

TL;DR - If you don't use the refresh token it expires after 28 days. Whenever you use the refresh token to obtain a new access token the expiration timer for the refresh token resets.

great answer, I suggest including the 28 days info + extending lifespan after each use in your docs :) — Raidmaster, Jan 20 '17 at 08:46

Podio Oauth - refresh token lifespan

1 Answers1