2

There is an expiration time (in seconds) for the access token, but does the refresh token also have an expiration time?

{
  "access_token": "eyJhbGciOiJIUzI1NiIsImtpZCI6Imp3dF9zeW1tZXRyaWNfa2V5In0.eyJ1c2VyaWQiOiJTV042SjVUQUVSQUIiLCJleHAiOjE0OTMzODc1NDEsInNjb3BlIjpbImRhdGE6d3JpdGUiLCJkYXRhOmNyZWF0ZSIsImRhdGE6cmVhZCIsImJ1Y2tldDpyZWFkIiwiYnVja2V0OmNyZWF0ZSJdLCJjbGllbnRfaWQiOiJVc1pEVUJoQUlzbHNBa0g2emtBaU02UWlXWU5reElNbyIsImdyYW50X2lkIjoic2tmNmR3OGFzbjl5eGM4RG5MM0ZYemVsZkhwTG5LN3IiLCJhdWQiOiJodHRwczovL2F1dG9kZXNrLmNvbS9hdWQvand0ZXhwNjAiLCJqdGkiOiJ3V2tHYXY0djhRcHU3emlHV0R0eXZRR3J3MklEVU1FZFRRNWZlaGtlbFVnbnhDa2RZQW5Gakp4V09ldHNscUcxIn0.r2Tk3L6fy10pr5PRIFx9jp6cNB0qXMx0j0v0R47SsgQ",
  "refresh_token": "Qz5azGOgskSE9wFhIn2NyzA7JxQkkhjtmCK8nLn10U",
  "token_type": "Bearer",
  "expires_in": 3599
} 
janfitz
PaulMS

1 Answer

2

Refresh tokens can expire, but when they will expire depends upon the way the authentication server is implemented. You should be able to safely assume that a refresh token is extremely long lived.

Refresh tokens carry the information necessary to get a new access token. In other words, whenever an access token is required to access a specific resource, a client may use a refresh token to get a new access token issued by the authentication server. Common use cases include getting new access tokens after old ones have expired, or getting access to a new resource for the first time. Refresh tokens can also expire but are rather long-lived. Refresh tokens are usually subject to strict storage requirements to ensure they are not leaked. They can also be blacklisted by the authorization server.

I was not able to find any information on the Autodesk site as to when they expire refresh tokens. Normally the user who authenticated you has the power to revoke the authentication, and some systems expire tokens which have not been used in six months.

Linda Lawton - DaImTo
  • @DalmTo is right - the expiry for the refresh token is extremely long; it only expires once you use it, or the user revokes access to your app. – cyrille Apr 28 '17 at 14:07
  • A refreshToken should not expire when used; it can be used any number of times to gain a new access token – Linda Lawton - DaImTo Apr 28 '17 at 14:08
  • @DalmTo - well, in the case of Forge it does - when you use it, a new accessToken and a new refreshToken will be issued. – cyrille Apr 29 '17 at 09:05
  • I have never seen that; it may depend on how the authentication server is implemented. It's not part of the RFC for OAuth – Linda Lawton - DaImTo Apr 29 '17 at 09:10
  • @cyrille extremely long, meaning? 1 week? 1 month? I suppose I can store it and use it (and replace it with the new one when using it), so that the user doesn't have to log in too often. – PaulMS May 02 '17 at 07:20
  • @PaulMS it depends upon how Autodesk has it implemented. I was unable to find any information on their site, which I would take to mean that they don't expire it; however, I suggest you contact them to be sure. Either way, you should implement a check so that if it fails you prompt your user for reauthentication. – Linda Lawton - DaImTo May 02 '17 at 07:23
  • Thanks DaImTo, the check is already implemented. I was asking @cyrille because he is Autodesk :) – PaulMS May 02 '17 at 12:41
  • @PaulMS, today the expire time for the refresh-token is set for 15 days – cyrille May 04 '17 at 06:36
  • I just checked in expire time was 1 hour. – David Jun 06 '23 at 15:42
  • Access tokens expire in one hour. Refresh tokens expire in 7 days if the app is still in testing. – Linda Lawton - DaImTo Jun 06 '23 at 16:04
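
The thread makes two practical points: a server may rotate the refresh token on every use, and the client needs a fallback to re-login when a refresh fails. The sketch below is an added example, not code from the answer or from Autodesk. `refresh_fn`, `store_fn` and the `TokenError` shape are hypothetical hooks for whatever HTTP client and storage the app uses; `invalid_grant` is the error code RFC 6749 defines for a refresh token that is expired, revoked or otherwise invalid.

```python
import time

class ReauthRequired(Exception):
    """Refresh token rejected: send the user through login again."""

class TokenError(Exception):
    """Token endpoint failure carrying the OAuth `error` string (assumed shape)."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code

class TokenManager:
    # refresh_fn and store_fn are hypothetical hooks supplied by the caller:
    # refresh_fn(refresh_token) -> token response dict, or raises TokenError;
    # store_fn(refresh_token_or_None) persists the current refresh token.
    def __init__(self, tokens, refresh_fn, store_fn, clock=time.time, skew=60):
        self._refresh_fn, self._store_fn = refresh_fn, store_fn
        self._clock, self._skew = clock, skew
        self.refresh_token = None
        self._apply(tokens)

    def _apply(self, resp):
        self.access_token = resp["access_token"]
        self._expires_at = self._clock() + resp["expires_in"]
        # Rotation: a refresh token in the response replaces the one just
        # used, so persist it immediately or the next refresh will fail.
        if resp.get("refresh_token"):
            self.refresh_token = resp["refresh_token"]
            self._store_fn(self.refresh_token)

    def get_access_token(self):
        # Reuse the access token until shortly before expires_in runs out.
        if self._clock() < self._expires_at - self._skew:
            return self.access_token
        if self.refresh_token is None:
            raise ReauthRequired("no refresh token stored")
        try:
            resp = self._refresh_fn(self.refresh_token)
        except TokenError as err:
            if err.code != "invalid_grant":
                raise  # other failure: keep the stored token and surface it
            # Expired, revoked or already-used refresh token.
            self.refresh_token = None
            self._store_fn(None)
            raise ReauthRequired("refresh token rejected") from err
        self._apply(resp)
        return self.access_token
```

Because the refresh token's lifetime is not in the token response, the client cannot schedule around it; treating `invalid_grant` as the signal to re-authenticate works regardless of what lifetime the server uses.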