0

I'm working today on a partner environment related to Google Home.

Concretely, when I use Google Home to give orders to devices, Google calls my API to execute them (as it does with Philips Hue, Netatmo, etc.).

My problem is this: I use Keycloak for OAuth management. The Google console has been configured to use it and it works. However, my refresh_token expires, and this forces the user to delete the linked account and then postpone it.

My question is this: Does Google expect to get an infinite refresh_token after giving its authorization_code? Or did I miss something, because Google does not seem to restart the normal connection procedure?

Keycloak 3.2, Google homegraph action-on-google

Prisoner
  • 49,922
  • 7
  • 53
  • 105
  • This seems odd. What evidence do you have that the refresh_token is expiring (or that it should)? Refresh tokens normally have no expiration. (How would you refresh an expired refresh token?) – Prisoner Dec 31 '18 at 14:19
  • I have the Keycloak configuration, so I know that the SSO timeout has a max – Léo SEGRETAIN Jan 02 '19 at 06:22

2 Answers

0

Typically, yes, Google assumes the refresh_token has either no expiration or an extremely long expiration period. But it does acknowledge that the refresh_token can either expire or be revoked. In that case, you need to make sure your OAuth server returns HTTP code 400 with the OAuth error invalid_grant.

Prisoner
  • 49,922
  • 7
  • 53
  • 105
-1

I personally consider it good practice to revoke refresh tokens after a period of inactivity. This gives a pretty good user experience while keeping the database updated.

Fabien
  • 44
  • 6
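The two answers above describe a single behaviour from the OAuth server's side: a refresh token that is unknown, revoked, or idle for too long must be rejected with HTTP 400 and the error `invalid_grant` (RFC 6749 section 5.2), which is the signal that lets a client such as Google restart account linking instead of retrying forever. The following is an added example of that token-endpoint logic; it is not Keycloak's code, not Google's, and not code from either answerer. The client registration, the refresh-token records, the 90-day inactivity limit and the token strings are constructed sample values, and the `REFRESH_TOKENS` dictionary stands in for the server's real token store.

```python
"""Minimal OAuth 2.0 token-endpoint logic for a smart-home account-linking
backend (added example; not Keycloak's or Google's code).

Behaviour shown:
  * refresh_token grant with a live token  -> 200 + new access token
  * unknown / revoked / idle-expired token -> 400 + error=invalid_grant
    (RFC 6749 section 5.2), the response the first answer asks for
  * tokens idle longer than REFRESH_IDLE_LIMIT are revoked on the spot,
    the inactivity policy the second answer recommends
"""
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Assumed policy values (sample choices, not from the page).
REFRESH_IDLE_LIMIT = timedelta(days=90)
ACCESS_TOKEN_LIFETIME = timedelta(hours=1)

# Constructed client registration; a real server keeps this in its
# client database (Keycloak's client settings, for instance).
CLIENTS = {"google-home-client": "s3cr3t-sample-value"}

# Constructed refresh-token store: token string -> record.
REFRESH_TOKENS = {
    "rt-active": {"client_id": "google-home-client", "user": "alice",
                  "last_used": datetime(2019, 1, 1, tzinfo=timezone.utc),
                  "revoked": False},
    "rt-stale": {"client_id": "google-home-client", "user": "bob",
                 "last_used": datetime(2018, 1, 1, tzinfo=timezone.utc),
                 "revoked": False},
    "rt-revoked": {"client_id": "google-home-client", "user": "carol",
                   "last_used": datetime(2019, 1, 5, tzinfo=timezone.utc),
                   "revoked": True},
}


def _error(code: str, description: str):
    """Build an RFC 6749 error response: HTTP 400 plus a JSON error body."""
    return 400, {"error": code, "error_description": description}


def handle_token_request(params: dict, now: datetime):
    """Process one token request. Returns (http_status, json_body)."""
    client_id = params.get("client_id", "")
    expected_secret = CLIENTS.get(client_id)
    # Constant-time comparison so secret checking does not leak timing.
    if expected_secret is None or not hmac.compare_digest(
            expected_secret, params.get("client_secret", "")):
        return 401, {"error": "invalid_client"}

    if params.get("grant_type") != "refresh_token":
        return _error("unsupported_grant_type",
                      "only the refresh_token grant is handled here")

    record = REFRESH_TOKENS.get(params.get("refresh_token", ""))
    # A token bound to another client is treated exactly like an unknown one.
    if record is None or record["client_id"] != client_id:
        return _error("invalid_grant", "unknown refresh token")
    if record["revoked"]:
        return _error("invalid_grant", "refresh token has been revoked")
    if now - record["last_used"] > REFRESH_IDLE_LIMIT:
        record["revoked"] = True  # inactivity revocation, then the same signal
        return _error("invalid_grant", "refresh token expired after inactivity")

    record["last_used"] = now
    return 200, {
        "token_type": "Bearer",
        "access_token": secrets.token_urlsafe(32),
        "expires_in": int(ACCESS_TOKEN_LIFETIME.total_seconds()),
        "refresh_token": params["refresh_token"],  # reused; rotation is optional
    }


def demo():
    """Run the sample tokens through the endpoint at a fixed 'now'.

    Returns {case: (http_status, error_code_or_None)}.
    """
    now = datetime(2019, 1, 10, tzinfo=timezone.utc)
    base = {"grant_type": "refresh_token", "client_id": "google-home-client",
            "client_secret": "s3cr3t-sample-value"}
    results = {}
    for token in ("rt-active", "rt-stale", "rt-revoked", "rt-unknown"):
        status, body = handle_token_request({**base, "refresh_token": token}, now)
        results[token] = (status, body.get("error"))
    status, body = handle_token_request({**base, "client_secret": "wrong"}, now)
    results["bad-secret"] = (status, body.get("error"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12} -> {outcome}")
```

The point to check in your own server is the second half of `handle_token_request`: every path that cannot honour the refresh token ends in a 400 with `error` set to `invalid_grant`, never a 500 or an unauthenticated 200, because only that exact response tells the linked client the grant is gone and the user must re-link.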