
I have a webapp which lets the user OAuth 2.0 to YouTube, and after exchanging the authorization code I can capture the access_token and refresh_token into my database.

Can these tokens be maliciously used later by me, say after 2 weeks, to delete the poor user's video using /youtube/v3/delete or some other operation like inserting badly formed captions?

And if this could be done, isn't this a security breach, because the poor user who has accidentally consented OAuth into my application has had his access_token, refresh_token and other info captured by my back-end?

So basically when someone consents OAuth to an application, the user is now at the mercy of the application; information could be stored or deleted or anything.

If yes, what can the poor user do to unlink, and how would the user even know that videos are getting deleted by someone else?

Linda Lawton - DaImTo
Rohit Kumar

1 Answer

Access tokens are short-lived tokens which will work for one hour; after that time you will need to use the refresh token to request a new access token.

Your refresh token should not expire except:

  1. If it has not been used for six months.
  2. If a user authenticates your application they get a new refresh token; if they authenticate your application again they will get another refresh token. You can have up to 50 outstanding refresh tokens; all will continue to work until you go over that number, then the first one will expire.
  3. The user can also revoke your access through their account at any time.

Don't bother storing the access token; just store the refresh token, and make sure that if your user authenticates your application again you replace the refresh token in your database with the new one.

If a user grants your application offline access, which will give you a refresh token, then yes, they are at the mercy of your application, which can do whatever you have been granted access to, whenever.

Note: it can take a while to go through the verification process with the YouTube API; start early.

Linda Lawton - DaImTo
  • Thanks for the reply @DaImTo ... so I get the point: access tokens have short lives, hence the refresh token. So basically you are saying if someone consents OAuth to an application, the user is now at the mercy of the application; information could be stored or deleted or anything? – Rohit Kumar Aug 16 '20 at 15:14
  • I'm not 100% sure I understand that, but: if a user grants your application offline access, which will give you a refresh token, yes, they are at the mercy of your application, which can do whatever you have been granted access to, whenever. – Linda Lawton - DaImTo Aug 17 '20 at 06:10
  • Yeah, access_type=offline, and I got my answer... thank you :) – Rohit Kumar Aug 17 '20 at 06:48
  • Could you update this piece of information in your answer so that I can mark it correct? – Rohit Kumar Aug 17 '20 at 06:49
  • There you go. Remember what I said about verification. It can take a while. – Linda Lawton - DaImTo Aug 17 '20 at 06:56
  • @DaImTo: Sorry to intervene: only wanted to add that any user [may revoke](https://developers.google.com/identity/protocols/oauth2#expiration) at any time the access rights granted previously to any given app. – stvar Aug 19 '20 at 17:17