
My application uses a Google refresh token (to get access_token from Google). I have two questions here:

  1. I know a Google refresh token does not expire for 6 months (see the doc here); say I got a refresh token refresh_token_old at 5:00pm on Jan 1st, and my application requests another refresh token refresh_token_new from Google at 5:30pm on Jan 1st (i.e., just 30 minutes later), will the old refresh token still be valid (apparently the old one has not expired)? -- basically, I am asking if the newly issued refresh_token purges the validity of the old refresh_token;
  2. For the access token, access_token_a, which I got from Google using refresh_token_old, is it still valid after my app requested the new refresh token refresh_token_new? -- basically, I am asking if the new refresh_token purges the validity of the access_token obtained by an old refresh_token even if that access_token has not expired;
chen

1 Answer

  • A refresh token will expire if it has not been used for six months. As soon as it is used, the six-month timer will reset.
  • If you request a refresh token, and your application then requests another refresh token, you technically have two outstanding refresh tokens; both will work. You can keep doing this and have up to fifty outstanding refresh tokens; as soon as you hit that point, the first one will expire.
  • Any access token created with any refresh token is good for an hour, even if the refresh token that created it has expired during that hour. Once an access token is created it will work for an hour no matter what.
Linda Lawton - DaImTo
  • Thanks for the crisp answer, very helpful! How can I make all outstanding refresh_tokens invalid (say, I suspect someone has got hold of one)? – chen Dec 01 '20 at 05:48
  • If you want to revoke them all, have the user revoke your permission on their account. Or make a call to the Revoke endpoint. Unless someone also got hold of your client id and client secret and has access to the endpoint you have configured in Google Developer console, they really can't do anything with the refresh token though. – Linda Lawton - DaImTo Dec 01 '20 at 07:58
  • @DaImTo, "Once an access token is created it will work for an hour no matter what". Is that the OAuth 2.0 spec or just for Google only? I want to know if an old access token that is not expired is still valid after calling refresh-token to get a new access token. – Orionpax Aug 17 '22 at 08:42
  • Access tokens expiring after an hour is OAuth standard [expires_in](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.2.2). No, an access token is self-contained. It will expire and then no longer work. The refresh token is used to request a new access token. – Linda Lawton - DaImTo Aug 17 '22 at 08:57
  • 1
    Thanks @DalmTo, been looking for answer that confirms your first point. – VukNovakovic Dec 15 '22 at 13:30
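As an added example (not part of the question, the answer or the comments): a minimal standard-library client for the two operations discussed above, refreshing an access token with the refresh_token grant and revoking a token at Google's revoke endpoint, plus a cache that only hits the token endpoint when the cached access token is about to expire. The endpoint URLs are Google's documented ones; the client id, secret and token values are placeholders, and the `REFRESH_SKEW` margin, the `should_refresh` / `TokenCache` helpers and the constructed JSON responses are my own assumptions, not Google's API. The response parsing and expiry check are split into pure functions so they can be exercised without network access.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Google's OAuth 2.0 token and revoke endpoints (as documented by Google).
TOKEN_URL = "https://oauth2.googleapis.com/token"
REVOKE_URL = "https://oauth2.googleapis.com/revoke"

# Assumption: refresh this many seconds before expires_at so a request that is
# already in flight does not arrive at the API with a just-expired token.
REFRESH_SKEW = 60


def build_refresh_body(client_id, client_secret, refresh_token):
    """Form-encoded body for the refresh_token grant (RFC 6749 section 6)."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()


def parse_token_response(body, now):
    """Return (access_token, expires_at) from the JSON token response.

    expires_in is the OAuth field in seconds; Google issues access tokens with
    expires_in=3600, i.e. the one hour the answer describes. An error object
    (Google answers a revoked or expired refresh token with HTTP 400 and
    {"error": "invalid_grant", ...}) is raised so the caller can fall back to
    a fresh consent flow instead of retrying forever.
    """
    data = json.loads(body)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"], now + int(data["expires_in"])


def should_refresh(expires_at, now, skew=REFRESH_SKEW):
    """True when the cached access token is within `skew` seconds of expiry."""
    return now >= expires_at - skew


def refresh_access_token(client_id, client_secret, refresh_token):
    """POST the refresh grant to Google and return (access_token, expires_at).

    The error body of a 400 is read too, because that is where Google puts the
    invalid_grant object when the refresh token is no longer usable.
    """
    req = urllib.request.Request(
        TOKEN_URL,
        data=build_refresh_body(client_id, client_secret, refresh_token),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        body = err.read()
    return parse_token_response(body, time.time())


def build_revoke_body(token):
    """Form body for the revoke endpoint; it takes an access or a refresh token."""
    return urllib.parse.urlencode({"token": token}).encode()


def revoke_token(token):
    """Revoke one token (the 'call the Revoke endpoint' option from the comments).

    Returns True on HTTP 200. Google returns 400 for a token that is already
    invalid or unknown, which is the state you wanted anyway.
    """
    req = urllib.request.Request(
        REVOKE_URL,
        data=build_revoke_body(token),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False


class TokenCache:
    """Keeps one access token and refreshes it lazily; `fetch` returns
    (access_token, expires_at) and `now` is injectable for testing."""

    def __init__(self, fetch, now=time.time):
        self._fetch = fetch
        self._now = now
        self._token = None
        self._expires_at = 0.0

    def get(self):
        if self._token is None or should_refresh(self._expires_at, self._now()):
            self._token, self._expires_at = self._fetch()
        return self._token


def make_cache(client_id, client_secret, refresh_token):
    """Wire the cache to the real token endpoint with placeholder credentials."""
    return TokenCache(lambda: refresh_access_token(client_id, client_secret, refresh_token))
```

A `PermissionError` from `refresh_access_token` is the signal that the refresh token is dead (revoked, unused for six months, or pushed out by the fifty-token limit the answer mentions); at that point the only recovery is to send the user through consent again, so do not catch it and retry in a loop. When you want every outstanding token gone, `revoke_token` on each refresh token you still hold is the programmatic counterpart to the user removing the app from their account.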