3
votes

I'm migrating an installed application to OAuth2 and came across this paragraph:

Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working.

The app, as advised, is storing the refresh tokens but the user could request multiple refresh tokens by using it on multiple devices. I would like to know:

  • What's the client/user combination limit?

  • Which client_id refresh token gets revoked if the user goes over the "across all clients" limit?

  • A given refresh token will never expire unless the user goes over these limits or revokes it?

Thank you in advance for your help.

3
I'd love to know this too... we're having some authentication issues and don't know if it's because of this limit or not :s – SomethingOn

3 Answers

2
votes

The limit is officially 25.

https://developers.google.com/accounts/docs/OAuth2#expiration

There is currently a 25-token limit per Google user account. If a user account has 25 valid tokens, the next authentication request succeeds, but quietly invalidates the oldest outstanding token without any user-visible warning.

1
votes

The actual number is not in the public domain. It might be service-specific and can change from time to time. Ref: https://developers.google.com/analytics/devguides/config/mgmt/v3/mgmtAuthorization#helpme

From what I understand, if the number can be as low as 25, then the moment a user logs in from the 26th machine, the account at the 1st machine is invalidated.

It would be a better idea to store the refresh tokens in a database over the network.

0
votes

@bazik has the correct number, 25. BUT... there is nothing to stop this number changing in the future, so don't rely on it.

Additionally:

Which client_id refresh token gets revoked if the user goes over the "across all clients" limit?

The oldest.

A given refresh token will never expire unless the user goes over these limits or revokes it?

Never say never. Your app should deal with the possibility by having access to a re-auth dialogue.

Are you sure you actually have a problem? I believe that the refresh token is unique for a clientid/userid/scope combination. Provided all of your devices have the same clientid, I suspect that you will be reissued an existing refresh token, rather than a new one. So you should never get anywhere near the 25 limit. Please do your own testing to confirm this.
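As an added example (not code from any of the answers above), here is a small Python simulation of the behaviour the answers describe: a constructed stand-in authorization server that keeps at most 25 valid refresh tokens per user and quietly drops the oldest, and an installed-app client that keeps its refresh token in durable storage and falls back to re-authorization only when the server rejects it. The server, client and token format are constructed for this example, and every grant is assumed to yield a new token (the multi-device worst case from the question; as the last answer notes, a real server may reissue the same token for the same client/user/scope).

```python
from collections import OrderedDict
REFRESH_TOKEN_LIMIT = 25  # per-user limit quoted from the Google docs in the answers above

class SimulatedAuthServer:
    """Constructed stand-in for the server: silently invalidates the oldest token past the limit."""
    def __init__(self, limit=REFRESH_TOKEN_LIMIT):
        self.limit = limit
        self.tokens = {}  # user -> OrderedDict(token -> True); insertion order is token age
        self.counter = 0

    def authorize(self, user):
        """Interactive grant (consent dialogue): returns a fresh refresh token for `user`."""
        self.counter += 1
        token = f"rt-{user}-{self.counter}"
        bucket = self.tokens.setdefault(user, OrderedDict())
        bucket[token] = True
        if len(bucket) > self.limit:
            bucket.popitem(last=False)  # quietly drop the oldest outstanding token
        return token

    def refresh(self, user, token):
        """Exchange a refresh token for an access token; None means it was revoked."""
        return f"access-for-{token}" if token in self.tokens.get(user, {}) else None

class Client:
    """Installed-app side: reuses the stored refresh token, re-authorizes only on rejection."""
    def __init__(self, server, user, storage):
        self.server, self.user, self.storage = server, user, storage
        self.reauth_count = 0

    def get_access_token(self):
        token = self.storage.get(self.user)
        if token is not None:
            access = self.server.refresh(self.user, token)
            if access is not None:
                return access
            del self.storage[self.user]  # revoked (e.g. oldest of >25): discard, never retry blindly
        self.reauth_count += 1  # re-auth path; a real app shows the consent dialogue here
        new_token = self.server.authorize(self.user)
        self.storage[self.user] = new_token
        return self.server.refresh(self.user, new_token)

def demo(devices=26):
    """Authorize one user from `devices` installs (separate storage each), then reuse device 1's token.
    Returns device 1's re-auth count: 1 if devices <= limit, else 2 (its token was dropped)."""
    server = SimulatedAuthServer()
    clients = [Client(server, "alice", {}) for _ in range(devices)]
    for c in clients:
        c.get_access_token()  # no stored token yet -> one grant per device
    clients[0].get_access_token()  # fails to refresh once the 26th grant landed -> re-auth
    return clients[0].reauth_count
```

Running `demo(25)` leaves device 1's token valid, while `demo(26)` shows the silent invalidation and the client recovering through the re-auth path instead of failing.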