5
votes

According to https://groups.google.com/forum/#!forum/oauth2-dev discussion is now here.

No matter how much reading I do, I can't get my head around how Google OAuth2 tokens work. Reading the docs and many other places suggests that a refresh_token doesn't expire, and is used once the access_token expires. See the official docs at https://developers.google.com/accounts/docs/OAuth2WebServer#refresh

However, in practice it appears to work as described by Paul (Unable to refresh token after expiration), in that the refresh token expires when the access token expires.

Can a Google Engineer please confirm what the correct behavior should be, as this appears to be a case of behavior and documentation not matching.

It also makes the refresh token useless.


1 Answer

7
votes

If you request access_type=offline when making the initial request to https://accounts.google.com/o/oauth2/auth then you'll get back a refresh token along with the access token. This is documented here.

The refresh token does not expire until the user explicitly revokes access to it from the Account -> Security -> "Connected applications and sites" page.

The other post you linked to seems to be related to SoundCloud, which presumably does things a little differently.
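
The flow in the answer above, as an added example that is not part of the original answer or Google's code: it builds the `access_type=offline` authorization request and the refresh-grant body (RFC 6749 section 6), and shows token storage that keeps the refresh token across refreshes and treats `invalid_grant` as revocation. Function names, client values and the sample responses are constructed for illustration.

```python
import time
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"  # endpoint named in the answer

def build_auth_url(client_id, redirect_uri, scope, state):
    """Authorization request that asks for a refresh token as well as an access token."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,            # anti-CSRF value, compared on the callback
        "access_type": "offline",  # without this no refresh_token is returned
    })

def build_refresh_body(client_id, client_secret, refresh_token):
    """Form body for the refresh grant, POSTed to the provider's token endpoint."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })

def merge_token_response(stored, response, now=None):
    """Fold a token-endpoint JSON response into the stored credentials.

    RFC 6749 makes refresh_token optional in a refresh response, and Google
    normally omits it, so the stored one is kept. Overwriting it with None
    makes the refresh token appear to expire with the first access token.
    """
    now = time.time() if now is None else now
    if response.get("error") == "invalid_grant":
        # Refresh token no longer valid (for example revoked by the user): re-run consent.
        return {"access_token": None, "expires_at": 0, "refresh_token": None, "needs_reauthorization": True}
    if "error" in response:
        raise RuntimeError("token endpoint error: " + response["error"])
    return {
        "access_token": response["access_token"],
        "expires_at": now + int(response["expires_in"]),
        "refresh_token": response.get("refresh_token") or (stored or {}).get("refresh_token"),
        "needs_reauthorization": False,
    }

# Constructed sample responses (not captured from Google).
INITIAL = {"access_token": "at-1", "expires_in": 3600, "refresh_token": "rt-1", "token_type": "Bearer"}
REFRESHED = {"access_token": "at-2", "expires_in": 3600, "token_type": "Bearer"}
REVOKED = {"error": "invalid_grant"}
```

Store the refresh token and client secret server-side only, since the refresh token stays valid until the user revokes it.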