4
votes

I have a web application using OAuth 2.0 as the login framework. However, after the users have been logged in for a period, like 1 hour, the application gives the error:

"PHP Fatal error: Uncaught exception 'Google_AuthException' with message 'The OAuth 2.0 access token has expired, and a refresh token is not available. Refresh tokens are not returned for responses that were auto-approved.' in /home2/iaapro/public_html/test_app/google-api-php-client/src/auth/Google_OAuth2.php:221"

The fatal error says that the refresh token is not there. When I read the OAuth 2.0 guide by Google, it says the user will receive the access token and the refresh token at the same time if access_type="offline", which is what I did.

When I get the fatal error, I just need to clear my browser cache and cookies and it works again.

I have seen somebody say that the access token and refresh token will be available as long as the user doesn't revoke the access on his account. In my case, it expired in one hour even though I didn't do so.

I can't find much information about this on Google. Can anyone explain this to me or suggest some useful references?

If we need to store the refresh token in a database, is there any tutorial available?

Thanks.


2 Answers

1
votes

Your access token expires after an hour, and you need a refresh token, which you need to store, to get another valid access token. To find the real-time state of your current access token, use this URL:

https://accounts.google.com/o/oauth2/revoke?token=YOUR-ACCESS-TOKEN-HERE

If you get the dreaded error message, it has expired.

1
votes

OAuth authentication gives you an Access Token which is valid for one hour. It will also give out a Refresh Token, which can be used to get a new Access Token when the first expires (or for a later session).

Should you store Refresh Tokens? Yes, if you plan to reuse the access: there is a limit on the number of refresh tokens that are given out per account:

https://developers.google.com/accounts/docs/OAuth2?hl=ja#expiration
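The two answers above say to store the refresh token and use it to get a new access token once the one-hour access token expires, and the error in the question shows what happens when none was stored: Google only returns a refresh token on the first approval (or when the authorization URL carries approval_prompt=force), never on an auto-approved re-login and never in a refresh response. The following is an added example, not code from the question, the answers or the google-api-php-client; it is written in Python rather than PHP so the flow is visible without the library. It sends the user through an authorization URL with access_type=offline and approval_prompt=force, keeps the refresh token in a store that stands in for the database the question asks about and never overwrites it with a missing value, and performs the refresh_token grant when the access token is about to expire. TokenStore and FakeTokenEndpoint are constructed stand-ins so it runs offline; the user ids, client credentials and token strings are made up.

```python
import time
from urllib.parse import parse_qs, urlencode

# Google's endpoints as used by the google-api-php-client of the question's era.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
REFRESH_SKEW = 60  # refresh a minute early so an in-flight request does not hit expiry


def build_auth_url(client_id, redirect_uri, scope):
    """access_type=offline asks for a refresh token; approval_prompt=force makes Google
    issue one again even if this user already approved the client earlier (otherwise the
    response is auto-approved and carries no refresh token)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "access_type": "offline",
        "approval_prompt": "force",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


class TokenStore:
    """Constructed in-memory stand-in for the database table (one row per user)."""

    def __init__(self):
        self._rows = {}

    def save(self, user_id, token_response, now):
        row = self._rows.setdefault(user_id, {})
        # A refresh_token only comes back on the first (or forced) approval and never on
        # a refresh or an auto-approved login: keep the stored one unless a new one arrived.
        if token_response.get("refresh_token"):
            row["refresh_token"] = token_response["refresh_token"]
        row["access_token"] = token_response["access_token"]
        row["expires_at"] = now + int(token_response["expires_in"])

    def get(self, user_id):
        return self._rows.get(user_id)


def is_expired(row, now):
    return now >= row["expires_at"] - REFRESH_SKEW


def build_refresh_request(client_id, client_secret, refresh_token):
    """The refresh_token grant: a form-encoded POST to the token endpoint."""
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    })
    return TOKEN_ENDPOINT, body


class FakeTokenEndpoint:
    """Constructed stand-in for Google's token endpoint so the example runs offline.
    It accepts one refresh token and answers like Google does: a fresh access_token,
    expires_in and token_type, with no refresh_token field."""

    def __init__(self, valid_refresh_token):
        self.valid_refresh_token = valid_refresh_token
        self.calls = 0

    def post(self, body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        if form.get("refresh_token") != self.valid_refresh_token:
            return {"error": "invalid_grant"}  # revoked, expired or unknown refresh token
        self.calls += 1
        return {"access_token": "ya29.refreshed-%d" % self.calls,
                "expires_in": 3600, "token_type": "Bearer"}


def get_valid_access_token(store, user_id, client_id, client_secret, endpoint, now=None):
    """Return a usable access token, refreshing through the stored refresh token when the
    current one is about to expire.  Raises when no refresh token was ever stored, which
    is the situation behind the Google_AuthException in the question; the only way out
    is to send the user back through build_auth_url()."""
    now = time.time() if now is None else now
    row = store.get(user_id)
    if row is None:
        raise LookupError("user %r has never authorized this app" % user_id)
    if not is_expired(row, now):
        return row["access_token"]
    if not row.get("refresh_token"):
        raise RuntimeError("access token expired and no refresh token stored; "
                           "re-authorize with access_type=offline and approval_prompt=force")
    _, body = build_refresh_request(client_id, client_secret, row["refresh_token"])
    resp = endpoint.post(body)
    if "error" in resp:
        raise RuntimeError("refresh failed: %s" % resp["error"])
    store.save(user_id, resp, now)
    return resp["access_token"]


if __name__ == "__main__":
    store = TokenStore()
    google = FakeTokenEndpoint("1/refresh-abc")
    # Constructed first-approval response: the only time refresh_token is present.
    store.save("alice", {"access_token": "ya29.first", "expires_in": 3600,
                         "refresh_token": "1/refresh-abc", "token_type": "Bearer"}, now=1000)
    print(get_valid_access_token(store, "alice", "CID", "SECRET", google, now=1500))
    print(get_valid_access_token(store, "alice", "CID", "SECRET", google, now=5000))
```

The store is the part that matters for the question's error: a later auto-approved login returns a token response without refresh_token, and a naive "replace the whole row" save would erase the one obtained on first approval, leaving the app with exactly the exception quoted above an hour later. In production the refresh token and client secret belong in the database and configuration respectively, not in source, and the stored refresh token should be treated as a credential.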