5
votes

I have an access_token, say A, with access_type offline, and it expires 3600 seconds after the time it was obtained, i.e. t0.

I also have the refresh_token obtained the first time along with the access_token.

At a later time, say at t0 + 1000 seconds (before the access token's expiry time), I exchange the refresh token for a new access token B.

Now, is my earlier access_token A still valid?

Additional note: This is of concern to me as I am using multiple asynchronous operations in my code using the same access_token, and I do not want any one of the operations to fail if another operation exchanges the refresh_token for an access_token before the expiry time.

1
I don't think the OAuth2 spec says anything about invalidating an access token when it is refreshed prematurely, but it might be implementation-dependent. Why not try it and see? It's a straightforward thing to check. - Shaun the Sheep

1 Answer

0
votes

Refresh tokens are issued to the client by the authorization server for the following reasons:

  1. To obtain a new access token when the current access token becomes invalid or expires.
  2. To obtain additional access tokens with identical or narrower scope.

In your case you are using it for the 2nd reason. Therefore token A still remains valid.
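
An added example, not part of the answer above and not any provider's API: a client-side pattern that lets several asynchronous operations share one access token without depending on whether the server keeps token A valid after a premature refresh. `FakeAuthServer`, `TokenManager`, `refresh_if_stale` and the token values `"A"` and `"R"` are hypothetical names constructed for the demonstration.

```python
import asyncio

class FakeAuthServer:
    """Constructed stand-in for an authorization server (not a real API)."""
    def __init__(self, revoke_old_on_refresh):
        self.revoke_old = revoke_old_on_refresh   # implementation-dependent behaviour
        self.valid = {"A"}
        self.refresh_calls = 0

    async def refresh(self, refresh_token):
        await asyncio.sleep(0.01)                 # simulated network round trip
        self.refresh_calls += 1
        if self.revoke_old:
            self.valid.clear()                    # older access tokens stop working
        new = "T%d" % self.refresh_calls
        self.valid.add(new)
        return new

    async def api_call(self, token):
        await asyncio.sleep(0.01)
        return 200 if token in self.valid else 401

class TokenManager:
    """Shares one access token between tasks; refreshes are single-flight."""
    def __init__(self, server, access_token, refresh_token):
        self.server, self.token, self.refresh_token = server, access_token, refresh_token
        self._lock = asyncio.Lock()

    async def refresh_if_stale(self, stale):
        async with self._lock:
            if self.token == stale:               # nobody has refreshed since we read it
                self.token = await self.server.refresh(self.refresh_token)
            return self.token

    async def call(self):
        token = self.token
        status = await self.server.api_call(token)
        if status == 401:                         # old token rejected: refresh once, retry
            token = await self.refresh_if_stale(token)
            status = await self.server.api_call(token)
        return status

async def demo(revoke_old_on_refresh):
    server = FakeAuthServer(revoke_old_on_refresh)
    mgr = TokenManager(server, "A", "R")
    early = asyncio.gather(*(mgr.call() for _ in range(5)))   # in flight with token A
    await mgr.refresh_if_stale("A")                           # premature refresh
    late = await asyncio.gather(*(mgr.call() for _ in range(5)))
    return (await early) + late, server.refresh_calls
```

Running `asyncio.run(demo(True))` and `asyncio.run(demo(False))` covers both server behaviours: every operation ends with status 200 and the refresh token is exchanged exactly once.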