I need to understand whether a refresh token from OAuth 2.0 for Google data expires or not if unused for more than 6 months.

At many places it is called out that it doesn't expire and at some places it is said that it will expire if unused for 6 months.

For example, in this question, the accepted answer says that it never expires, but one of the comments suggests that it can expire if unused for 6 months.

This Google doc calls out that a refresh token will never expire, while this doc says it can expire if not used for 6 months.

Although I am using a safety check for the cases where the refresh token has expired for any reason, I still want to make sure I understand the behavior correctly.


1 Answer

You are correct: the two pages Using OAuth 2.0 for Web Server Applications and Using OAuth 2.0 to Access Google APIs don't have the same information.

Using OAuth 2.0 to Access Google APIs is correct.

You should write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons:

  • The user has revoked access.
  • The token has not been used for six months.
  • The user account has exceeded a certain number of token requests.

There is currently a 25-token limit per Google user account. If a user account has 25 valid tokens, the next authentication request succeeds, but quietly invalidates the oldest outstanding token without any user-visible warning.

If you need to authorize multiple programs, machines, or devices, one workaround is to limit the number of clients that you authorize per user account to 15 or 20. If you are a Google Apps admin, you can create additional admin users and use them to authorize some of the clients.

A refresh token that hasn't been used for 6 months will expire.

I have sent in a bug report on the first URL. Google should clear up the discrepancy the next time they go through the documents.
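As an added example of the "anticipate that a granted token might no longer work" advice above (this is not code from the question, the answer, or Google's client libraries), here is a refresh routine that distinguishes a dead refresh token from a transient failure. It assumes a caller-supplied `post(url, data)` function so the logic runs offline; the token endpoint URL and the `invalid_grant` error code are Google's real ones, while the sample tokens and the exact `error_description` wording are constructed.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Google's OAuth 2.0 token endpoint (real URL).
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

@dataclass
class RefreshResult:
    ok: bool                      # got a fresh access token
    access_token: Optional[str]   # the new token, if ok
    needs_reauth: bool            # stored refresh token is dead; run consent flow again
    reason: str                   # human-readable explanation for logs

def refresh_access_token(client_id: str, client_secret: str, refresh_token: str,
                         post: Callable[[str, Dict[str, str]], Tuple[int, str]]) -> RefreshResult:
    """Exchange a refresh token for an access token and classify any failure."""
    status, body = post(TOKEN_ENDPOINT, {
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    })
    try:
        payload = json.loads(body)
    except ValueError:
        payload = None
    if not isinstance(payload, dict):
        # Not a JSON object (e.g. an HTML error page): treat as transient, keep the token.
        return RefreshResult(False, None, False, "unparseable response (HTTP %d)" % status)
    if status == 200 and "access_token" in payload:
        return RefreshResult(True, payload["access_token"], False, "refreshed")
    error = payload.get("error", "")
    if error == "invalid_grant":
        # The refresh token itself is no longer valid: the user revoked access,
        # it sat unused for six months, or the per-account token limit pushed it
        # out. Retrying cannot help; only a new consent flow can, so say so.
        return RefreshResult(False, None, True, payload.get("error_description", error))
    # Anything else (invalid_client, 5xx, rate limiting) is not proof that the
    # refresh token is dead, so report it without discarding the stored token.
    return RefreshResult(False, None, False, "HTTP %d: %s" % (status, error or body))

def canned_endpoint(status: int, body: dict) -> Callable[[str, Dict[str, str]], Tuple[int, str]]:
    """Constructed stand-in for the HTTP POST, returning a fixed response (offline use)."""
    def post(url: str, data: Dict[str, str]) -> Tuple[int, str]:
        assert url == TOKEN_ENDPOINT and data["grant_type"] == "refresh_token"
        return status, json.dumps(body)
    return post
```

When `needs_reauth` is true the right move is to delete the stored refresh token and send the user back through the authorization URL, not to keep retrying the refresh.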