3
votes

When will a Google OAuth2 refresh token expire?

What I mean by expiration is expiration because a certain time span has passed (not because the user has revoked access or because the user has requested a new refresh token).

I have done some research, and none of the sources cited official Google documentation (I can't find any valid Google documentation either).


Some other questions said that it never expires because of time:

Do Google refresh tokens expire?

https://community.fitbit.com/t5/Web-API-Development/Invalid-or-expired-refresh-tokens/td-p/1048159

While others said that it will expire (some said 14 days, others said 60 days):

This one said 14 days: Why do refresh tokens expire after 14 days

This one said 60 days: https://blog.box.com/blog/oauth2-update-longer-lived-refresh-tokens/

This one said "very long time" (no exact time): https://medium.com/@bantic/more-oauth-2-0-surprises-the-refresh-token-1831d71f4af6


Because of a certain requirement, I need to have a refresh token that never expires because of the passing of time, so I require a refresh token that can still be used after 20 years or so.

If the refresh token expires before that time, then I will need to change my approach, so I need to know whether they expire or not.

1 Answer

7
votes

First, let me start by saying there is no way to get a refresh token that will be guaranteed to work after 20 years. Technology will change in that time. Also note that I am answering from the standpoint of Google's OAuth servers. Each server is set up differently, and different companies may have different rules as to when a refresh token will expire. If you want some kind of industry standard, you are best off checking the RFC for OAuth.

A refresh token can expire.

  1. If a user removes your access.
  2. A user can have a maximum of 50 refresh tokens for your application. That means if they authenticate your application 50 times, you will have 50 outstanding and working refresh tokens; when they authenticate it again, the first one will expire and you will again get a new one that will work.
  3. If a refresh token hasn't been used in three to six months, it will expire.
  4. I have seen a few issues with Google where huge batches of refresh tokens suddenly expired; this happened a few years ago in the fall. I never got verification from Google about what the problem was. My guess is it was a time change issue, as it happened the week everyone changed their time.

Basically, what all this means is that no matter what, your code should be able to request access from the user again if your refresh token has expired.
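
The fallback recommended in the answer above, sketched as an added example (not code from the original answer or from Google). It assumes Google's token endpoint at `https://oauth2.googleapis.com/token` and the `invalid_grant` error code from RFC 6749 section 5.2; the `store` dict, the function names and the injectable `post` callable are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # assumed Google token endpoint

class ReauthorizationRequired(Exception):
    """The refresh token is dead; the user must go through consent again."""

def post_form(url, fields):
    """POST form fields; return (HTTP status, parsed JSON body or {})."""
    data = urllib.parse.urlencode(fields).encode()
    try:
        with urllib.request.urlopen(url, data=data, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read())
        except ValueError:  # error page that is not JSON
            return err.code, {}

def refresh_access_token(refresh_token, client_id, client_secret, post=post_form):
    """Exchange a refresh token for (access_token, expires_in)."""
    status, body = post(TOKEN_URL, {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if status == 200 and "access_token" in body:
        return body["access_token"], body.get("expires_in")
    if body.get("error") == "invalid_grant":
        # Expired, revoked, or pushed out by a newer token: retrying cannot help.
        raise ReauthorizationRequired(body.get("error_description", "invalid_grant"))
    # Anything else (5xx, rate limit, bad client) is not proof the token is dead.
    raise RuntimeError(f"token endpoint returned {status}: {body.get('error')}")

def access_token_or_reconsent(store, user, client_id, client_secret, post=post_form):
    """Return ("token", value), or ("reconsent", None) after dropping a dead token."""
    refresh_token = store.get(user)
    if refresh_token is None:
        return "reconsent", None
    try:
        token, _ = refresh_access_token(refresh_token, client_id, client_secret, post)
    except ReauthorizationRequired:
        store.pop(user, None)  # never keep presenting a token the server rejected
        return "reconsent", None
    return "token", token
```

Only `invalid_grant` discards the stored token; other failures raise and leave it in place, so an outage at the token endpoint does not force every user back through consent.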