2
votes
  1. We have Google OAuth2 Web client at Google API Console
  2. With the help of the OAuth Web Client, we get a refresh token for each user (by using web authentication and the consent screen)
  3. We store the received refresh token in the database, and the system uses this user-specific refresh token to create Google Calendar events automatically on behalf of the logged-in user (we have around 1000 users)

Problem: For the past couple of days, refresh tokens have been expiring automatically and we are getting the following error.

{ "error": "invalid_grant", "error_description": "Token has been expired or revoked." }

When a user re-registers, the system receives a new refresh token and everything starts working again; however, after some time (not sure, but in less than a day or two) they again start getting the "Token has been expired or revoked" error.

Is there any limit imposed on refresh tokens? Is there any limit on getting refresh tokens using the same API client? (We have 1000 individual G Suite or Gmail users who have registered for a refresh token individually using their personal Gmail or G Suite account.) Is there any API change to get a long-lived refresh token?

Regards, DP


1 Answer

1
votes

Your Questions

Is there any limit imposed on refresh tokens?

You can authorize a user and get a refresh token, then authorize the same user again and get a second refresh token. The user now has two outstanding refresh tokens and both work. You can do this up to fifty times and have fifty outstanding refresh tokens for this user. Once you do it again the first one will expire.

You can have fifty outstanding refresh tokens for a user, so if you are reauthorizing them, make sure that you are replacing the one stored in your database with the newest refresh token.

Is there any limit on getting refresh tokens using the same API client? (We have 1000 individual G Suite or Gmail users who have registered for a refresh token individually using their personal Gmail or G Suite account.)

Your client can authorize as many users as you like. There is no limit to the number of users your system can have.

Is there any API change to get a long-lived refresh token?

Not that I am aware of.

The error message

There are a couple of things that could be happening here.

  1. The first being that the user has the power to revoke your access through their Google account. It looks to me like this may be what is happening.

  2. The second issue is the fact that it's October and Google daylight savings time is kicking in. Several years ago there was an issue with daylight savings time expiring tokens.

  3. The third issue is that if your refresh token has not been used in the last six months, it will be expired by Google.

The fact of the matter is that refresh tokens are not perfect due to the above reasons. Your system should be designed to handle this: if the refresh token fails, then simply set it up to ask the user for access again.

{ "error": "invalid_grant", "error_description": "Token has been expired or revoked." }
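One way to implement the handling the answer recommends, as an added example that is not part of the original answer: overwrite the stored refresh token on every reauthorization, and treat `invalid_grant` as a signal to stop using the token and send the user back through consent. `TokenStore`, the injected `post` callable and `fake_post` are hypothetical names, and the responses in `fake_post` are constructed for an offline run.

```python
import json

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint

class ReauthRequired(Exception):
    """The stored refresh token is dead; the user must go through consent again."""

class TokenStore:
    """Hypothetical in-memory stand-in for the database table of refresh tokens."""
    def __init__(self):
        self.rows = {}  # user_id -> {"refresh_token": str | None, "needs_reauth": bool}

    def save_new_grant(self, user_id, refresh_token):
        # Always overwrite: keep only the newest token, as the answer advises
        self.rows[user_id] = {"refresh_token": refresh_token, "needs_reauth": False}

    def mark_dead(self, user_id):
        # Drop the unusable secret and remember that consent is needed
        self.rows[user_id] = {"refresh_token": None, "needs_reauth": True}

def get_access_token(store, user_id, client_id, client_secret, post):
    """post(url, form) -> (status, body_text) is injected so any HTTP client fits."""
    row = store.rows.get(user_id)
    if not row or row["needs_reauth"]:
        raise ReauthRequired(user_id)
    status, body = post(TOKEN_URL, {
        "grant_type": "refresh_token",
        "refresh_token": row["refresh_token"],
        "client_id": client_id,
        "client_secret": client_secret,
    })
    data = json.loads(body)
    if status == 200:
        return data["access_token"]
    if data.get("error") == "invalid_grant":
        # Expired or revoked: retrying cannot help, so flag the user instead
        store.mark_dead(user_id)
        raise ReauthRequired(user_id)
    # Any other failure is treated as transient; the stored token is kept
    raise RuntimeError(f"token endpoint returned {status}: {data.get('error')}")

def fake_post(url, form):
    """Constructed responses for an offline run; not real Google traffic."""
    if form["refresh_token"] == "rt-live":
        return 200, json.dumps({"access_token": "at-123", "expires_in": 3599})
    err = {"error": "invalid_grant",
           "error_description": "Token has been expired or revoked."}
    return 400, json.dumps(err)
```

Catching `ReauthRequired` in the calendar job lets it skip that user and queue a re-consent prompt instead of retrying a dead token.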