OAuth2 and Google API: access token expiration time?

by

You shouldn’t design your application based on specific lifetimes of access tokens. Just assume they are (very) short lived.

However, after a successful completion of the OAuth2 installed application flow, you will get back a refresh token. This refresh token never expires, and you can use it to exchange it for an access token as needed. Save the refresh tokens, and use them to get access tokens on-demand (which should then immediately be used to get access to user data).

EDIT: My comments above notwithstanding, there are two easy ways to get the access token expiration time:

  1. It is a parameter in the response (expires_in)when you exchange your refresh token (using /o/oauth2/token endpoint). More details.

  2. There is also an API that returns the remaining lifetime of the access_token:

    https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={accessToken}

    This will return a json array that will contain an expires_in parameter, which is the number of seconds left in the lifetime of the token.

More Related Contents:

  1. client secret in OAuth 2.0
  2. Why Does OAuth v2 Have Both Access and Refresh Tokens?
  3. JWT refresh token flow
  4. Restrict Login Email with Google OAuth2.0 to Specific Domain Name
  5. Why do access tokens expire?
  6. What’s the right OAuth 2.0 flow for a mobile app
  7. Using Postman to access OAuth 2.0 Google APIs
  8. Getting a 403 – Forbidden for Google Service Account
  9. Sign in with Google temporarily disabled for this app
  10. Google Authenticator available as a public service?
  11. Access to Google API – GoogleAccountCredential.usingOAuth2 vs GoogleAuthUtil.getToken()
  12. What is token-based authentication?
  13. How to refresh token with Google API client?
  14. Are HTTPS headers encrypted?
  15. The signing fingerprint you specified is already used by another Android OAuth2 client
  16. How secure is a HTTP POST?
  17. Best Practices: Salting & peppering passwords?
  18. Payment Processors – What do I need to know if I want to accept credit cards on my website? [closed]
  19. Service Applications and Google Analytics API V3: Server-to-server OAuth2 authentication?
  20. Declaring Spring Bean in Parent Context vs Child Context
  21. Best way for a ‘forgot password’ implementation? [closed]
  22. Should JWT be stored in localStorage or cookie? [duplicate]
  23. Is it worth encrypting email addresses in the database?
  24. UNREGISTERED_ON_API_CONSOLE while getting OAuth2 token on Android
  25. Is it possible to reverse a SHA-1 hash?
  26. Secure Google Cloud Functions http trigger with auth
  27. What is the appropriate way to manage API secrets within a Google Apps script?
  28. ImportError: cannot import name SignedJwtAssertionCredentials
  29. How to protect against direct access to images? [closed]
  30. Google API OAuth2, Service Account, “error” : “invalid_grant”

Leave a Comment