Our app uses the usual short-lived access + refresh tokens to do a bunch of background services for users. This means that every now and then the services need to refresh the tokens.

We've run into an issue where 2 services try to refresh a token at the same time, thus resulting in an invalid token.

Is there a better way to generate a usable access token that doesn't require a refresh every hour?

john2x

1 Answer

There is no reason why generating more access tokens from refresh tokens would cause an error.
Existing non-expired access tokens are not invalidated when a new one is produced from the refresh token. Check your code for errors there.
Also, there is no way to generate a long-lived access token. What you ask is how OAuth1/ClientLogin used to work (they expired after 2 weeks instead of 1 hour). In OAuth2 there is no such thing as a long-lived access token.

Zig Mandel
  • Hmm ok. I was under the impression that refreshing a token invalidates the previous access token. I've been getting a lot of "invalid_grant" errors, and no idea what's causing them (the user definitely didn't revoke permissions). It's not easily reproducible though, can't determine how the token got to that invalid state. It just does, every now and then. – john2x Oct 16 '14 at 06:06
  • You can try in the OAuth Playground. Generating new access tokens does not invalidate the previous. Rather, you usually generate the new access token because the previous expired. – Zig Mandel Oct 16 '14 at 06:11
  • I see. Thanks. That's one less thing to worry about while I track this down. But does the refresh token get invalidated when it's used? So if I try to refresh twice using the same refresh token, would that cause issues? – john2x Oct 16 '14 at 06:14
  • No, it wouldn't. See the YouTube video about Google OAuth by the Google guy that did the O'Reilly book. – Zig Mandel Oct 16 '14 at 06:16
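
Added example, not part of the question, answer or comments: one way for several background workers to share a single cached access token so that only one of them refreshes it when it nears expiry. It assumes the workers are threads in one process; `refresh_fn` is a hypothetical callable standing in for the real refresh-token request, and `demo` uses a constructed fake in its place.

```python
import threading
import time


class SharedAccessToken:
    """Caches one access token and refreshes it single-flight across threads."""

    def __init__(self, refresh_fn, skew=60, clock=time.monotonic):
        # refresh_fn() -> (access_token, expires_in_seconds). Hypothetical:
        # it would POST grant_type=refresh_token to the token endpoint.
        self._refresh_fn = refresh_fn
        self._skew = skew          # refresh this many seconds before expiry
        self._clock = clock
        self._lock = threading.Lock()
        self._state = None         # (token, expires_at), swapped atomically

    def _current(self):
        state = self._state
        if state and self._clock() < state[1] - self._skew:
            return state[0]
        return None

    def get(self):
        token = self._current()    # fast path: token still valid, no lock
        if token:
            return token
        with self._lock:
            token = self._current()  # re-check: another worker may have refreshed
            if token is None:
                token, expires_in = self._refresh_fn()
                self._state = (token, self._clock() + expires_in)
            return token


def demo(workers=8):
    """Start several workers at once; return (refresh calls, tokens seen)."""
    calls, results = [], []

    def fake_refresh():            # constructed stand-in for the HTTP call
        time.sleep(0.05)           # simulated network latency
        calls.append(1)
        return "access-%d" % len(calls), 3600

    cache = SharedAccessToken(fake_refresh)
    threads = [threading.Thread(target=lambda: results.append(cache.get()))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(calls), set(results)
```

Services running as separate processes or hosts would need the same check-then-refresh logic around a shared store and lock instead of `threading.Lock`.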