14

Each refresh token is valid for 14 days. Why do the refresh tokens expire?

Kara
yednamus
  • 2
    Refresh tokens won't expire until the app is revoked by the user. http://stackoverflow.com/questions/8953983/do-google-refresh-token-expire – name-it Feb 03 '14 at 19:15

1 Answer

14

14 days was based on what is considered best practice in implementing OAuth2. See Why do access tokens expire? for a pretty comprehensive answer about why OAuth2 refresh tokens expire.

We are interested in hearing what number bigger than 14 would work for your application. We picked 14 days based on initial feedback, surveys from application developers, as well as looking at application logins by users. A high majority of users log in with apps more often than every 14 days.

Can you explain your use case? What would be the ideal non-infinite refresh interval that would give you a balance between peace of mind about security and convenience?

Community
Peter
  • I don't agree with you on this. Generally refresh tokens last very long, not a limited number of days in which I need to involve the user again and again, which is bad implementation. Take a look into this post: http://stackoverflow.com/questions/8953983/do-google-refresh-token-expire – yednamus Mar 22 '13 at 12:34
  • 1
    If your application isn't used every 14 days by your users, shouldn't they have to re-authenticate? Most business apps are used by people at least once a week, if not more regularly. Asking the user to re-authenticate after they come back from a long vacation seems entirely reasonable. Can you explain why your users aren't using your app at least every 14 days in regular practice? – Peter Mar 23 '13 at 15:15
  • 1
    @PlatformBoxer Not all apps are user-facing, or have some background process that the user expects to keep working after having authenticated once with it. Typically this is done by having the app request "offline access" (see facebook, twitter, everything else), and the dev being able to request permanent tokens if granted. – Steven Soroka Mar 25 '13 at 21:40
  • I get that not all apps are user-facing. I've written cron-tab jobs as well. However, we are talking about an enterprise's potential crown jewels here. Many of the other commercial products only offer "long-lived" OAuth2 tokens. See Google. The oddity there is that they don't define 'long'. Are you doing something that is cron-tabbed for longer than 14 days? How many days? Monthly? Quarterly? Annually? How often does the length of encryption keys typically need to be changed? We are debating what longer time period would be reasonable. Do you have a proposal? – Peter Apr 02 '13 at 07:33
  • 2
    We have just updated refresh_tokens to live for 60 days instead of 14, based on some data from applications that had use cases where their users only logged in every month. – Peter Nov 07 '13 at 18:47
  • I notice that an ASP.NET Web API project also defaults to 14 days? Out of curiosity, why was 14 days chosen as best practice? – Ciaran Gallagher Apr 10 '18 at 14:16
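The answer's reasoning (a bounded refresh-token lifetime is harmless for users who come back within the window, and the 14-day value was later raised to 60 days for monthly users) is easier to see with a small model. The following is an added example, not code from the original thread or from the provider being discussed. It assumes the common OAuth2 pattern that RFC 6749 section 6 permits: every use of a refresh token rotates it, retiring the old token and issuing a new one with a fresh lifetime, so an active client never hits the expiry, while a dormant one must re-authenticate. The 14-day and 60-day lifetimes are the values quoted in the thread; the class and function names, the one-hour access-token lifetime, the user name and the start date are assumptions made for illustration. The store also rejects replay of an already rotated refresh token and revokes the whole token family when that happens, which is the detection benefit a bounded, rotating token gives a defender over a permanent one.

```python
"""Model of a bounded, rotating OAuth2 refresh-token lifetime.

Added example (not the thread's or the provider's code). Assumes refresh-token
rotation on every use; lifetimes 14 and 60 days come from the thread, all other
names and values are constructed for illustration.
"""
import secrets
from datetime import datetime, timedelta, timezone

REFRESH_TOKEN_LIFETIME = timedelta(days=14)   # value quoted in the answer
ACCESS_TOKEN_LIFETIME = timedelta(hours=1)    # assumption, not from the thread


class RefreshTokenStore:
    """In-memory authorization-server side of the refresh grant (hypothetical)."""

    def __init__(self, lifetime=REFRESH_TOKEN_LIFETIME):
        self.lifetime = lifetime
        # token -> record; a "family" ties every rotation of one grant together
        self._tokens = {}
        self._revoked_families = set()

    def issue(self, user, now, family=None):
        """Mint a refresh token that expires `lifetime` after `now`."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "user": user,
            "expires": now + self.lifetime,
            "family": family or secrets.token_hex(8),
            "used": False,
        }
        return token

    def refresh(self, token, now):
        """Exchange a refresh token; return new tokens, or None if the client
        must send the user through a full login again."""
        rec = self._tokens.get(token)
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # A rotated token presented twice means a copy exists somewhere it
            # should not: retire the entire family, not just this token.
            self._revoked_families.add(rec["family"])
            return None
        if now >= rec["expires"]:
            return None  # the bounded lifetime ran out: re-authenticate
        rec["used"] = True
        return {
            "access_token": secrets.token_urlsafe(32),
            "access_expires": now + ACCESS_TOKEN_LIFETIME,
            "refresh_token": self.issue(rec["user"], now, rec["family"]),
        }


def simulate_logins(usage_interval_days, horizon_days, lifetime_days):
    """Count full re-authentications a client needs when it refreshes once
    every `usage_interval_days` over `horizon_days` with the given lifetime."""
    store = RefreshTokenStore(timedelta(days=lifetime_days))
    now = datetime(2013, 1, 1, tzinfo=timezone.utc)  # constructed start date
    end = now + timedelta(days=horizon_days)
    step = timedelta(days=usage_interval_days)
    refresh = store.issue("alice", now)  # constructed user
    relogins = 0
    now += step
    while now <= end:
        result = store.refresh(refresh, now)
        if result is None:
            relogins += 1
            refresh = store.issue("alice", now)  # user logged in again
        else:
            refresh = result["refresh_token"]
        now += step
    return relogins


def reuse_detection_outcome():
    """Return (first_refresh_ok, replay_rejected, family_revoked) for a
    rotated token that is later presented a second time."""
    store = RefreshTokenStore()
    t0 = datetime(2013, 1, 1, tzinfo=timezone.utc)
    old = store.issue("alice", t0)
    first = store.refresh(old, t0 + timedelta(days=1))
    replay = store.refresh(old, t0 + timedelta(days=2))  # old token again
    after = store.refresh(first["refresh_token"], t0 + timedelta(days=3))
    return (first is not None, replay is None, after is None)


if __name__ == "__main__":
    for interval, lifetime in ((7, 14), (30, 14), (30, 60)):
        n = simulate_logins(interval, 365, lifetime)
        print(f"use every {interval}d, lifetime {lifetime}d: {n} re-logins/year")
    print("reuse detection:", reuse_detection_outcome())
```

Running it shows the trade-off the thread argues about: a client used weekly never re-authenticates under a 14-day lifetime, a client used monthly re-authenticates on every visit under 14 days but never under 60 days, and a replayed refresh token is refused and takes the rest of its family with it.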