6

I am trying to use Gmail SMTP using OAuth 2.0. I have used aspose.dll for requesting an access token using the authorization URL. I do not get a refresh token when I get the response, so there is no way to request a new access token if the previous one is expired. So I thought of getting an access token every time my app requires one. And if the authorization code gets expired then I cannot follow this approach.

Does the authorization code for Gmail OAuth2 ever expire?

hjpotter92
Milind Anantwar

1 Answer

11

Google's OAuth 2.0 does provide Refresh Tokens!!! This link here explains the various flows and talks about apps obtaining both access and an optional refresh token for all scenarios.

Authorization code DOES expire! That's what the OAuth protocol dictates. I cannot find an exact time period to quote here for Google, but I do know that for Facebook, the authorization code expires in 10 minutes (see the December 5 change in the link).
The Refresh Token has been made available for use cases like yours. If the authorization code were to persist, what difference would remain between a Refresh Token and an Authorization code?

I'd suggest you look up the documentation of the Aspose libraries you are using.

PS - Authorization code/access tokens/refresh tokens are all issued by a central Google Authorization server! So, we're talking about Google's Authorization code which, as I said, does expire.

Good luck!

EDIT - Adding more info for you

     The authorization code generated by the
     authorization server.  The authorization code MUST expire
     shortly after it is issued to mitigate the risk of leaks.  A
     maximum authorization code lifetime of 10 minutes is
     RECOMMENDED.  The client MUST NOT use the authorization code
     more than once.  If an authorization code is used more than
     once, the authorization server MUST deny the request and SHOULD
     revoke (when possible) all tokens previously issued based on
     that authorization code.  The authorization code is bound to
     the client identifier and redirection URI.

Source - https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-31
Section - 4.1.2

Community
divyanshm
  • Thanks, do you know any .NET library that'll get me both access and secret token? – Milind Anantwar May 07 '13 at 04:56
  • I'm afraid not. But Google does provide its own dotnet API for OAuth, why don't you use that? http://code.google.com/p/google-api-dotnet-client/wiki/OAuth2 This link also has some samples, you might want to go through them. – divyanshm May 07 '13 at 04:59
  • But they have not mentioned anywhere about getting access and refresh token both. – Milind Anantwar May 07 '13 at 05:51
  • They have mentioned - Once you get an authorization code, you can use this code to get a refresh-token and an access-token. An access token is usually valid for a maximum of one hour, and allows you to access the user's data. Every time you make a request to protected data, you have to authorize the request using an access token.!!! But alas, even I don't see any code samples where they've fetched the refresh token. I'll let you know if I could find a sample. – divyanshm May 07 '13 at 06:00
  • You might want to see this too - http://stackoverflow.com/questions/10827920/google-oauth-refresh-token-is-not-being-received – divyanshm May 07 '13 at 06:02
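
The rules in the section 4.1.2 text quoted in the answer (short lifetime, single use, revocation on reuse, binding to the client identifier and redirection URI), sketched from the authorization server's side. This is an added example, not code from the answer, Google, or Aspose; `AuthCodeStore`, its method names and the sample client values are hypothetical.

```python
import secrets
import time

CODE_LIFETIME = 600  # seconds: the 10-minute maximum recommended in section 4.1.2


class AuthCodeStore:
    """In-memory authorization-code bookkeeping (hypothetical, for illustration)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self.codes = {}             # code -> record
        self.live_tokens = {}       # token -> code it was issued from

    def issue(self, client_id, redirect_uri):
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "expires_at": self.clock() + CODE_LIFETIME, "used": False}
        return code

    def redeem(self, code, client_id, redirect_uri):
        """Exchange a code for (access_token, refresh_token) or raise ValueError."""
        rec = self.codes.get(code)
        if rec is None:
            raise ValueError("invalid_grant: unknown code")
        if rec["used"]:
            # Second use: deny, and revoke every token issued from this code.
            self.live_tokens = {t: c for t, c in self.live_tokens.items() if c != code}
            raise ValueError("invalid_grant: code already used")
        if self.clock() >= rec["expires_at"]:
            raise ValueError("invalid_grant: code expired")
        if (rec["client_id"], rec["redirect_uri"]) != (client_id, redirect_uri):
            raise ValueError("invalid_grant: client or redirect_uri mismatch")
        rec["used"] = True
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.live_tokens[access] = self.live_tokens[refresh] = code
        return access, refresh

    def is_live(self, token):
        return token in self.live_tokens


if __name__ == "__main__":
    store = AuthCodeStore()
    c = store.issue("client-a", "https://app.example/callback")  # constructed values
    access, refresh = store.redeem(c, "client-a", "https://app.example/callback")
    print("first redemption ok:", store.is_live(access))
    try:
        store.redeem(c, "client-a", "https://app.example/callback")
    except ValueError as err:
        print("replay rejected:", err, "| tokens revoked:", not store.is_live(refresh))
```

A client that wants long-lived access therefore has to keep the refresh token from the first exchange; re-presenting the code later fails and, under these rules, also invalidates the tokens it already holds.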