What is the expiry time of a GitHub OAuth access token? And how do I renew it? I don't see any refresh token in their documentation. Please guide me. Thanks in advance.
3 Answers
2014: As commented in this "GitHub OAuth Busy Developer's Guide"
Tokens don't have to expire.
They only send back the access token and an expiration (field "`expires_in`", seen as far back as 2013) if the `offline_access` scope is not requested (as it is the case for a refresh token).
Right now, GitHub just assumes all apps want offline access.
You can check an OAuth application authorization, delete it or revoke it.
But the token itself doesn't seem to be bound to an expiry date unless it is not used for one year.
badsyntax adds in the comments:
I also found this useful:
"An OAuth token does not expire until the person who authorized the OAuth App revokes the token."
From "Migrating OAuth Apps to GitHub Apps".
Stokito points out in the comments to rfc6749 / 4.2.2 Access Token Response:
expires_in
RECOMMENDED.
The lifetime in seconds of the access token.
For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.

- I also found this useful: "An OAuth token does not expire until the person who authorized the OAuth App revokes the token." From https://developer.github.com/apps/migrating-oauth-apps-to-github-apps/ – badsyntax Nov 23 '18 at 17:30
- @badsyntax Thank you. I have included your comment in the answer for more visibility. – VonC Nov 23 '18 at 17:32
- The `expires_in` is described in the OAuth spec: https://tools.ietf.org/html/rfc6749#section-4.2.2 – Sergey Ponomarev Jan 08 '20 at 12:15
- Is this still valid? I found it has an `expires_in` attribute here: https://docs.github.com/en/developers/apps/building-github-apps/refreshing-user-to-server-access-tokens – Terry Windwalker May 22 '21 at 07:33
- @TerryWindwalker Yes, it is. I have edited the answer to explain the general principle. – VonC May 22 '21 at 10:53
Generally, the `access_token` of GitHub has no expiry until you revoke the OAuth token.
You can consider opting in to the GitHub App expiration token beta feature. This would make your app use expiring user tokens valid for 8 hours, and refresh tokens valid for 6 months.
Here's an official step-by-step guide

GitHub will automatically revoke an OAuth token or personal access token when the token hasn't been used in one year.
Interestingly, some other OAuth providers issue short-lived access tokens and long-lived refresh tokens, as suggested discretionally in the OAuth spec. For example, GitLab OAuth "access tokens expire in two hours" and each refresh token may only be used once. This mitigates the damage that stolen access tokens can do.

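Client-side handling of the two cases the answers above describe (a token response with no `expires_in`, and an expiring token issued with a refresh token), as an added example that is not part of any answer or of GitHub's own code. The `refresh_token_expires_in` field name, the five-minute skew and all sample values are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

REFRESH_SKEW = timedelta(minutes=5)  # assumption: refresh this long before expiry

@dataclass(frozen=True)
class TokenState:
    access_token: str
    expires_at: Optional[datetime]          # None: server advertised no expiry
    refresh_token: Optional[str]
    refresh_expires_at: Optional[datetime]

def _deadline(body: dict, field: str, issued_at: datetime) -> Optional[datetime]:
    """Turn a lifetime in seconds (RFC 6749 expires_in style) into a deadline."""
    raw = body.get(field)
    if raw is None:
        return None
    seconds = int(raw)  # tolerate the number arriving as a string
    if seconds <= 0:
        raise ValueError(f"{field} must be positive, got {raw!r}")
    return issued_at + timedelta(seconds=seconds)

def parse_token_response(body: dict, issued_at: datetime) -> TokenState:
    if "error" in body:  # OAuth error responses carry an "error" field
        raise ValueError(f"token endpoint error: {body['error']}")
    return TokenState(
        access_token=body["access_token"],
        expires_at=_deadline(body, "expires_in", issued_at),
        refresh_token=body.get("refresh_token"),
        refresh_expires_at=_deadline(body, "refresh_token_expires_in", issued_at),
    )

def next_action(state: TokenState, now: datetime) -> str:
    """Return 'use', 'refresh' or 'reauthorize' for the stored token at time now."""
    if state.expires_at is None or now < state.expires_at - REFRESH_SKEW:
        return "use"  # non-expiring token, or still comfortably valid
    if state.refresh_token and (state.refresh_expires_at is None
                                or now < state.refresh_expires_at):
        return "refresh"
    return "reauthorize"  # nothing usable left: run the OAuth flow again

if __name__ == "__main__":
    # Constructed sample shaped like an expiring user token (8 hours, as on the page).
    issued = datetime(2021, 5, 22, 12, 0, tzinfo=timezone.utc)
    sample = {"access_token": "constructed-token", "expires_in": 28800,
              "refresh_token": "constructed-refresh", "refresh_token_expires_in": 15811200}
    print(next_action(parse_token_response(sample, issued), issued + timedelta(hours=9)))
```

A result of `use` only reflects what the server advertised: a token with no expiry can still be revoked by the user or after a year without use, so a 401 from the API should be treated the same as `reauthorize`.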