
In the web server grant flow, after I obtain the authorization code from the authorization authority (after the user has authorized my access), how long is that code usually valid for? The reason I am asking is: can my web server store that code and use it in later sessions to retrieve a new access token without the need for the user to re-authenticate again? Should that be the flow?

FYI, my goal is to make requests to Adobe Analytics and Google Analytics on behalf of my customer. So I would want to ask my customer for authorization once, until he revokes my access.

Linda Lawton - DaImTo
Berethor

1 Answer

Speaking strictly of Google OAuth, there are three types of codes or tokens you should be aware of.

  1. Authorization code
  2. Access token
  3. Refresh token

The authorization code is returned when the user clicks accept to your application accessing their data. This code is exchanged for an access token and a refresh token. This code can only be used once and is extremely short-lived, 10 minutes I believe.

Access tokens are used to access private user data. They are valid for approximately one hour.

Refresh tokens are used to gain a new access token when the access token has expired. For the most part refresh tokens do not expire; however, if one has not been used for six months it will no longer be valid, and of course the user can always remove your access.

Answer: No, storing the authorization code would be pointless. You will need to store the refresh token. Make sure you are requesting offline access for your users.

I can't help you with Adobe Analytics; however, I suspect it is similar, since this is the standard OAuth protocol we are talking about.

Linda Lawton - DaImTo
  • "[The authorization code] can only be used once": and how would that be implemented? Is making it valid for a few seconds only an acceptable alternative? – Florimond Jan 30 '20 at 09:45
  • The authorization code only needs to be used once; it's only needed to get the access token, and after that there is no use for it. You have about three minutes to use the authorization code, which should be enough time to request an access token. – Linda Lawton - DaImTo Jan 30 '20 at 10:58
  • It only "needs" to be used once. But initially you wrote "can only be used once", which seemed to imply there should be some mechanism by which it's impossible to use it twice, even if you try to use it for the second time still within the few minutes of validity. – Florimond Jan 30 '20 at 13:16
  • There is: it doesn't work. If you try to send it to the auth server a second time you will get an error. The token is probably deleted in the auth server's database. The auth server could also check the age of the token, as in when it was created, and refuse it if it's too old. https://tools.ietf.org/html/rfc6749#page-24 https://tools.ietf.org/html/rfc7636#page-8 – Linda Lawton - DaImTo Jan 30 '20 at 13:34
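The following is an added example, not code from the question, the answer or Google's libraries. It models the three credentials the answer lists and the single-use check the comment thread asks about in one toy authorization server, plus the web server from the question, which keeps only the refresh token. The `ToyAuthServer` and `AnalyticsConnector` classes, the `FakeClock`, and the exact lifetimes (ten minutes, one hour, six months idle) are assumptions chosen to match the answer's description; a real provider's token endpoint is an HTTPS POST, not a method call.

```python
import hashlib
import secrets
import time

# Lifetimes as the answer describes them; the exact numbers are assumptions.
AUTH_CODE_TTL = 10 * 60              # authorization code: minutes, single use
ACCESS_TOKEN_TTL = 60 * 60           # access token: about an hour
REFRESH_IDLE_TTL = 182 * 24 * 3600   # refresh token: dropped after ~6 months unused


class OAuthError(Exception):
    """Stands in for HTTP 400 {"error": "invalid_grant"} from the token endpoint."""


class FakeClock:
    """Controllable clock so the expiry rules can be exercised without waiting."""
    def __init__(self, start=1_000_000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def _h(token):
    # Store only hashes server-side so a database leak does not leak live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ToyAuthServer:
    """Hypothetical authorization server modelling the three credential types."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._codes = {}    # raw code -> (user, offline, issued_at)
        self._refresh = {}  # sha256(refresh token) -> [user, last_used]
        self._access = {}   # sha256(access token) -> (user, expires_at)

    def authorize(self, user, access_type="online"):
        # The user clicks "accept": mint a short-lived, single-use code.
        code = secrets.token_urlsafe(24)
        self._codes[code] = (user, access_type == "offline", self.clock())
        return code

    def exchange_code(self, code):
        # grant_type=authorization_code. pop() is the single-use mechanism:
        # a replayed code is no longer in the table, so the second call fails.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise OAuthError("invalid_grant: code unknown or already used")
        user, offline, issued_at = entry
        if self.clock() - issued_at > AUTH_CODE_TTL:
            raise OAuthError("invalid_grant: code expired")
        tokens = {"access_token": self._mint_access(user), "expires_in": ACCESS_TOKEN_TTL}
        if offline:  # only access_type=offline earns a refresh token
            refresh = secrets.token_urlsafe(32)
            self._refresh[_h(refresh)] = [user, self.clock()]
            tokens["refresh_token"] = refresh
        return tokens

    def refresh(self, refresh_token):
        # grant_type=refresh_token: no user interaction needed.
        grant = self._refresh.get(_h(refresh_token))
        if grant is None:
            raise OAuthError("invalid_grant: refresh token unknown or revoked")
        if self.clock() - grant[1] > REFRESH_IDLE_TTL:
            del self._refresh[_h(refresh_token)]
            raise OAuthError("invalid_grant: refresh token idle for six months")
        grant[1] = self.clock()
        return {"access_token": self._mint_access(grant[0]), "expires_in": ACCESS_TOKEN_TTL}

    def revoke(self, refresh_token):
        # The user removes the app from their account settings.
        self._refresh.pop(_h(refresh_token), None)

    def user_for(self, access_token):
        # Resource-server check: owner of a still-valid access token, else None.
        entry = self._access.get(_h(access_token))
        return entry[0] if entry and self.clock() < entry[1] else None

    def _mint_access(self, user):
        token = secrets.token_urlsafe(32)
        self._access[_h(token)] = (user, self.clock() + ACCESS_TOKEN_TTL)
        return token


class AnalyticsConnector:
    """The asker's web server: persists only the refresh token, never the code."""

    def __init__(self, auth):
        self.auth = auth
        self.refresh_tokens = {}  # customer -> refresh token (encrypt at rest for real)
        self._cache = {}          # customer -> (access token, expires_at)

    def finish_consent(self, customer, code):
        tokens = self.auth.exchange_code(code)  # the code is spent here; nothing to keep
        if "refresh_token" not in tokens:
            raise OAuthError("no refresh token: request access_type=offline")
        self.refresh_tokens[customer] = tokens["refresh_token"]
        self._cache[customer] = (tokens["access_token"], self.auth.clock() + tokens["expires_in"])

    def access_token_for(self, customer):
        # A later session with no user present: reuse the cached token or refresh it.
        token, expires_at = self._cache.get(customer, (None, 0.0))
        if token is None or self.auth.clock() >= expires_at - 60:
            tokens = self.auth.refresh(self.refresh_tokens[customer])
            token = tokens["access_token"]
            self._cache[customer] = (token, self.auth.clock() + tokens["expires_in"])
        return token
```

Two design points worth noting. The single-use guarantee is simply that the code is deleted when it is redeemed, so a replay finds nothing to redeem; the age check on top of that bounds how long a leaked but unredeemed code is useful. On the client side, the only durable state is the refresh token per customer, which is why an `online` grant (no refresh token) is treated as a failure here: without it the server cannot act for the customer in a later session.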