1

I am using the below code to obtain a access_token for google Oauth2 services. The logic is simple.

  1. Execute the code
  2. if there's a token (saved at the file token.txt), use it
  3. If there's not a token, use the browser-based flow.run_console(); save access token to file
  4. return build() of session

My question is, is there a way to extend the token's life past 3600 seconds? like a month? or better? Thanks

Code:

def get_service(ServiceName, API_VERSION):
    flow = InstalledAppFlow.from_client_secrets_file(CLIENT_SECRETS_FILE, SCOPES)
    creds = json.loads(Path(CLIENT_SECRETS_FILE).read_text())

    if Path(token).exists():
      access_token = Path(token).read_text()
      credentials = Credentials(
        None,
        refresh_token=access_token,
        token_uri="https://accounts.google.com/o/oauth2/token",
        client_id=creds['installed']['client_id'],
        client_secret=creds['installed']['client_secret']
      )
    else:
      credentials = flow.run_console()
      with open(token, 'w') as filetowrite:
            filetowrite.write(credentials.token)

    return build(ServiceName, API_VERSION, credentials = credentials)
arcee123
  • 101
  • 9
  • 41
  • 118
  • [this might help](https://stackoverflow.com/questions/13851157/oauth2-and-google-api-access-token-expiration-time) – BpY Dec 23 '19 at 15:10
  • Does this help: https://developers.google.com/identity/protocols/OAuth2WebServer#offline – Ashwani Dec 23 '19 at 18:00

3 Answers3

2

No. It's not possible. It's ofc hard to prove that smth is not possible. But here is the reasoning:

Idea is , that tokens are short lived for security reasons. One is supposed to obtain an additional refresh token. Once the oauth token expires , use the refresh token to get a new oauth token or better a new token pair.

This mitigates the risk, of eavesdropped tokens. Even if an attacker manages to get a token, there is only little period when it's valid. And also particular tokens can be revoked if needed by the service provider.

See OAuth2 and Google API: Access token expiration time?

dre-hh
  • 7,840
  • 2
  • 33
  • 44
  • after some research into what you said, I used the refresh token to re-establish connections in my script. this create a virtual headless scenerio which is where I was heading strategically. Since you came first with the suggestion, you get the points. – arcee123 Dec 30 '19 at 12:53
  • How did you manage to do that in the end? – ofir2471 Sep 13 '21 at 08:59
1

Not possible, Access tokens typically expire after 60 minutes. If you have a refresh token you can use the refresh token to get a new (valid) access token.

A combination of access tokens and refresh tokens maximize security and flexibility. The OAuth 2.0 spec recommends this option, and several of the larger implementations have gone with this approach.

This doc explains how to do that: https://developers.google.com/identity/protocols/OAuth2WebServer#offline

Binara Thambugala
  • 776
  • 6
  • 17
1

The primary reason you cannot extend it ( at least just by yourself ) is because its a value set by the token server. If you were to decode the access token, change the expiration value, encode it again, it will invalidate the token because these tokens have an embedded digital signature. [ Use https://jwt.io to decode and see for yourself ].

Coming to ways to extend it, you'll have to talk to the token server - in your case Google and see if they can make an exception for you. Your best bet is to rely on refresh_token as other answers suggests.

Gautam
  • 1,862
  • 9
  • 16