I have used the refresh token several times in just a short period for testing purposes, but I wonder whether Google refresh tokens ever expire? Can I use the same refresh token to get another access token again and again for a long period (a week or even months)?

Asked by Robin Carlo Catacutan, edited by General Grievance

11 Answers

Answer (score 194)

Refresh tokens issued by the Google Auth server never expire — that's the whole point of refresh tokens. The refresh token will expire (or I should say become unauthorized) when the user revokes access to your application.

Refer to this doc; it clearly states the function of refresh tokens.

Instead of issuing a long-lasting token (typically good for a year or unlimited lifetime), the server can issue a short-lived access token and a long-lived refresh token. So in short, you can use refresh tokens again and again until the user who authorized the access revokes access to your application.

Shadow (edited by Jonathan Leffler)
  • The "good for a year" part makes it not quite as clear as you suggest; but since it doesn't seem to cause problems in practice, I'm assuming the refresh token is evergreen. – mahemoff Mar 16 '13 at 08:10
  • Token expiration: You should write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons: The user has revoked access. The token has not been used for six months. The user account has exceeded a certain number of token requests. There is currently a 25-token limit per Google user account. If a user account has 25 valid tokens, the next authentication request succeeds, but quietly invalidates the oldest outstanding token without any user-visible warning. (from https://developers.google.com/accounts/docs/OAuth2) – bazik Mar 31 '14 at 11:46
  • 'Long lived' refresh token is something different than 'never expire'. – Kapé Mar 28 '15 at 21:40
  • So how can your code check if your refresh token is still valid? – Costin_T May 04 '15 at 13:45
  • @Shadow If the refresh token rarely expires, as suggested, why doesn't Google just issue a non-expiring access token in the first place? As far as I understand, the access token that is issued using OAuth 2.0 can then be used to request a refresh token. Why not just have a permanent access token, and cut out the extra call for the refresh token? – Charles Robertson Dec 15 '15 at 22:24
  • @CharlesRobertson The reason is that access tokens are authorization for resources, whereas a refresh token is authorization given to the client by a user. The client in the case of an access token is technically the resource server, whereas the client in the case of a refresh token is the app authorized by the resource owner to access content on their behalf. – dvsakgec Feb 09 '17 at 11:54
  • The authentication server, however, can blacklist refresh tokens and render them invalid in some cases. – Sudip Bhandari May 23 '17 at 06:46
  • Doc link throws 404. – Rigin Oommen Jul 15 '19 at 18:30
  • @CharlesRobertson Another reason for not issuing long-lived access tokens: let's say you have a user abc with role "user" when the access token was issued. Now you have changed some attributes of the user, e.g. you have changed the role of the user. If you issue a long-lived access token, the new changes may not get reflected until the user authenticates again. The user will need to authenticate in order for the new role to take effect. With a refresh token this can be done automatically whenever the access_token is expired. You can read the details here. – Ninja Jan 13 '21 at 13:58
  • https://dotnettutorials.net/lesson/refresh-token-in-web-api/#:~:text=A%20Refresh%20Token%20is%20a,the%20Refresh%20Token%20is%20blacklisted. – Ninja Jan 13 '21 at 14:00
  • Docs here say they're good as long as they're used within 6 months: https://developers.google.com/identity/protocols/oauth2#expiration – Mike Apr 30 '21 at 19:07
  • Hi there, I have a question and a problem. I am fetching GMB locations by refresh token and access token, but when I changed the password of the linked Google account, the API stopped syncing location data. Why is this? Please reply if there is any solution for this. – GYaN Nov 29 '21 at 09:57
  • There is a new limit: "There is currently a limit of 100 refresh tokens per Google Account per OAuth 2.0 client ID. If the limit is reached, creating a new refresh token automatically invalidates the oldest refresh token without warning. This limit does not apply to service accounts." – itsoft3g Sep 17 '22 at 08:17

Answer (score 115)

This is a very confusing thread. The first answer appears to be right, but doesn't actually cite anything authoritative from Google.

The most definitive answer I found is actually in the developer's playground where you obtain the token. Step 2 has a note at the bottom that says:

"Note: The OAuth Playground does not store refresh tokens, but as refresh tokens never expire, user should go to their Google Account Authorized Access page if they would like to manually revoke them."

https://developers.google.com/oauthplayground/

Josh Hunter
  • Best answer here - why no one has upvoted is unbelievable - many thanks - treat refresh tokens as if they never expire - however on sign-in check for a new one in case the user revokes the refresh token; in this scenario Google will provide a new refresh token on sign-in, so just update the refresh token. – danday74 Jul 23 '16 at 04:51

Answer (score 69)

I experienced the same issue and later found out the mistake I was doing. Posting it here so that someone else might find it useful too.

The following can be read from the Google document Using OAuth 2.0 to Access Google APIs, the section Refresh token expiration:

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.

Amal Gunatilake (edited by stvar)
  • I submitted the app for verification and now the token doesn't expire. Of course, I have no intention of getting the app verified just yet. – yebowhatsay Feb 13 '21 at 04:57
  • Google really buried the lede here. It's brutal. – Carl Norum Apr 06 '21 at 16:49
  • @yebowhatsay I'm experiencing the same with the Google Photos Library API. I use the API basically to serve me my own photos and have no interest in publishing it. What did you provide by submitting for verification? – individual8 May 02 '21 at 12:46
  • Same question here: how to set up a project for personal use only? Publish it to the "alpha" channel maybe? – AymKdn May 02 '21 at 18:41
  • @individual8 No documents need to be provided, if that is what you meant. I remember I just had to click on the 'Publish' button. – yebowhatsay May 03 '21 at 10:52
  • @yebowhatsay Thanks. I published mine too and dismissed providing any verification info. Let's see if the newly created refresh token expires again in 7 days. – individual8 May 03 '21 at 14:04
  • @DaveTheMinion Yep, it did. – individual8 Jun 28 '21 at 06:47
  • @individual8 I just hit the seven-day period and was forced to renew. Interestingly, after renewing, I got one of those security alert e-mails from Google telling me that my application was granted access to my account. I never got one of those before, so perhaps it will work this time? I'll check back again in one week once I know the outcome. – DaveTheMinion Jul 04 '21 at 19:38
  • One final update: it seems that after renewing last week, my token did not expire! – DaveTheMinion Jul 13 '21 at 12:16
  • I think this should be the accepted answer. This helped me a lot. Thank you! – cagdas_ucar Feb 22 '22 at 19:34

Answer (score 27)

Refresh tokens will actually expire after 7 days if the project publishing status is "Testing". Per Google documentation:

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.

Link to quote

john fotouhi

Answer (score 15)

I don't think that is completely true:

Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working.

from this page: https://developers.google.com/youtube/v3/guides/authentication#installed-apps

That is from the YouTube docs (which I find to be much better than other API docs), but I think it is the same across all Google apps.

Roaders

Answer (score 10)

Read this from https://developers.google.com/identity/protocols/oauth2#expiration:

You must write your code to anticipate the possibility that a granted refresh token might no longer work. A refresh token might stop working for one of these reasons:

  • The user has revoked your app's access.
  • The refresh token has not been used for six months.
  • The user changed passwords and the refresh token contains Gmail scopes.
  • The user account has exceeded a maximum number of granted (live) refresh tokens. There is currently a limit of 50 refresh tokens per user account per client. If the limit is reached, creating a new refresh token automatically invalidates the oldest refresh token without warning. This limit does not apply to service accounts.

There is also a larger limit on the total number of refresh tokens a user account or service account can have across all clients. Most normal users won't exceed this limit but a developer's test account might.

Jos Luijten
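The reasons listed above (and the earlier comment asking how code can tell whether a refresh token is still valid) all surface the same way: the token endpoint answers the refresh request with an `invalid_grant` error, and the only remedy is a new consent flow. The following is an added example, not code from any answer on this page; it refreshes an access token against Google's token endpoint, separates "dead refresh token" from transient failures, and takes an injectable transport so the logic runs offline against constructed responses (`fake_post`, with placeholder token values).

```python
"""Refresh a Google OAuth 2.0 access token and detect a dead refresh token.
Added example, not code from this page; transport is injectable so it runs offline."""
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def http_post_form(url, fields):
    """Real transport: POST form fields and return (HTTP status, JSON body)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        # A dead refresh token comes back as HTTP 400 with a JSON error body.
        return err.code, json.loads(err.read() or b"{}")


def fake_post(url, fields):
    """Constructed offline transport: placeholder tokens, two outcomes."""
    if fields["refresh_token"] == "rt-live":
        return 200, {"access_token": "ya29.constructed", "expires_in": 3599,
                     "token_type": "Bearer"}
    return 400, {"error": "invalid_grant",
                 "error_description": "Token has been expired or revoked."}


def refresh_access_token(client_id, client_secret, refresh_token, post=http_post_form):
    """Return ("ok", access_token, expires_in) or ("reauthorize", reason).

    "reauthorize" covers every reason listed above (revoked, 7-day Testing
    expiry, six months unused, Gmail-scope password change, token cap): the
    only fix is a new consent flow with access_type=offline. Other errors are
    raised so a transient outage is never mistaken for a dead token.
    """
    status, body = post(TOKEN_ENDPOINT, {
        "client_id": client_id, "client_secret": client_secret,
        "refresh_token": refresh_token, "grant_type": "refresh_token",
    })
    if status == 200 and "access_token" in body:
        return ("ok", body["access_token"], int(body.get("expires_in", 0)))
    if body.get("error") == "invalid_grant":
        return ("reauthorize", body.get("error_description", "invalid_grant"))
    raise RuntimeError(f"token endpoint returned HTTP {status}: {body}")
```

Call `refresh_access_token(client_id, client_secret, stored_token)` before each API session and persist the stored refresh token unchanged on "ok"; requesting a fresh one on every run is what drives an app into the per-client token cap described above.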
Answer (score 9)

The rules have changed on this sometime in 2017, so the best answer I think is that it depends on the product. For example, on the Gmail API, the OAuth 2.0 refresh token expires upon password change. See this: https://support.google.com/a/answer/6328616?hl=en

We used to set up API access in advance and generate refresh tokens when we set up NEW Gmail users, and then we could archive their mail (we are required to do so by law), but now as soon as they change their password, the refresh token is revoked.

Perhaps for YouTube or Maps the refresh token is still truly long-lived, but for the Gmail API, count on a short token.

TonyE
  • Looks like it became official on October 5, 2016. https://developers.googleblog.com/2016/09/increased-account-security-via-oauth-2-0-token-revocation.html – TonyE Sep 12 '17 at 23:07

Answer (score 7)

See this:

Refresh tokens are valid until the user revokes access. This field is only present if access_type=offline is included in the authorization code request.

from https://developers.google.com/accounts/docs/OAuth2WebServer

karl

Answer (score 6)

For personal projects, simply submit the app on the Google Console 'OAuth Consent Screen' tab for verification to stop tokens from expiring. No need to do anything further if you don't want the app to be verified.

yebowhatsay
  • Can you give more details, please? When you say "submit the app for verification", do you mean to go on the "Deploy" tab and click on "Start new release" and then to select "Production"? But in that case Google will review your product… – AymKdn May 04 '21 at 13:08
  • Actually I think it's from this screen: https://console.cloud.google.com/apis/credentials/consent?project=PROJECT_NAME There is a "Publication State", and it's correctly in "testing". From there you can click on the publish button. – AymKdn May 04 '21 at 15:49
  • Yes, @AymKdn is right, it is on [Google Console](https://console.cloud.google.com/apis/credentials/consent?project=PROJECTID&pli=1&folder=&organizationId=). Submit your app for publishing, but there is no need to follow up on this as Google automatically removes the token expiration once submitted. I'll amend my answer. – yebowhatsay May 06 '21 at 08:06
  • Is this method still valid? Will Google revoke and change our app status back to "Testing" because of no response? – Synth Sloth Feb 09 '23 at 07:38
  • @MaidenlessRunt Can confirm that this still works on one of my personal apps. Status is never reverted back automatically. Have you tried it yet? – yebowhatsay Feb 10 '23 at 08:12

Answer (score 1)

The main concept of the refresh token is that it is long-lasting and never expires.

The access token has an expiry time; once it expires, we can use the refresh token, which can be used again and again until the user revokes access from their account.

stitz

Answer (score -4)

Set a long expiration time for OAuth tokens

Setting a long expiration time for an access token and/or refresh token in the OAuthv2 policy leads to accumulation of OAuth tokens and increased disk space use on Cassandra nodes.

The following example OAuthV2 policy shows a long expiration time of 200 days for refresh tokens:

<OAuthV2 name="GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <ExpiresIn>1800000</ExpiresIn> <!-- 30 minutes, in milliseconds -->
  <RefreshTokenExpiresIn>17280000000</RefreshTokenExpiresIn> <!-- 200 days, in milliseconds -->
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <GenerateResponse enabled="true"/>
</OAuthV2>

link here

In the above example:

  • The access token is set with a reasonably lower expiration time of 30 mins.
  • The refresh token is set with a very long expiration time of 200 days.
  • If the traffic to this API is 10 requests/second, then it can generate as many as 864,000 tokens in a day.
  • Since the refresh tokens expire only after 200 days, they persist in the data store (Cassandra) for a long time, leading to continuous accumulation.