I know that (when using the authorization code "Authorization code" in OAuth), the lifetime of an access-token should be short but the lifetime of a refresh token can be long. So I decided for my project:
But what is a typical lifetime of an authorization code? Am I right that it should be really, really short? Maybe like 1 hour or even only a few minutes?
I could not find any "best practice" for this..
All of this is standard but configurable i most identity / auth servers.
When the user consents an application accessing their data they are returned an authorization code. This code is only used its normally good for five minutes. anything lower than that would probably cause you issues with clock skew and there is really no reason IMO for it to be longer.
Access tokens are returned after the authorization code has been exchanged. The access token. Access tokens are most often only good for 60 minutes.
refresh tokens are long lived tokens. The following are googles standard.
Again the above are just google standards. On the identity server I work on at work. I think the current settings is one month of non usage a refresh token expires.
Just found an answer on an other site:
The authorization code must expire shortly after it is issued. The OAuth 2.0 spec recommends a maximum lifetime of 10 minutes, but in practice, most services set the expiration much shorter, around 30-60 seconds.
Source: https://www.oauth.com/oauth2-servers/authorization/the-authorization-response/
It depends on the provider. For some providers, it works only once. Once you exchange the authorization code for access and refresh tokens, it will expire and you can't use it the second time.
© 2022 - 2024 — McMap. All rights reserved.
