Will an old refresh token still be valid if a new refresh token gets issued?
My application uses a Google refresh token (to get access_token from Google). I have two questions here:

  1. I know a Google refresh token does not expire for 6 months (see the doc here); say I got a refresh token refresh_token_old at 5:00pm on Jan 1st, and my application requests another refresh token refresh_token_new from Google at 5:30pm on Jan 1st (i.e., just 30 minutes later). Will the old refresh token still be valid (apparently the old one has not expired)? Basically, I am asking whether the newly issued refresh_token purges the validity of the old refresh_token;
  2. For the access token, access_token_a, which I got from Google using refresh_token_old, is it still valid after my app requested the new refresh token refresh_token_new? Basically, I am asking whether the new refresh_token purges the validity of the access_token obtained with an old refresh_token even if that access_token has not expired.
Lasagne answered 29/11, 2020 at 23:07
  • A refresh token will expire if it has not been used for six months. As soon as it is used, the six-month timer will reset.
  • If you request a refresh token, and your application then requests another refresh token, you technically have two outstanding refresh tokens; both will work. You can keep doing this and have up to fifty outstanding refresh tokens; as soon as you hit that point, the first one will expire.
  • Any access token created with any refresh token is good for an hour, even if the refresh token that created it has expired during that hour. Once an access token is created, it will work for an hour no matter what.
Bibliophile answered 30/11, 2020 at 9:32
Thanks for the crisp answer, very helpful! How can I make all outstanding refresh_tokens invalid (say, I suspect someone has got hold of one)? - Lasagne
If you want to revoke them all, have the user revoke your permission on their account, or make a call to the Revoke endpoint. Unless someone also got hold of your client id and client secret and has access to the endpoint you have configured in Google Developer Console, they really can't do anything with the refresh token though. - Bibliophile
@DaImTo, "Once an access token is created it will work for an hour no matter what". Is that the OAuth 2.0 spec or just for Google only? I want to know if an old access token that has not expired is still valid after calling refresh-token to get a new access token. - Eliciaelicit
Access tokens expiring after an hour is the OAuth standard expires_in. No, an access token is self-contained. It will expire and then no longer work. The refresh token is used to request a new access token. - Bibliophile
Thanks @DalmTo, been looking for an answer that confirms your first point. - Atavistic
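One way to act on the comment's advice to "make a call to the Revoke endpoint" for every refresh token the application still holds, as an added example that is not part of this thread: the endpoint URL, the form field and the 200/400 response shape are taken from Google's OAuth 2.0 documentation, not from the page; the `transport` parameter is an assumption of this example so the logic can be exercised offline.

```python
"""Revoke the Google OAuth2 tokens an application has on record."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Google's documented token revocation endpoint (from Google's docs, not this thread).
REVOKE_URL = "https://oauth2.googleapis.com/revoke"


def _http_post_form(url: str, fields: dict) -> tuple:
    """Default transport: POST a form body and return (status, body bytes).

    Google answers 200 on success and 400 with a JSON error on a bad token;
    urllib raises on 4xx, so the error response is turned back into a tuple.
    """
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(fields).encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def revoke_token(token: str, transport=_http_post_form) -> dict:
    """Revoke one token (refresh or access) and report the outcome."""
    status, body = transport(REVOKE_URL, {"token": token})
    if status == 200:
        return {"revoked": True, "error": None}
    # A 400 body looks like {"error": "invalid_token"}; anything else is unknown.
    try:
        error = json.loads(body.decode("utf-8")).get("error", "unknown_error")
    except (ValueError, UnicodeDecodeError, AttributeError):
        error = "unknown_error"
    return {"revoked": False, "error": error}


def revoke_all(tokens, transport=_http_post_form) -> dict:
    """Revoke every stored token; callers should log the ones that fail.

    Only tokens the application persisted can be revoked this way; a token
    it lost track of needs the user-side revocation the comment mentions.
    """
    return {t: revoke_token(t, transport) for t in tokens}
```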
