Refresh token validity period
Hi There,
I am using OAuth to generate accessToken from the refresh token, but when the access token is generated the refresh token is expiring. I think the refresh token must not expire, like MS Office OAuth, so that users can generate multiple access tokens using the same refresh token. If the user did not use it for more than 60 days, you can invalidate the refresh token.
-
Hi,
By default the access token lasts 60 minutes and the refresh token 60 days.
Also, by default, when you use the refresh token to get a new access token, you also get a new refresh token. Refresh tokens are single use only. This means your application should cache the new pair of tokens for future use.
There is, however, an exception to this behavior to prevent a race condition in multi-threaded scenarios.
In these scenarios it is possible that multiple threads request a new access token using the same refresh token. In this case the platform responds with the same pair of new access and refresh tokens, so you're safe.
To your question, the refresh token is single usage, and your application should cache the new token pair; however, if your application uses the same refresh token before it had a chance to cache the new ones, it will get the same new access and refresh token.
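Added example, not part of the original thread and not the platform's own code: a client-side token cache that serializes refreshes so each single-use refresh token is redeemed once and the new pair is stored before any thread continues. `FakeTokenEndpoint` is a constructed stand-in that rejects any reused refresh token and does not model the multi-thread exception described in the answer; all names are hypothetical.

```python
import secrets
import threading
import time

class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""
    def __init__(self, first_refresh_token):
        self._valid = first_refresh_token
        self._lock = threading.Lock()
        self.redeemed = 0

    def refresh(self, refresh_token):
        with self._lock:
            if refresh_token != self._valid:
                raise PermissionError("invalid_grant")  # spent or unknown token
            self.redeemed += 1
            self._valid = "rt-" + secrets.token_hex(8)  # rotation: old token is spent
            return {"access_token": "at-" + secrets.token_hex(8),
                    "refresh_token": self._valid, "expires_in": 3600}

class TokenCache:
    """Holds the current token pair; only one thread at a time may rotate it."""
    def __init__(self, endpoint, refresh_token, skew=60):
        self._endpoint = endpoint
        self._refresh_token = refresh_token
        self._access_token, self._expires_at = None, 0.0
        self._skew = skew  # refresh this many seconds before expiry
        self._lock = threading.Lock()

    def access_token(self):
        with self._lock:
            if self._access_token is None or time.time() >= self._expires_at - self._skew:
                pair = self._endpoint.refresh(self._refresh_token)
                # Store the new refresh token first: the one just used is now spent.
                self._refresh_token = pair["refresh_token"]
                self._access_token = pair["access_token"]
                self._expires_at = time.time() + pair["expires_in"]
            return self._access_token

    def current_refresh_token(self):
        with self._lock:
            return self._refresh_token

def run_concurrent(cache, n=8):
    """Call access_token() from n threads at once and collect what each received."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(cache.access_token()))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```

This cache is in memory only; an application that restarts needs the latest refresh token written to protected storage at the same point where the cache is updated.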