Is the refresh token good forever? I was testing the refresh token immediately and everything seemed fine, but a couple days later when I went to try again I received an error about invalid refresh token. I know the access token expires after an hour. Isn't it possible to use the refresh token to get a new access token forever? For example I record expires time of the access token, so if the site refreshes and it's days later I won't use the access token I'll get a new access token with the refresh token, but if it hasn't expired yet I'll keep using the valid access token.Please advise if there's any issues with what I've described above. Otherwise service gets interrupted and we'd have to authorize all over again.
--
--
You received this message because you are subscribed to the Google
Groups "Meetup API" group.
To unsubscribe from this group, send email to
meetup-api+...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/meetup-api?hl=en?hl=en
---
You received this message because you are subscribed to the Google Groups "Meetup API" group.
To unsubscribe from this group and stop receiving emails from it, send an email to meetup-api+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Understood, and done! Currently implemented that way.But is the refresh token good forever? When I go to use the refresh token for the first time can it be days, months, or even years later? Or does the refresh token itself have an expiry time before it's valid to be used only once?
Hi,Is this still true (that refresh tokens can only be used once)?If so, is there any plan to remove that limitation? Can’t think of any other OAuth2 provider with this policy.
Otherwise could it be clearly stated in the documentation? http://www.meetup.com/fr/meetup_api/auth/#oauth2 Couldn’t find a mention about it anywhere else.
On Wed, May 27, 2015 at 4:26 AM, Pierre-Élie Fauché <p...@sunrise.am> wrote:Hi,Is this still true (that refresh tokens can only be used once)?If so, is there any plan to remove that limitation? Can’t think of any other OAuth2 provider with this policy.Otherwise could it be clearly stated in the documentation? http://www.meetup.com/fr/meetup_api/auth/#oauth2 Couldn’t find a mention about it anywhere else.Hi Pierre-Élie,Both oauth 1 and 2 are both RFC's that set guidelines on expected behavior for servers and clients. To allow for some additional flexibility, both specifications allow for providers to relax certain recommendations to make compromises based on limitations their clients may have. You'll find not all providers implement all of the behavior mentioned in the RFC's as a result.Here's the section on refresh tokens http://tools.ietf.org/html/rfc6749#section-6. For a long time we've been reissuing a new set of refresh tokens but we've recently changed this. Currently, you should get back the _same_ refresh token in an oauth2 refresh token flow.Since we've rolled this change out, the documentation hasn't been updated but I'll open a ticket to fix that.If you follow the current docs, things should just work. If you discard the refresh token on hand and store the one that comes back. It will will contain the same value.
For more options, visit this group at
http://groups.google.com/group/meetup-api?hl=en?hl=en
---
You received this message because you are subscribed to the Google Groups "Meetup API" group.
To unsubscribe from this group and stop receiving emails from it, send an email to meetup-api+unsubscribe@googlegroups.com.