Refresh token not working after a day or two

emrk

Nov 17, 2014, 12:04:49 PM
to meetu...@googlegroups.com
Is the refresh token good forever?  I was testing the refresh token immediately and everything seemed fine, but a couple days later when I went to try again I received an error about invalid refresh token.  I know the access token expires after an hour. Isn't it possible to use the refresh token to get a new access token forever?  For example I record expires time of the access token, so if the site refreshes and it's days later I won't use the access token I'll get a new access token with the refresh token, but if it hasn't expired yet I'll keep using the valid access token.

Please advise if there's any issues with what I've described above.  Otherwise service gets interrupted and we'd have to authorize all over again.

Doug Tangren

Nov 17, 2014, 12:22:31 PM
to meetup-api
When you receive an oauth2 token you get a refresh token. When the access token expires you can request a new one with the refresh token. That refresh token can only be used once. In the response of that request you will get a new access token and a new refresh token. You can store that refresh token to get back the next access token.
 

--
--
You received this message because you are subscribed to the Google
Groups "Meetup API" group.
To unsubscribe from this group, send email to
meetup-api+...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/meetup-api?hl=en?hl=en


emrk

Nov 17, 2014, 1:04:23 PM
to meetu...@googlegroups.com
Understood, and done!  Currently implemented that way.

But is the refresh token good forever?  When I go to use the refresh token for the first time can it be days, months, or even years later?  Or does the refresh token itself have an expiry time before it's valid to be used only once?

Thanks.

Doug Tangren

Nov 17, 2014, 1:26:26 PM
to meetup-api
Yep. It's valid until you use it once.

Pierre-Élie Fauché

May 27, 2015, 8:09:31 AM
to meetu...@googlegroups.com
Hi,

Is this still true (that refresh tokens can only be used once)?
If so, is there any plan to remove that limitation? Can’t think of any other OAuth2 provider with this policy.
Otherwise could it be clearly stated in the documentation? http://www.meetup.com/fr/meetup_api/auth/#oauth2 Couldn’t find a mention about it anywhere else.

Thanks!

Doug Tangren

May 27, 2015, 8:38:13 AM
to meetup-api
Hi Pierre-Élie,

OAuth 1 and 2 are both RFCs that set guidelines on expected behavior for servers and clients. To allow for some additional flexibility, both specifications allow for providers to relax certain recommendations to make compromises based on limitations their clients may have. You'll find not all providers implement all of the behavior mentioned in the RFCs as a result.

Here's the section on refresh tokens http://tools.ietf.org/html/rfc6749#section-6. For a long time we've been reissuing a new set of refresh tokens but we've recently changed this. Currently, you should get back the _same_ refresh token in an oauth2 refresh token flow.

Since we've rolled this change out, the documentation hasn't been updated but I'll open a ticket to fix that.


If you follow the current docs, things should just work. If you discard the refresh token on hand and store the one that comes back, it will contain the same value.
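
An added example (not written by anyone in this thread, and not Meetup's code) of a client-side token holder that works under both behaviours described above: single-use refresh tokens that rotate on every refresh, and a provider that returns the same refresh token. `TokenStore`, `post_token`, `FakeProvider` and the token values are hypothetical names constructed for illustration.

```python
import time

class ReauthorizationRequired(Exception):
    """The provider rejected the stored refresh token; the user must authorize again."""

class TokenStore:
    """One user's tokens. `post_token` is a hypothetical callable that sends the
    form to the provider's token endpoint and returns the parsed JSON response."""

    def __init__(self, post_token, access_token, refresh_token, expires_at, skew=60):
        self.post_token = post_token
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = expires_at   # absolute epoch seconds
        self.skew = skew               # refresh slightly before the real expiry

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        if now < self.expires_at - self.skew:
            return self.access_token   # still valid: no request, no rotation
        resp = self.post_token({"grant_type": "refresh_token",
                                "refresh_token": self.refresh_token})
        if resp.get("error") == "invalid_grant":
            # Token already used or revoked: retrying with it cannot succeed.
            raise ReauthorizationRequired("refresh token rejected")
        if "error" in resp:
            raise RuntimeError(f"token endpoint error: {resp['error']}")
        # Store the returned refresh token before anything else. RFC 6749 section 6
        # makes it optional in the response, so keep the current one if it is absent.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.access_token = resp["access_token"]
        self.expires_at = now + int(resp.get("expires_in", 3600))
        return self.access_token

class FakeProvider:
    """Constructed stand-in for a token endpoint; not Meetup's implementation."""

    def __init__(self, refresh_token, rotate=True):
        self.valid, self.rotate, self.issued = refresh_token, rotate, 0

    def __call__(self, form):
        if form["refresh_token"] != self.valid:
            return {"error": "invalid_grant"}
        self.issued += 1
        if self.rotate:
            self.valid = f"refresh-{self.issued}"   # the old value is now dead
        return {"access_token": f"access-{self.issued}", "expires_in": 3600,
                "refresh_token": self.valid}
```

In a real client the three stored fields would be written to durable storage in one step, so a crash between refresh and save cannot leave an already-spent refresh token on disk.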

Doug Tangren

Sep 6, 2016, 3:55:37 PM
to meetup-api
Wanted to follow up on this.

I have found a reproducible test case that affects tokens retrieved using a valid refresh token where the authorizing member proceeds to log out of the site. This seems to invalidate any refresh token associated with that member, including the one on hand. This is not by design. The fix should launch this week. Thank you for your patience.
 
