About refresh tokens and their lifetime


Salman Alam

Aug 17, 2021, 10:04:34 AM
to Etsy API
Hi guys, 

I would love to know how long "refresh_tokens" are valid.

It says in the documentation that the "access_token" is valid for 1 hour and we can use the "refresh_token" to get a new "access_token".

I want to know how long we can keep refreshing using the "refresh_token" so that our users don't have to grant access manually again.

Thanks

Jeff Schnitzer

Sep 14, 2021, 2:05:11 PM
to Etsy API
I'd like to bump this question and ask why refresh_tokens expire at all. It means we have to create an annoying process that refreshes the refresh tokens once every month or so.

This is not the way any other OAuth system I've ever used works.

Thanks,
Jeff

Craig Williams

Sep 15, 2021, 1:50:59 PM
to Etsy API
I'd also like to add to this and highlight the fact that the refresh-token returned in the refresh-grant request only has a lifespan of 3600 seconds, which is still only 1 hour. It's supposed to be 90 days.

Is anyone else having this issue?

Salman Alam

Sep 17, 2021, 9:23:45 AM
to Etsy API
Yeah, I noticed the same: the lifespan of the refresh token is only 3600 seconds. That means every hour we have to refresh the tokens from our side, heck, keep a record in our DB of when the refresh token will expire.

@Jeff: Yes, I haven't seen it either before where refresh tokens expire at all.



at

Sep 20, 2021, 8:51:25 AM
to Etsy API
This may be addressed on this GitHub issue: https://github.com/etsy/open-api/issues/116

Tima M

Sep 20, 2021, 8:51:25 AM
to Etsy API
Must be something to do with your accounts. I am still using a refresh token from ~3-4 weeks ago.

Craig Williams

Sep 24, 2021, 8:36:14 AM
to Etsy API
Okay, so basically the refresh token is valid for 90 days, meaning that you can use it to gain another access_token up to 90 days after you acquire it.

This doesn't mean that the access_token acquired from the refresh-grant request will be valid for 90 days.

We literally have to refresh every hour.

Madness.

Jeff Schnitzer

Oct 5, 2021, 8:50:27 AM
to Etsy API
Refreshing the access token every hour is pretty standard fare for OAuth. The idea is that the token can contain complete cryptographic permission so no lookups need to be performed server-side. They need to expire because there's no way to remove permissions otherwise.

We put access tokens in ephemeral storage (memcache) and only persist the refresh token. It's fine.

On the other hand, having to refresh the refresh token is *super* weird.

Jeff

Farshad Eshraghi

Oct 6, 2021, 1:32:53 PM
to Etsy API
I believe every time you get a new access token you also get back a new refresh token.

If that triggers a new 90-day lifespan then we effectively have a permanent refresh_token, provided the gap between the API calls is less than 90 days.

Jeff Schnitzer

Oct 7, 2021, 11:24:23 AM
to Etsy API
That is undesirable for a couple reasons:

 1) I can't necessarily guarantee an API call every 90 days, so I already need a batch process that refreshes refresh_tokens.
 2) Updating the refresh token requires an update to persistent storage. I'd rather not do that for every user every hour. refresh_token = persistent, access_token = ephemeral.

Jeff

david olick

Oct 7, 2021, 12:28:10 PM
to Etsy API V2
I'd also like to know what the purpose of it expiring every 90 days is. Like, I kind of understand that some expiration is more secure than no expiration... but "90 days" is right on the edge of "just often enough to be annoying".

I wouldn't trust an automated system to not run into any errors (network or otherwise) to actually run once every 89 days. So I would likely have it run once every 30 days, which would allow up to 2 failures before it would become an issue. That's a bit more often than I'd like. If an expiration date is necessary, I would personally prefer at least 6 months.

My personal opinion is that if you allow us to refresh a token indefinitely.... it seems kind of pointless to have an expiration at all.

There are way bigger security issues related to the current iteration of the API V3's OAuth 2.0 implementation than whether an expiration exists for tokens or not.



Stage Insider

Dec 9, 2021, 1:40:56 PM
to Etsy API
Did anyone manage to get to the bottom of the problem Craig and some others were having, where the refresh token has the same lifespan as the initial token? From what others have said on this thread and what it says in the docs, my understanding is that you should still be able to get a 90-day refresh token?

When I request the initial OAuth token it works fine and I get the response:

{"access_token":"TOKENISHERE","token_type":"Bearer","expires_in":3600,"refresh_token":"REFRESHTOKENISHERE"}

When I use the refresh_token parameter to request a refresh token, however, I get a similar response, with the expiry still the same rather than a 90-day token:
{"access_token":"TOKENISHERE","token_type":"Bearer","expires_in":3600,"refresh_token":"REFRESHTOKENISHER"}

To get this, I am making a POST request to https://www.etsy.com/oauth/connect in the format application/x-www-form-urlencoded with the body set as:

  'grant_type': 'refresh_token',
  'client_id': MYCLIENTID,
  'refresh_token': THEREFRESHTOKENFROMFIRSTREQUEST

Is this correct? I would massively appreciate it if anyone knows what I'm doing wrong, if this should return a 90-day token! I assume I am doing something wrong rather than this being intended, as in the docs here it even gives the example response with "expires_in": 86400, so I assume I should be getting a 90-day token on the refresh request?

Thanks
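The refresh grant Stage Insider describes, written out as an added example with the standard library (my code, not Stage Insider's and not Etsy's). The token endpoint is a parameter rather than a constant: the post above sends the grant to https://www.etsy.com/oauth/connect, and you should take the URL from Etsy's current documentation rather than from this thread. The client id, refresh token and JSON body used in the test are constructed placeholders. The point the decoder makes explicit is that expires_in describes the access token only; the response carries no lifetime for the refresh token, so the 90-day window has to be tracked by the caller from the time of issue.

```python
import json
import time
import urllib.parse
import urllib.request


def build_refresh_request(token_url, client_id, refresh_token):
    """Build the refresh_token grant: a POST with an application/x-www-form-urlencoded body.

    The body carries exactly the three fields the post above sends; this is a
    public-client flow, so there is no client_secret to add. token_url is an
    assumption supplied by the caller (check Etsy's docs for the real one).
    """
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }).encode("ascii")
    return urllib.request.Request(
        token_url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw, now):
    """Decode the token response and turn expires_in into an absolute time.

    expires_in is the lifetime of the ACCESS token (3600 s in this thread).
    There is no field describing the refresh token's lifetime, so nothing
    here claims one; the caller records when the new refresh token was
    issued and applies the documented window itself.
    """
    data = json.loads(raw)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    access_token = data["access_token"]
    refresh_token = data["refresh_token"]
    if not access_token or not refresh_token:
        raise ValueError("token response is missing a token value")
    expires_in = int(data["expires_in"])
    if expires_in <= 0:
        raise ValueError("non-positive expires_in: %d" % expires_in)
    return {
        "access_token": access_token,
        "access_expires_at": now + expires_in,  # absolute time, not a duration
        "refresh_token": refresh_token,         # rotated: this replaces the one you sent
        "refresh_issued_at": now,
    }


def refresh_access_token(token_url, client_id, refresh_token,
                         opener=urllib.request.urlopen):
    """Run the grant over the network. `opener` is injectable so tests stay offline."""
    request = build_refresh_request(token_url, client_id, refresh_token)
    with opener(request, timeout=30) as response:
        return parse_token_response(response.read(), int(time.time()))
```

Store access_expires_at, not expires_in: a duration copied into a database row says nothing once the row is read back an hour later, which is the confusion the 3600 in the refresh response is causing in this thread.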

jose fano

Apr 14, 2022, 3:46:59 PM
to Etsy API
I am facing this issue as well. Refresh tokens are only lasting 1 hour for me :(. It says it would be 90 days in the documentation!

jose fano

Apr 14, 2022, 3:46:59 PM
to Etsy API
So, no matter what, each access token will always have a lifespan of 1 hour max, even after refreshing the token?

Could you guys please confirm that? 

david olick

Apr 14, 2022, 3:58:30 PM
to Etsy API V2
Access tokens have a 1 hour life span.

You need to use the refresh token, which is good for 90 days, to generate a new access token.


John-Marc Ventimiglia

May 24, 2022, 9:01:55 AM
to Etsy API
A refresh token that lasts 1 year, like eBay, would be nice.

Nemchand Das

Sep 6, 2022, 8:53:45 AM
to Etsy API
What do we need to do if the refresh_token expires?
Do we need to start the authentication process again from the beginning?

Gareth Doherty

Sep 9, 2022, 10:15:44 AM
to Etsy API
If you let the refresh token expire then yes, a full re-authentication is needed.
But if people use your service regularly then it shouldn't expire, as you get a new refresh token every time you get a new access token.
And if people don't log in and use your service within 90 days then just make sure that you check refresh token expiry dates every so often and go get a new one periodically to make sure it doesn't expire.
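The token handling the thread converges on, as one added example (my code, not from any poster and not Etsy's): Jeff's split of a persistent refresh token and an ephemeral access token, Farshad's observation that every refresh rotates the refresh token and restarts its window, and Gareth's and David's periodic job that renews tokens for users who have gone quiet. The 1-hour and 90-day lifetimes are the figures the thread quotes from the docs; the 30-day renewal margin and the 60-second clock skew are my assumptions; refresh_fn is a caller-supplied callback standing in for the HTTP grant so the code runs offline, and the dicts stand in for a database table and a cache.

```python
import time

REFRESH_TOKEN_LIFETIME = 90 * 86400  # thread/docs: a refresh token is good for 90 days
RENEW_WITHIN = 30 * 86400            # assumption: renew once fewer than 30 days remain
ACCESS_SKEW = 60                     # assumption: treat an access token as expired 60 s early


class ReauthorizationRequired(Exception):
    """The stored refresh token has expired; the user must grant access again."""


class TokenStore:
    def __init__(self, refresh_fn, clock=time.time):
        # refresh_fn(refresh_token) -> (access_token, expires_in, new_refresh_token)
        self._refresh_fn = refresh_fn
        self._clock = clock
        self._persistent = {}  # user_id -> refresh token + computed expiry (the DB row)
        self._cache = {}       # user_id -> access token + expiry (memcache-style, disposable)

    def store_grant(self, user_id, access_token, expires_in, refresh_token):
        """Record the result of the initial authorization-code exchange."""
        now = self._clock()
        self._persistent[user_id] = {
            "refresh_token": refresh_token,
            "refresh_expires_at": now + REFRESH_TOKEN_LIFETIME,
        }
        self._cache[user_id] = {
            "access_token": access_token,
            "access_expires_at": now + expires_in,
        }

    def get_access_token(self, user_id):
        """Serve from cache while the access token is fresh, else refresh."""
        now = self._clock()
        cached = self._cache.get(user_id)
        if cached and cached["access_expires_at"] - ACCESS_SKEW > now:
            return cached["access_token"]
        return self._refresh(user_id, now)

    def _refresh(self, user_id, now):
        row = self._persistent.get(user_id)
        if row is None or row["refresh_expires_at"] <= now:
            raise ReauthorizationRequired(user_id)
        access_token, expires_in, new_refresh = self._refresh_fn(row["refresh_token"])
        # The grant returns a rotated refresh token with a fresh 90-day window.
        # Persist it at once: the response says nothing about whether the old
        # token stays valid, so the old value must not be kept as the record.
        self._persistent[user_id] = {
            "refresh_token": new_refresh,
            "refresh_expires_at": now + REFRESH_TOKEN_LIFETIME,
        }
        self._cache[user_id] = {
            "access_token": access_token,
            "access_expires_at": now + expires_in,
        }
        return access_token

    def refresh_expires_at(self, user_id):
        return self._persistent[user_id]["refresh_expires_at"]

    def renew_expiring(self):
        """Scheduled job: refresh tokens for users close to the 90-day edge.

        Returns (renewed, lost, failed). `lost` users already expired and need
        the full flow; `failed` hit a transient error and are retried next run.
        """
        now = self._clock()
        renewed, lost, failed = [], [], []
        for user_id, row in list(self._persistent.items()):
            if row["refresh_expires_at"] - now > RENEW_WITHIN:
                continue
            try:
                self._refresh(user_id, now)
                renewed.append(user_id)
            except ReauthorizationRequired:
                lost.append(user_id)
            except Exception:  # network or server error: leave the row untouched
                failed.append(user_id)
        return renewed, lost, failed
```

Run renew_expiring far more often than the margin (daily is plenty): with 30 days of slack, a run that fails costs nothing, which is David's reason for not waiting until day 89. The write to persistent storage on every hourly refresh is the cost Jeff objects to; it is unavoidable while the server rotates the refresh token on each grant, because the rotated value is the only one you can be sure still works.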
