Re: How many refresh tokens can be issued?


Jorge Luis Mendez

Mar 3, 2013, 7:27:10 PM
to gtm-o...@googlegroups.com
I just noticed that the proper place to ask this question is the OAuth2.0 developer forum (now on Stack Overflow).  I'll re-post there. 

Thank you.

On Sun, Mar 3, 2013 at 7:15 PM, Jorge Luis Mendez <jlmende...@gmail.com> wrote:
Hi,

I'm migrating an installed application from OAuth to OAuth2 and came across this paragraph:
 
Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working.
  • What is the limit per client/user combination?
  • How is it determined which client_id refresh token gets revoked if the user goes over the "across all clients" limit?
  • A given refresh token will never expire unless the user goes over either limit or revokes it?
 
Thank you in advance for your help,
Jorge Luis


Greg Robbins

Mar 3, 2013, 10:01:40 PM
to gtm-o...@googlegroups.com
If your application uses gtm-oauth2, you are unlikely to ever encounter the limits. They are in place so that applications do not incorrectly request refresh tokens repeatedly. The gtm-oauth2 library just obtains a refresh token once upon sign-in, and stores it persistently in the keychain for the user. If a refresh token for the user were to be abandoned (such as by uninstalling the app) then there is no need for the server to remember that token.
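
The behaviour discussed in this thread, as an added example that is not part of the original posts or of gtm-oauth2: a constructed toy server caps refresh tokens per client/user pair, and a client that stores its token is compared with one that requests a new token on every launch. The limit of 3 and every name in the code are assumptions; the real limits are not stated in this thread.

```python
from collections import OrderedDict
import itertools

# Assumption: the real per client/user limit is not stated on this page;
# 3 is a constructed value used only to make the eviction visible.
LIMIT_PER_CLIENT_USER = 3

class ToyAuthServer:
    """Constructed stand-in for an authorization server that caps refresh tokens."""
    def __init__(self, limit=LIMIT_PER_CLIENT_USER):
        self.limit = limit
        self.tokens = {}  # (client_id, user) -> OrderedDict of tokens, oldest first
        self._seq = itertools.count(1)

    def issue_refresh_token(self, client_id, user):
        bucket = self.tokens.setdefault((client_id, user), OrderedDict())
        token = f"rt-{next(self._seq)}"
        bucket[token] = True
        while len(bucket) > self.limit:
            bucket.popitem(last=False)  # over the limit: the oldest token stops working
        return token

    def is_valid(self, client_id, user, token):
        return token in self.tokens.get((client_id, user), {})

class Client:
    def __init__(self, server, client_id, user, store):
        self.server, self.client_id, self.user, self.store = server, client_id, user, store

    def launch(self, reuse_stored):
        # Correct behaviour: read the token from long-term storage and keep using it.
        token = self.store.get("refresh_token") if reuse_stored else None
        if token is None or not self.server.is_valid(self.client_id, self.user, token):
            token = self.server.issue_refresh_token(self.client_id, self.user)
            self.store["refresh_token"] = token
        return token

def simulate(reuse_stored, launches=5):
    """Return (number of tokens issued, whether the first token still works)."""
    server = ToyAuthServer()
    store = {}  # stand-in for persistent storage such as the keychain
    client = Client(server, "app-1", "alice", store)
    seen = [client.launch(reuse_stored) for _ in range(launches)]
    return len(set(seen)), server.is_valid("app-1", "alice", seen[0])

if __name__ == "__main__":
    print("stores and reuses token:", simulate(True))
    print("requests a token every launch:", simulate(False))
```
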