What's the validity of a refresh token? From my observation, refresh tokens expire in an day and then the user has to again authenticate his/her account which is tedious and redundant. How to prevent refresh tokens from expiring or give them longevity?
According to https://developer.microsoft.com/en-us/graph/docs/authorization/app_authorization when the access token is renewed using the refresh token, both tokens are extended. Presumably, then, as long as the refresh token is never let to expire, this could go on indefinitely.
This article includes information about the default lifetimes of tokens issued by Azure AD:
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
There are no defaults where refresh tokens expire in one day. They last at least 14 days minimum. You may be experiencing a different issue.
Related
Given an API which uses token authentication (e.g., JWT), how would a client store and cache the token? To remedy the effect of stolen tokens, tokens usually expire after a certain amount of time. However, almost all applications require only to login once. How do they realize authentication? Do their tokens have no validity period or do the apps automatically apply for a new token?
You can store your token in an Account Manager on Android. Regarding token validity all apps have this tokens expire from within hours to days depending on how fast you want to change them.
There is no specific way to handle expired tokens you will have to write your own custom logic for this. Generally what a lot of apps follow is if the user's token has expired they use an api that takes the old token and if the token is not a very old like if it expired within 1 - 2 days they give back a new token but if in any case the token is historic they will logout the user and ask him to again login by providing password and username via your basic OAuth mechanism.
In Android API, access token can be re-issued through refresh token.
Even after new access token is issued, the previous one is still valid for expire time(maybe 1 hour).
I am wondering if it is ok to request a new access token everytime I need regardless of how many access token is issued so that I don't mind if the access token is expired or not.
With my simple test, It seems OK. However, I am not sure it is still OK with production service.
Any expected issue, if I request a considerable amount of access token with a refresh token?
Otherwise, should I re-use access token until it is expired?
We have C# on server side, and mobile apps, on server side we have set refresh token expiration time to be 30 days,
"AbsoluteRefreshTokenLifetime": 2592000
On mobile side, every time when we open the app, because we have only stored refresh token, and because access token is empty, we send a call which returns 401 and after that we are refreshing our tokens and continue with new ones, and after 30 days when refresh token expires, we show dialog that session has been expired, and send users to login screen, to make a new login request.
But recently we have started to get feedbacks from mobile clients that they have started to see that session expired dialog earler then 30 days, just about 13-14 days.
Is it possible that because we are requesting new refresh tokens every time when app is opened, some day, server revokes all takens making them invalid?
What else can be the reason of this issue?
Could be refresh token usage setting,
RefreshTokenUsage setting - OneTime vs ReUse
According to identity server documentation, a refresh token can be one time use or reusable.
If it's reusable (ReUse), same refresh token will be valid for token refreshing (till it get expires).
But if its one time (OneTime) use, refresh token get invalidated as soon as you use it.
Now in the latter case, your application must do token refresh in a thread safe manner. There shouldn't be race conditions so that a refresh call would use old/used refresh token. So check this setting as well as check for race conditions
is there any tool which can be used to understand expiration time for refresh token and to read other info
Identity providers do not allow that (at least the ones I have seen). Refresh token settings are controlled by identity server configurations. So check deployment settings. For example, it could be a configuration issue related to AbsoluteRefreshTokenLifetime and SlidingRefreshTokenLifetime as mentioned in documentation
I get an Access Token & a Refresh Token from an Android App using a Post Request, i have read somewhere that the Refresh Token never expire & then i've seen that there is a Limit of 25 Refresh Token issued,
What is the meaning of this in the Google Developer Doc :
"Note: Save refresh tokens in secure long-term storage and continue to use them >as long as they remain valid. Limits apply to the number of refresh tokens that >are issued per client-user combination, and per user across all clients, and these limits are different. If your application requests enough refresh tokens >to go over one of the limits, older refresh tokens stop working."
Limit apply to Refresh Token > Get Access Token Operation ?
Limit apply to Prompt User > Get Refresh Token Operation ?
That's mean a user could use the Google Api on 25 Device Max. ? & what if the user use the same Account on +25 Devices ?
I Plan to have a Background Service which once started, will automatically get an Access Token using the Refresh Token saved to ensure to have always a valid Token,
Thanks for your Clarification
If you continue reading the Token Expiration section of this Google OAuth2 document, you can see the answer you need. Google indicates a few key things to consider in your application's architecture:
Refresh tokens are issued per client + user. This means for a given app, each user per client they can be issued 25 refresh tokens.
Limit the number of clients you authorize to 15 or 20 within your application code to prevent dropping refresh tokens previously issued for that particular client-user (oldest dropping off first)
Refresh tokens begin to drop off the tail end of available refresh tokens for a given client once the threshold of 25 has been exceeded
The threshold does not apply to service accounts, which you may wish to use for a backend application which does not have a client-facing UI. These are typically server-side ONLY applications which automate processes such as: data transfer, data sync/reconciliation, etc...
I would review the examples and documentation for your use case which are provided in the link above to better understand how to solve the problem for the appropriate app type: web server, client-side, or installed.
Additionally, I would highly recommend using one if their Client Libraries (available at the bottom of the page in the link above) since that should help to simply implementation.
This is not a problem. If a refresh token is not used for six months, it will become invalid, but using your refresh token to get a new access token can be done indefinitely, in theory.
This is the main problem. If you store the refresh token on the device of your users, and a user has 26 devices for some reason, the refresh token on the first device will become invalid once you get the 26th one.
In closing, it is good to have some fallback code for when a refresh token stops working for some reason, and re-prompt the user. The user might not use the device for six months, he might revoke the app's access or it might stop working for any other reason.
I wished to understand the facebook refresh cycle for the long term access token (60 days).
Although their doc implies
If I make a graph '/me' call a day after obtaining the access token, the token expiry would be updated or extended
but the same isn't the case. I tried querying the /me endpoint via their android SDK but the token expiry wasn't updated.
I came across a similar question Facebook: refresh AccessToken on Android but the suggestion didn't work for me.
Ps: Would be happy to share code but I doubt that is needed.
-------EDIT------
My use case involves only authentication at the client end , followed up with submitting the token to my server. This token is periodically used by my server to fetch updated user info. In order to accomplish this I need to ensure that the token never expires at the client. I don't wish to relogin the user on token expiry as far as possible.
The first line in the document you linked states:
Facebook's official SDKs manage the lifetime of tokens for you. When
using iOS, Android or our JavaScript SDK, the SDK will handle making
sure that tokens are refreshed before they expire.
If you read through the documentation, you can see that if the user uses the app, the SDK will refresh your token daily. If the user has not used it in 60 days, then he has to log in again to get a new token.
Altogether, no action is required on your side for refreshing the token manually.
Why do you think you have to refresh the token?