Question

My app needs to access a user's data even when the user is not present. So my request for an authorization code includes access_type=offline, meaning I will get back a refresh token if this is the first time the user authorizes my app. I save the refresh token and use it later on.

Everything works as expected and pretty well. But what bothers me is a statement in the documentation:

Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per use across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working.

If I understand this correctly, it is possible for the refresh token I save to become invalid if the user authorizes too many applications?! Is this correct? How should the application react in such situations? Ask for another refresh token?

Thanks in advance.


EDIT: I created a test PHP script that would request refresh tokens from 4 Google clients (by client I mean generated credentials in the Dev console). Three of them are linked to one gmail address and the fourth to a different one. For the first email, I generated 2 projects and for the first project, I generated 2 client ids. So:

  1. email X, project A, client id abc
  2. email X, project A, client id def
  3. email X, project B, client id mno
  4. email Y, project C, client id xyz

I started the test by requesting a refresh token for each client. Then I requested 24 more refresh tokens for the first client id abc. At this point all refresh tokens were valid even though for email X I had 27 refresh tokens. Then when I requested another refresh token for the client with id abc, the first one for this client got invalidated, thus hitting the 25 token limit per email/client combination. All other tokens were still valid and I managed to generate new tokens for client def. This client is for the same project A and the same email X. So I can't hit the second limit. What these statements mean is still a complete mystery to me:

https://developers.google.com/accounts/docs/OAuth2#expiration

If you need to authorize multiple programs, machines, or devices, one workaround is to limit the number of clients that you authorize per user account to 15 or 20. If you are a Google Apps admin, you can create additional admin users and use them to authorize some of the clients.

https://developers.google.com/accounts/docs/OAuth2WebServer#refresh

Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients.


Solution

It actually isn't as bad as you think. Refresh tokens are application specific, meaning specific to your client id. If the user installs your application a number of times then they have a number of refresh tokens related to your application.

I ran into this issue with an SSIS Connection manager: if the user had my connection manager running on more than 20 SSIS packages, the first one they installed would stop working.

https://developers.google.com/accounts/docs/OAuth2#expiration

Token expiration

You should write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons:
  • The user has revoked access.
  • The token has not been used for six months.
  • The user account has exceeded a certain number of token requests.

There is currently a 25-token limit per Google user account. If a user account has 25 valid tokens, the next authentication request succeeds, but quietly invalidates the oldest outstanding token without any user-visible warning.

If you need to authorize multiple programs, machines, or devices, one workaround is to limit the number of clients that you authorize per user account to 15 or 20. If you are a Google Apps admin, you can create additional admin users and use them to authorize some of the clients.

So as long as your application isn't being installed more than 15 times by the same user you shouldn't have a problem. If it is a problem you can suggest that they use a different / dedicated login for your application.
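The handling both the question and the answer point at (keep using the stored refresh token, and only send the user back through authorization when the server rejects it) as an added Python example; this is not code from the question, the answer, or Google's libraries. It assumes Google's token endpoint URL and that a dead refresh token comes back as an `invalid_grant` error; the `post` hook exists so the exchange can be simulated offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: Google's OAuth 2.0 token endpoint (not quoted on the page).
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


class ReauthorizationRequired(Exception):
    """The stored refresh token is no longer accepted; re-run the consent flow."""


def _https_post(form):
    """Real HTTPS POST of a form body; returns (status, decoded JSON body)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def refresh_access_token(client_id, client_secret, refresh_token, post=None):
    """Exchange a saved refresh token for an access token.

    Raises ReauthorizationRequired on invalid_grant, which is what you get when
    the token was revoked, unused for six months, or pushed out by the
    per-user / per-client token limit discussed above.
    """
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}
    status, body = (post or _https_post)(form)
    if status == 200 and "access_token" in body:
        return body["access_token"]
    if body.get("error") == "invalid_grant":
        raise ReauthorizationRequired(body.get("error_description", "invalid_grant"))
    raise RuntimeError(f"token endpoint returned {status}: {body}")


def get_access_token(store, user_id, client_id, client_secret, post=None):
    """Reuse the persisted refresh token; never request a new one per login.

    On invalid_grant the dead token is forgotten so the caller prompts the
    user to authorize again (with access_type=offline) and stores the result.
    """
    token = store.get(user_id)
    if token is None:
        raise ReauthorizationRequired("no refresh token stored for this user")
    try:
        return refresh_access_token(client_id, client_secret, token, post)
    except ReauthorizationRequired:
        store.pop(user_id, None)  # drop it; retrying the same token is pointless
        raise
```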

Licensed under: CC-BY-SA with attribution