Here's information on OAuth 2.0 token refresh.

The OAuth 2.0 standard, RFC 6749, defines the expires_in field of a token response as the number of seconds until the access token expires:

    expires_in: RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.

Token Refresh Handling: Method 1

Upon receiving a valid access_token, expires_in value, refresh_token, etc., a client can store an expiration time and check it on each request. The steps are:

1. Convert expires_in to an absolute expiration time (epoch seconds, an RFC 3339/ISO 8601 date-time, etc.) as soon as the token response arrives. expires_in is relative to the moment the response was generated, so it is only meaningful together with that moment.
2. On each resource request, compare the current time against that expiration time, and send a token refresh request before the resource request if the access_token has expired.

An example implementation is the Go oauth2 library (golang.org/x/oauth2), which converts the expires_in value to a time.Time held in the Token.Expiry field (serialized as an RFC 3339 date-time). The expiry field isn't defined by the OAuth 2.0 standard, but it is useful here. The library's Token.Valid() method also treats a token as expired 10 seconds before its Expiry, which leaves a margin for clock skew and request latency; your own check should leave a similar margin rather than comparing against the exact expiry.

When comparing times, make sure both values are in the same reference frame, for example by converting everything to epoch seconds or to UTC, so a time-zone difference doesn't make a live token look expired (or an expired token look live).

In addition to a new access_token, a refresh response may include a new refresh_token with an expiration further in the future. If you receive one, store it in place of the old refresh_token to extend the life of your session; servers that rotate refresh tokens may no longer accept the old one.

Token Refresh Handling: Method 2

Another method of handling token refresh is to refresh reactively, after receiving an invalid token authorization error. This can be combined with the previous approach or used by itself. If you attempt to use an expired access_token and get an invalid token error, perform a token refresh (if your refresh token is still valid) and retry the request.

Since different services use different error codes for expired tokens, you can either keep track of the code for each service or, as a simpler cross-service approach, attempt a single refresh when you get an authorization failure. Be careful how broad that trigger is: for bearer tokens, RFC 6750 specifies the signal as an HTTP 401 response carrying a WWW-Authenticate: Bearer error="invalid_token" challenge, whereas a 400, 403 or 404 generally isn't a token problem and won't be fixed by a refresh. Limit the reactive refresh to one attempt per request so a token the server keeps rejecting can't cause a refresh-and-retry loop.

Invalid Access Token Errors

Below are some error codes from popular services:

Facebook: Error 467 Invalid access token - Access token has expired, been revoked, or is otherwise invalid - Handle expired access tokens.

The Zapier service is one service that implements the refresh-after-authorization-error retry.

If your refresh_token has also expired, you will need to go through the authorization process again. The OAuth 2.0 spec doesn't define refresh token expiration or how to handle it; however, a number of APIs whose refresh tokens do expire return a refresh_token_expires_in property alongside refresh_token, which you can convert and track the same way as expires_in. A refresh request that fails with an invalid_grant error (RFC 6749 section 5.2) likewise means the refresh token is no longer usable and the user must re-authorize.
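The following Python is an added example, not code from the original article or from any of the libraries or services it mentions. It combines Method 1 and Method 2 in one client: expires_in (and, when present, the non-standard refresh_token_expires_in) is converted to absolute epoch seconds at receipt, the pre-request check refreshes 10 seconds early (the same margin as Go's oauth2 Token.Valid()), a 401 with the RFC 6750 error="invalid_token" challenge triggers exactly one refresh-and-retry, a rotated refresh_token is stored when the token endpoint returns one, and an expired or rejected refresh token surfaces as a ReauthorizationRequired error. The token endpoint and protected API are simulated in-process by the hypothetical FakeAuthServer class with a controllable clock so that the code runs offline; the class, method and token names are constructed for the example.

```python
import time

SKEW_SECONDS = 10  # refresh early so latency or clock skew never hands the API a dead token


class ReauthorizationRequired(Exception):
    """Refresh token missing, expired or rejected: re-run the authorization flow."""


class TokenStore:
    def __init__(self, token_response, now=time.time):
        self.now = now
        self.access_token = self.refresh_token = self.expires_at = self.refresh_expires_at = None
        self.update(token_response)

    def update(self, resp):
        # expires_in is relative to when the response was generated: convert it once to
        # absolute epoch seconds, which also avoids any time-zone ambiguity.
        issued = self.now()
        self.access_token = resp["access_token"]
        if "expires_in" in resp:
            self.expires_at = issued + int(resp["expires_in"])
        if "refresh_token" in resp:  # rotated refresh token: always keep the newest
            self.refresh_token = resp["refresh_token"]
            if "refresh_token_expires_in" in resp:  # non-standard field some APIs return
                self.refresh_expires_at = issued + int(resp["refresh_token_expires_in"])

    def access_token_valid(self):
        # No lifetime given -> assume valid and rely on the 401 handling (Method 2).
        return self.expires_at is None or self.now() + SKEW_SECONDS < self.expires_at

    def refresh_token_valid(self):
        if self.refresh_token is None:
            return False
        return self.refresh_expires_at is None or self.now() < self.refresh_expires_at


def is_invalid_token(status, headers):
    # RFC 6750 s3.1: an expired or revoked bearer token gets 401 plus WWW-Authenticate:
    # Bearer error="invalid_token". Other 4xx codes are not token problems; don't refresh.
    return status == 401 and 'error="invalid_token"' in headers.get("WWW-Authenticate", "")


class OAuthClient:
    def __init__(self, store, token_endpoint, resource_get):
        self.store, self.token_endpoint, self.resource_get = store, token_endpoint, resource_get

    def refresh(self):
        if not self.store.refresh_token_valid():
            raise ReauthorizationRequired("refresh token missing or expired")
        resp = self.token_endpoint.refresh(self.store.refresh_token)
        if "error" in resp:  # RFC 6749 s5.2, e.g. invalid_grant for a revoked refresh token
            raise ReauthorizationRequired(resp["error"])
        self.store.update(resp)

    def get(self, path):
        if not self.store.access_token_valid():  # Method 1: refresh before the request
            self.refresh()
        status, headers, body = self.resource_get(path, self.store.access_token)
        if is_invalid_token(status, headers):  # Method 2: one refresh-and-retry on 401
            self.refresh()
            status, headers, body = self.resource_get(path, self.store.access_token)
        return status, body


# Constructed, in-process stand-in (hypothetical) for the token endpoint and the protected
# API so the example runs offline; real code POSTs grant_type=refresh_token over HTTPS.
class FakeAuthServer:
    def __init__(self, now):
        self.now, self.access, self.refresh_tokens = now, {}, set()  # access_token -> expiry
        self.n = self.refresh_calls = 0

    def issue(self, expires_in=3600):
        self.n += 1
        tok, rt = f"at-{self.n}", f"rt-{self.n}"
        self.access[tok] = self.now() + expires_in
        self.refresh_tokens.add(rt)
        return {"access_token": tok, "token_type": "Bearer", "expires_in": expires_in, "refresh_token": rt}

    def refresh(self, rt):
        self.refresh_calls += 1
        if rt not in self.refresh_tokens:
            return {"error": "invalid_grant"}
        self.refresh_tokens.discard(rt)  # rotation: each refresh token is single-use
        return self.issue()

    def resource_get(self, path, token):
        if self.access.get(token, 0) <= self.now():
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, ""
        return 200, {}, f"data for {path}"


def demo():
    clock = [1_700_000_000]
    srv = FakeAuthServer(lambda: clock[0])
    client = OAuthClient(TokenStore(srv.issue(), lambda: clock[0]), srv, srv.resource_get)
    out = {"reauth": False, "fresh": (client.get("/me")[0], srv.refresh_calls)}  # (200, 0)
    clock[0] += 3595                                              # inside the 10 s skew window
    out["proactive"] = (client.get("/me")[0], srv.refresh_calls)  # (200, 1): Method 1 refreshed
    del srv.access[client.store.access_token]                     # token revoked server-side
    out["reactive"] = (client.get("/me")[0], srv.refresh_calls)   # (200, 2): Method 2 refreshed
    srv.refresh_tokens.clear()                                    # refresh token revoked as well
    clock[0] += 3600
    try:
        client.get("/me")
    except ReauthorizationRequired:
        out["reauth"] = True                                      # must re-authorize
    return out
```

demo() walks through the four situations the text describes: a fresh token needs no refresh, a token inside the skew window is refreshed before the call (Method 1), a token revoked server-side is detected from the 401 challenge and refreshed once (Method 2), and a refresh token the server no longer accepts ends in ReauthorizationRequired. In a real client, replace FakeAuthServer with an HTTPS POST to the token endpoint and a request to the API, and keep the same decision logic.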