Mixing
Does Google wait for an infinite refresh_token for cloud partner calls?
I'm working today on a partner environment related to Google Home.
Concretely, when I use google home to give orders on devices, Google calls my API to execute them (as it does with Philips Hue, Netatmo etc ...).
My problem is this: I use keycloak for OAuth management. the Google console has been configured to use it and it works. However my refresh_token expire and this forces the user to delete the linked account and then postpone it.
My question is this: Does Google expect to get an infinite refresh_token after giving its authorization_code? Or I missed something, because Google does not seem to restart the normal connection procedure.
Keycloak 3.2, Google homegraph action-on-google
oauth token actions-on-google google-home refresh-token
edited Dec 31 '18 at 14:18
Prisoner
35.8k33462
asked Dec 31 '18 at 11:55
Léo SEGRETAINLéo SEGRETAIN
1
add a comment |
I'm working today on a partner environment related to Google Home.
Concretely, when I use google home to give orders on devices, Google calls my API to execute them (as it does with Philips Hue, Netatmo etc ...).
My problem is this: I use keycloak for OAuth management. the Google console has been configured to use it and it works. However my refresh_token expire and this forces the user to delete the linked account and then postpone it.
My question is this: Does Google expect to get an infinite refresh_token after giving its authorization_code? Or I missed something, because Google does not seem to restart the normal connection procedure.
Keycloak 3.2, Google homegraph action-on-google
oauth token actions-on-google google-home refresh-token
edited Dec 31 '18 at 14:18
Prisoner
35.8k33462
asked Dec 31 '18 at 11:55
Léo SEGRETAINLéo SEGRETAIN
1
This seems odd. What evidence do you have that the refresh_token is expiring (or that it should)? Refresh tokens normally have no expiration. (How would you refresh an expired refresh token?)
– Prisoner
Dec 31 '18 at 14:19
I have the keycloak configuration, so i know that the SSO timeout has a max
– Léo SEGRETAIN
Jan 2 at 6:22
add a comment |
I'm working today on a partner environment related to Google Home.
Concretely, when I use google home to give orders on devices, Google calls my API to execute them (as it does with Philips Hue, Netatmo etc ...).
My problem is this: I use keycloak for OAuth management. the Google console has been configured to use it and it works. However my refresh_token expire and this forces the user to delete the linked account and then postpone it.
My question is this: Does Google expect to get an infinite refresh_token after giving its authorization_code? Or I missed something, because Google does not seem to restart the normal connection procedure.
Keycloak 3.2, Google homegraph action-on-google
oauth token actions-on-google google-home refresh-token
edited Dec 31 '18 at 14:18
Prisoner
35.8k33462
asked Dec 31 '18 at 11:55
Léo SEGRETAINLéo SEGRETAIN
1
I'm working today on a partner environment related to Google Home.
Concretely, when I use google home to give orders on devices, Google calls my API to execute them (as it does with Philips Hue, Netatmo etc ...).
My problem is this: I use keycloak for OAuth management. the Google console has been configured to use it and it works. However my refresh_token expire and this forces the user to delete the linked account and then postpone it.
My question is this: Does Google expect to get an infinite refresh_token after giving its authorization_code? Or I missed something, because Google does not seem to restart the normal connection procedure.
Keycloak 3.2, Google homegraph action-on-google
oauth token actions-on-google google-home refresh-token
oauth token actions-on-google google-home refresh-token
edited Dec 31 '18 at 14:18
Prisoner
35.8k33462
asked Dec 31 '18 at 11:55
Léo SEGRETAINLéo SEGRETAIN
1
edited Dec 31 '18 at 14:18
Prisoner
35.8k33462
asked Dec 31 '18 at 11:55
Léo SEGRETAINLéo SEGRETAIN
1
edited Dec 31 '18 at 14:18
Prisoner
35.8k33462
edited Dec 31 '18 at 14:18
Prisoner
35.8k33462
edited Dec 31 '18 at 14:18
Prisoner
35.8k33462
35.8k33462
asked Dec 31 '18 at 11:55
Léo SEGRETAINLéo SEGRETAIN
1
asked Dec 31 '18 at 11:55
Léo SEGRETAINLéo SEGRETAIN
1
asked Dec 31 '18 at 11:55
Léo SEGRETAINLéo SEGRETAIN
1
1
This seems odd. What evidence do you have that the refresh_token is expiring (or that it should)? Refresh tokens normally have no expiration. (How would you refresh an expired refresh token?)
– Prisoner
Dec 31 '18 at 14:19
I have the keycloak configuration, so i know that the SSO timeout has a max
– Léo SEGRETAIN
Jan 2 at 6:22
add a comment |
This seems odd. What evidence do you have that the refresh_token is expiring (or that it should)? Refresh tokens normally have no expiration. (How would you refresh an expired refresh token?)
– Prisoner
Dec 31 '18 at 14:19
I have the keycloak configuration, so i know that the SSO timeout has a max
– Léo SEGRETAIN
Jan 2 at 6:22
This seems odd. What evidence do you have that the refresh_token is expiring (or that it should)? Refresh tokens normally have no expiration. (How would you refresh an expired refresh token?)
– Prisoner
Dec 31 '18 at 14:19
This seems odd. What evidence do you have that the refresh_token is expiring (or that it should)? Refresh tokens normally have no expiration. (How would you refresh an expired refresh token?)
– Prisoner
Dec 31 '18 at 14:19
I have the keycloak configuration, so i know that the SSO timeout has a max
– Léo SEGRETAIN
Jan 2 at 6:22
I have the keycloak configuration, so i know that the SSO timeout has a max
– Léo SEGRETAIN
Jan 2 at 6:22
add a comment |
2 Answers
2
active
oldest
votes
Typically, yes, Google assumes the refresh_token has either no expiration or an extremely long expiration period. But it does acknowledge that the refresh_token can either expire or be revoked. In that case, you need to make sure your OAuth server returns HTTP code 400 with the OAuth error invalid_grant.
answered Jan 2 at 12:13
PrisonerPrisoner
35.8k33462
add a comment |
I personnaly consider a good practice to revoke refresh tokens after an period of inactivity.
This gives a pretty good user experience while keeping the database updated.
answered Mar 13 at 23:09
FabienFabien
345
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53987199%2fdoes-google-wait-for-an-infinite-refresh-token-for-cloud-partner-calls%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Typically, yes, Google assumes the refresh_token has either no expiration or an extremely long expiration period. But it does acknowledge that the refresh_token can either expire or be revoked. In that case, you need to make sure your OAuth server returns HTTP code 400 with the OAuth error invalid_grant.
answered Jan 2 at 12:13
PrisonerPrisoner
35.8k33462
add a comment |
Typically, yes, Google assumes the refresh_token has either no expiration or an extremely long expiration period. But it does acknowledge that the refresh_token can either expire or be revoked. In that case, you need to make sure your OAuth server returns HTTP code 400 with the OAuth error invalid_grant.
answered Jan 2 at 12:13
PrisonerPrisoner
35.8k33462
add a comment |
Typically, yes, Google assumes the refresh_token has either no expiration or an extremely long expiration period. But it does acknowledge that the refresh_token can either expire or be revoked. In that case, you need to make sure your OAuth server returns HTTP code 400 with the OAuth error invalid_grant.
answered Jan 2 at 12:13
PrisonerPrisoner
35.8k33462
Typically, yes, Google assumes the refresh_token has either no expiration or an extremely long expiration period. But it does acknowledge that the refresh_token can either expire or be revoked. In that case, you need to make sure your OAuth server returns HTTP code 400 with the OAuth error invalid_grant.
answered Jan 2 at 12:13
PrisonerPrisoner
35.8k33462
answered Jan 2 at 12:13
PrisonerPrisoner
35.8k33462
answered Jan 2 at 12:13
PrisonerPrisoner
35.8k33462
answered Jan 2 at 12:13
PrisonerPrisoner
35.8k33462
35.8k33462
add a comment |
add a comment |
I personnaly consider a good practice to revoke refresh tokens after an period of inactivity.
This gives a pretty good user experience while keeping the database updated.
answered Mar 13 at 23:09
FabienFabien
345
add a comment |
I personnaly consider a good practice to revoke refresh tokens after an period of inactivity.
This gives a pretty good user experience while keeping the database updated.
answered Mar 13 at 23:09
FabienFabien
345
add a comment |
I personnaly consider a good practice to revoke refresh tokens after an period of inactivity.
This gives a pretty good user experience while keeping the database updated.
answered Mar 13 at 23:09
FabienFabien
345
I personnaly consider a good practice to revoke refresh tokens after an period of inactivity.
This gives a pretty good user experience while keeping the database updated.
answered Mar 13 at 23:09
FabienFabien
345
answered Mar 13 at 23:09
FabienFabien
345
answered Mar 13 at 23:09
FabienFabien
345
answered Mar 13 at 23:09
FabienFabien
345
345
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53987199%2fdoes-google-wait-for-an-infinite-refresh-token-for-cloud-partner-calls%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
This seems odd. What evidence do you have that the refresh_token is expiring (or that it should)? Refresh tokens normally have no expiration. (How would you refresh an expired refresh token?)
– Prisoner
Dec 31 '18 at 14:19
I have the keycloak configuration, so i know that the SSO timeout has a max
– Léo SEGRETAIN
Jan 2 at 6:22