SyntaxFix

[oauth] Why do access tokens expire?

I am just getting started working with Google API and OAuth2. When the client authorizes my app I am given a "refresh token" and a short lived "access token". Now every time the access token expires, I can POST my refresh token to Google and they will give me a new access token.

My question is what is the purpose of the access token expiring? Why can't there just be a long lasting access token instead of the refresh token?

Also, does the refresh token expire?

See Using OAuth 2.0 to Access Google APIs for more info on Google OAuth2 workflow.

This question is related to oauth oauth-2.0 google-api google-oauth

The answer is

In addition to the other responses:

Once obtained, Access Tokens are typically sent along with every request from Clients to protected Resource Servers. This induce a risk for access token stealing and replay (assuming of course that access tokens are of type "Bearer" (as defined in the initial RFC6750).

Examples of those risks, in real life:

  • Resource Servers generally are distributed application servers and typically have lower security levels compared to Authorization Servers (lower SSL/TLS config, less hardening, etc.). Authorization Servers on the other hand are usually considered as critical Security infrastructure and are subject to more severe hardening.

  • Access Tokens may show up in HTTP traces, logs, etc. that are collected legitimately for diagnostic purposes on the Resource Servers or clients. Those traces can be exchanged over public or semi-public places (bug tracers, service-desk, etc.).

  • Backend RS applications can be outsourced to more or less trustworthy third-parties.

The Refresh Token, on the other hand, is typically transmitted only twice over the wires, and always between the client and the Authorization Server: once when obtained by client, and once when used by client during refresh (effectively "expiring" the previous refresh token). This is a drastically limited opportunity for interception and replay.

Last thought, Refresh Tokens offer very little protection, if any, against compromised clients.

A couple of scenarios might help illustrate the purpose of access and refresh tokens and the engineering trade-offs in designing an oauth2 (or any other auth) system:

Web app scenario

In the web app scenario you have a couple of options:

  1. if you have your own session management, store both the access_token and refresh_token against your session id in session state on your session state service. When a page is requested by the user that requires you to access the resource use the access_token and if the access_token has expired use the refresh_token to get the new one.

Let's imagine that someone manages to hijack your session. The only thing that is possible is to request your pages.

  1. if you don't have session management, put the access_token in a cookie and use that as a session. Then, whenever the user requests pages from your web server send up the access_token. Your app server could refresh the access_token if need be.

Comparing 1 and 2:

In 1, access_token and refresh_token only travel over the wire on the way between the authorzation server (google in your case) and your app server. This would be done on a secure channel. A hacker could hijack the session but they would only be able to interact with your web app. In 2, the hacker could take the access_token away and form their own requests to the resources that the user has granted access to. Even if the hacker gets a hold of the access_token they will only have a short window in which they can access the resources.

Either way the refresh_token and clientid/secret are only known to the server making it impossible from the web browser to obtain long term access.

Let's imagine you are implementing oauth2 and set a long timeout on the access token:

In 1) There's not much difference here between a short and long access token since it's hidden in the app server. In 2) someone could get the access_token in the browser and then use it to directly access the user's resources for a long time.

Mobile scenario

On the mobile, there are a couple of scenarios that I know of:

  1. Store clientid/secret on the device and have the device orchestrate obtaining access to the user's resources.

  2. Use a backend app server to hold the clientid/secret and have it do the orchestration. Use the access_token as a kind of session key and pass it between the client and the app server.

Comparing 1 and 2

In 1) Once you have clientid/secret on the device they aren't secret any more. Anyone can decompile and then start acting as though they are you, with the permission of the user of course. The access_token and refresh_token are also in memory and could be accessed on a compromised device which means someone could act as your app without the user giving their credentials. In this scenario the length of the access_token makes no difference to the hackability since refresh_token is in the same place as access_token. In 2) the clientid/secret nor the refresh token are compromised. Here the length of the access_token expiry determines how long a hacker could access the users resources, should they get hold of it.

Expiry lengths

Here it depends upon what you're securing with your auth system as to how long your access_token expiry should be. If it's something particularly valuable to the user it should be short. Something less valuable, it can be longer.

Some people like google don't expire the refresh_token. Some like stackflow do. The decision on the expiry is a trade-off between user ease and security. The length of the refresh token is related to the user return length, i.e. set the refresh to how often the user returns to your app. If the refresh token doesn't expire the only way they are revoked is with an explicit revoke. Normally, a log on wouldn't revoke.

Hope that rather length post is useful.

It is essentially a security measure. If your app is compromised, the attacker will only have access to the short-lived access token and no way to generate a new one.

Refresh tokens also expire but they are supposed to live much longer than the access token.

Source: Stackoverflow.com

Examples related to oauth

What are the main differences between JWT and OAuth authentication? Facebook OAuth "The domain of this URL isn't included in the app's domain" Facebook login message: "URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings." JWT (Json Web Token) Audience "aud" versus Client_Id - What's the difference? How to use OAuth2RestTemplate? What is the OAuth 2.0 Bearer Token exactly? Curl error 60, SSL certificate issue: self signed certificate in certificate chain Use Device Login on Smart TV / Console Setting Authorization Header of HttpClient How to include Authorization header in cURL POST HTTP Request in PHP?

Examples related to oauth-2.0

Using Axios GET with Authorization Header in React-Native App What are the main differences between JWT and OAuth authentication? How do I get an OAuth 2.0 authentication token in C# Using Postman to access OAuth 2.0 Google APIs Correct way to set Bearer token with CURL Using an authorization header with Fetch in React Native Getting "error": "unsupported_grant_type" when trying to get a JWT by calling an OWIN OAuth secured Web Api via Postman JWT (Json Web Token) Audience "aud" versus Client_Id - What's the difference? JWT refresh token flow Spring-Security-Oauth2: Full authentication is required to access this resource

Examples related to google-api

Google API authentication: Not valid origin for the client Using Postman to access OAuth 2.0 Google APIs How can I validate google reCAPTCHA v2 using javascript/jQuery? This IP, site or mobile application is not authorized to use this API key Is there a Google Keep API? OAuth2 and Google API: access token expiration time? invalid_grant trying to get oAuth token from google Alternative to google finance api How do I access (read, write) Google Sheets spreadsheets with Python? How to refresh token with Google API client?

Examples related to google-oauth

Google API authentication: Not valid origin for the client Using Postman to access OAuth 2.0 Google APIs Google OAUTH: The redirect URI in the request did not match a registered redirect URI Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN' invalid_client in google oauth2 OAuth2 and Google API: access token expiration time? Where can I get Google developer key Why do access tokens expire? Google Authenticator available as a public service? How can I verify a Google authentication API access token?

Tags

Progressive Mage Crystal-reports-12 Android-emulator Internet-options Wndproc Fromkeys Clr-hosting Taskfactory Priority-queue Git-tag Net-ssh Monomorphism-restriction Windows-2003-webserver Sound-recognition Ms-word Ulong Createtextnode Soundcloud Bresenham Directcompute Pypy Geonames Multiviews Qtreewidget Master-slave Access-log Edges Xla Weak-typing Keywordquery Ora-02291 Openmap Event-driven-design Pre-compilation Maildir Googlebot Trim Combres Playback Normalization Unit-conversion Hunchentoot Quotation-marks Aforge Trac Mql Avr Cldc Rhino-security Shape Face-detection Evb With-statement Addrange Ui-virtualization Qtoolbar Xmpppy Method-group Libumem N73 Uint64 Gtk-textbuffer Fast-vector-highlighter Debug-mode Right-aws Accounting Wcfserviceclient Data-recovery Pecl Removable Ml Transactionmanager Jquery-calculation Chainable Error-handling Numerical-integration Simpy Litespeed Tld Google-groups-api Start-page Msitransform Secure-scl Divider L2cap Qyoto Interface-builder Temporary-asp.net-files Expressionengine Grep Abort Build-definition Scriptlet Routevalues Hibernate-criteria Zimbra Iphone-security Mirroring Propel