# Google OAuth 2 Refresh Token

[TOC]

###### tags: `oauth` `token` `refresh` `google`

---

## Set authorization parameters [🔗](https://developers.google.com/identity/protocols/oauth2/web-server#creatingclient)

`access_type`

> Indicates whether your application can **refresh access tokens when the user is not present at the browser**. Valid parameter values are `online`, which is the default value, and **`offline`**.
>
> Set the value to **`offline`** if your application needs to **refresh access tokens when the user is not present at the browser**. This is the method of refreshing access tokens described later in this document. This value instructs the Google authorization server to return a refresh token and an access token the first time that your application exchanges an authorization code for tokens.

## Refreshing an access token for offline access [🔗](https://developers.google.com/identity/protocols/oauth2/web-server#offline)

> You can refresh an access token without prompting the user for permission (including when the user is not present) if you requested offline access to the scopes associated with the token.
>
> - If you use a Google API Client Library, the [client object](https://developers.google.com/identity/protocols/oauth2/web-server#creatingclient) refreshes the access token as needed as long as you configure that object for offline access.
> - If you are not using a client library, you need to set the **`access_type`** HTTP query parameter to **`offline`** when redirecting the user to Google's OAuth 2.0 server. In that case, Google's authorization server returns a refresh token when you exchange an authorization code for an access token. Then, if the access token **expires (or at any other time)**, you can use a refresh token to obtain a new access token.
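The quoted section says what `access_type=offline` does but not how it looks in the redirect, nor how to tell whether the code exchange actually handed back a refresh token. The following is an added example (not code from the page or from Google's client libraries): it builds the authorization redirect with `access_type=offline` and a `state` value, and checks the JSON returned by the authorization-code exchange for the `refresh_token` field the page says arrives on the first exchange. The authorization endpoint URL, the client ID, redirect URI and scope are assumptions for illustration; the token-exchange response dicts used in the demo are constructed.

```python
"""Request offline access in the Google OAuth 2.0 web-server flow.

Added example; AUTH_ENDPOINT and every ID/URI below are placeholders or
assumptions, not values taken from the page.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's web-server flow authorization endpoint (assumed here; the page does not name it).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, scopes, access_type="offline", state=None):
    """Return (url, state). Redirect the browser to `url`; keep `state` in the session
    and compare it with the `state` query parameter on the callback."""
    if access_type not in ("online", "offline"):
        raise ValueError("access_type must be 'online' or 'offline'")
    state = state or secrets.token_urlsafe(16)  # binds the callback to this browser session
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "access_type": access_type,   # 'offline' => refresh token on the first code exchange
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def auth_params(url):
    """Decode the query string of an authorization URL into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def requested_offline(url):
    """True when the redirect asked for a refresh token (access_type=offline)."""
    return auth_params(url).get("access_type") == "offline"


def check_code_exchange(resp, expected_offline):
    """Inspect the JSON body of the authorization-code exchange.

    Returns a list of problems; an empty list means the app got what it asked for.
    """
    problems = []
    if "access_token" not in resp:
        problems.append("no access_token in response")
    if expected_offline and "refresh_token" not in resp:
        # The quoted docs say the refresh token is returned the *first* time the code
        # is exchanged, so a missing field usually means one was issued earlier:
        # use the stored copy rather than sending the user through consent again.
        problems.append("offline access requested but no refresh_token returned; "
                        "use the previously stored refresh token or re-run consent")
    if not expected_offline and "refresh_token" in resp:
        problems.append("refresh_token returned for an online grant (unexpected)")
    return problems


if __name__ == "__main__":
    url, state = build_auth_url(
        "client-id.apps.googleusercontent.com",          # placeholder client ID
        "https://app.example/oauth/callback",            # placeholder redirect URI
        ["https://www.googleapis.com/auth/drive.metadata.readonly"],
    )
    print("redirect to:", url)
    # Constructed exchange responses, first consent vs. a repeat exchange:
    first = {"access_token": "ya29.x", "refresh_token": "1//r", "expires_in": 3599, "token_type": "Bearer"}
    repeat = {"access_token": "ya29.y", "expires_in": 3599, "token_type": "Bearer"}
    print("first exchange problems:", check_code_exchange(first, requested_offline(url)))
    print("repeat exchange problems:", check_code_exchange(repeat, requested_offline(url)))
```

The `state` value is not part of the page's discussion but any production redirect needs it; without it the callback can be forged by a third party who obtained a code for their own account.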
> To refresh an access token, your application sends an HTTPS POST request to Google's authorization server (`https://oauth2.googleapis.com/token`) that includes the following parameters:

| Field | Description |
| --------------- | ------------------------------------------------------------------------------------------------- |
| `client_id` | The **client ID** obtained from the API Console. |
| `client_secret` | The **client secret** obtained from the API Console. |
| `grant_type` | As defined in the OAuth 2.0 specification, this field's value must be set to **`refresh_token`**. |
| `refresh_token` | The **refresh token** returned from the authorization code exchange. |

:::info
```http
POST https://oauth2.googleapis.com/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

client_id={your_client_id}&
client_secret={your_client_secret}&
refresh_token={refresh_token}&
grant_type=refresh_token
```
:::

> As long as the user **has not revoked** the access granted to the application, the token server returns a JSON object that contains a new access token. The following snippet shows a sample response:

:::info
```json
{
  "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
  "expires_in": 3920,
  "scope": "https://www.googleapis.com/auth/drive.metadata.readonly",
  "token_type": "Bearer"
}
```
:::

> Note that there are limits on the number of refresh tokens that will be issued; **one limit per client/user combination**, and **another per user across all clients**. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working.

## Refresh token expiration [🔗](https://developers.google.com/identity/protocols/oauth2#expiration)

> A refresh token might stop working for one of these reasons:
>
> - The user has **revoked** your app's access.
> - The refresh token **has not been used for six months**.
> - The user **changed passwords** and **the refresh token contains Gmail scopes**.
> - The user account has **exceeded** a maximum number of granted (live) refresh tokens.
> - The user belongs to a Google Cloud Platform organization that has **session control policies** in effect.

> A **Google Cloud Platform** project with an OAuth consent screen configured for an **external** user type and a publishing status of "**Testing**" is issued a refresh token expiring in **7 days**.

> There is currently a limit of **50** refresh tokens per Google Account per OAuth 2.0 client ID. If the limit is reached, creating a new refresh token automatically invalidates the oldest refresh token without warning.

## OAuth2 and Google API: access token expiration time? [![StackOverflow](https://simpleicons.org/icons/stackoverflow.svg =28x28)](https://stackoverflow.com/questions/13851157/oauth2-and-google-api-access-token-expiration-time#answer-13851781)

> ... This refresh token never expires, and you can use it to exchange it for an access token as needed. Save the refresh tokens, and use them to get access tokens on-demand ...
>
> ... there are two easy ways to get the access token expiration time:
>
> 1. There is an **`expires_in`** parameter in the response when you exchange your refresh token (using the `/o/oauth2/token` endpoint). More details.
> 2. There is also an API that returns the remaining lifetime of the access_token: `https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={accessToken}`

## Calling the tokeninfo endpoint 🔗

## References

* [Spring Security 5: Persist and access OAuth2 refresh token<sup>![StackOverflow](https://simpleicons.org/icons/stackoverflow.svg =16x16)</sup>](https://stackoverflow.com/questions/60822062/spring-secuity-5-persist-and-access-oauth2-refresh-token)
*
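The "Refreshing an access token for offline access" section above gives the request and response shapes, the "Refresh token expiration" section lists the ways a stored refresh token dies, and the StackOverflow answer points at `expires_in` and the tokeninfo endpoint. The following added example (not code from the page, from Google's client libraries, or from the Spring Security thread) ties these together: it performs the `grant_type=refresh_token` POST the page quotes, turns the relative `expires_in` into an absolute expiry with a clock-skew margin, treats an `invalid_grant` error as "the refresh token is dead, send the user back through consent", and parses a tokeninfo body for the remaining lifetime. The transport is injectable so the block runs offline against canned bodies: `SAMPLE_OK` is the page's own sample response; `SAMPLE_REVOKED` is a constructed error body using `invalid_grant`, the OAuth 2.0 error code (RFC 6749 section 5.2) for an invalid, expired or revoked grant, which the page itself does not show.

```python
"""Refresh a Google access token with a stored refresh token.

Added example; the request shape (form POST to https://oauth2.googleapis.com/token
with client_id, client_secret, refresh_token, grant_type=refresh_token) is the one
the page quotes. `transport` is injectable so this runs offline with canned bodies.
"""
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
CLOCK_SKEW = 60  # seconds: treat the token as expired a little before expires_in runs out

# The page's sample refresh response, verbatim.
SAMPLE_OK = ('{"access_token": "1/fFAGRNJru1FTz70BzhT3Zg", "expires_in": 3920, '
             '"scope": "https://www.googleapis.com/auth/drive.metadata.readonly", '
             '"token_type": "Bearer"}')
# Constructed error body for a revoked/expired refresh token (not from the page).
SAMPLE_REVOKED = '{"error": "invalid_grant", "error_description": "Token has been expired or revoked."}'


class ReauthorizationRequired(Exception):
    """The refresh token no longer works (revoked, unused for six months, evicted by the
    50-per-client limit, 7-day Testing token, ...): the user must consent again."""


def https_post(url, form):
    """Real transport: form-encoded POST returning (status, body), also for 4xx replies."""
    req = Request(url, data=urlencode(form).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def canned(status, body):
    """Offline transport factory for the demo and tests (constructed, no network)."""
    return lambda url, form: (status, body)


def refresh_access_token(client_id, client_secret, refresh_token, transport=https_post, now=time.time):
    """Exchange a refresh token for a new access token.

    Returns {"access_token", "expires_at", "scope"}; expires_at is an absolute epoch
    time derived from Google's relative expires_in, minus CLOCK_SKEW.
    Raises ReauthorizationRequired on invalid_grant, RuntimeError on anything else.
    """
    form = {
        "client_id": client_id,
        "client_secret": client_secret,  # server-side only; never send it to a browser
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    }
    status, body = transport(TOKEN_ENDPOINT, form)
    data = json.loads(body)
    if status != 200 or "error" in data:
        error = data.get("error", f"http {status}")
        if error == "invalid_grant":
            raise ReauthorizationRequired(data.get("error_description", error))
        raise RuntimeError(f"token refresh failed: {error}")
    if data.get("token_type") != "Bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return {
        "access_token": data["access_token"],
        "expires_at": now() + int(data["expires_in"]) - CLOCK_SKEW,
        "scope": data.get("scope", ""),
    }


def refresh_or_reauth(client_id, client_secret, refresh_token, transport=https_post, now=time.time):
    """Value-returning wrapper: (token, None) on success, (None, reason) if the user must re-consent."""
    try:
        return refresh_access_token(client_id, client_secret, refresh_token, transport, now), None
    except ReauthorizationRequired as why:
        return None, str(why)


def needs_refresh(token, now=time.time):
    """True when there is no cached token or its skew-adjusted expiry has passed."""
    return token is None or now() >= token["expires_at"]


def remaining_lifetime(tokeninfo_body):
    """Parse a tokeninfo JSON body; return the remaining expires_in in seconds, 0 if invalid."""
    data = json.loads(tokeninfo_body)
    return 0 if "error" in data else int(data["expires_in"])


if __name__ == "__main__":
    token, why = refresh_or_reauth("client-id", "client-secret", "stored-refresh-token",
                                   transport=canned(200, SAMPLE_OK))
    print("refreshed; expires_at =", token["expires_at"], "needs refresh now?", needs_refresh(token))
    token, why = refresh_or_reauth("client-id", "client-secret", "stored-refresh-token",
                                   transport=canned(400, SAMPLE_REVOKED))
    print("re-consent needed:", why)
```

Keep the refresh token in long-term storage and refresh only when `needs_refresh` says so; re-running the consent flow on every login is what pushes an account towards the 50-token-per-client limit above, at which point the oldest stored token silently stops working.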