Does the OAuth 2 refresh token expire?

deweichen47 June 28, 2016

This question is in reference to Atlassian Documentation: OAuth on Bitbucket Cloud

I am trying to see how long I could save the refresh token in the database before I have to request authentication from the user again.


2 votes
Answer accepted
evzijst
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 28, 2016

Access tokens sure do expire, as per the RFC.

The access token response contains the expires_in parameter that tells you how long the token will be valid for.

You don't have to re-request authorization from the end user though, as you get a refresh token that can be used to get a new access token.

deweichen47 June 29, 2016

So after the refresh token expires and I request a new access token with the expired refresh token, what error should I be expecting? Also, do you know how long the refresh token lasts? In this case, the only way to get an access token is to ask the user to OAuth again.

evzijst
Atlassian Team
June 29, 2016

Sorry, refresh tokens do not expire. I entirely misread your question. Access tokens expire as per the spec, refresh tokens do not expire.

Alex Soto June 29, 2016

Are there any limits for an OAuth consumer for generating access tokens? Is there any cleanup that needs to be performed on the consumer side for tokens that expire and are then never used again?

evzijst
Atlassian Team
June 29, 2016

No. Access tokens don't actually represent any state on our side. They are merely an encrypted data structure that includes their owner, related consumer, list of scopes and expiration timestamp.

No cleanup by a service provider is necessary.

End users can actively revoke their authorization though. This is implemented on our end by us deleting their refresh token from the database which effectively orphans any remaining access tokens.
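As an added example (not code from this thread or from Bitbucket), a small Python token manager that applies the answers above: it derives an absolute expiry from `expires_in`, renews the access token a little early using the non-expiring refresh token, and treats a rejected refresh as the revocation case that only a fresh user authorization can fix. The token endpoint is a constructed stand-in, and signalling a rejected refresh with `PermissionError("invalid_grant")` is an assumption of this example, not Bitbucket's documented behaviour.

```python
import time
from dataclasses import dataclass

class ReauthorizationRequired(Exception):
    """Refresh token rejected (e.g. the user revoked access): a new authorization flow is needed."""

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute Unix time, computed from the response's expires_in

    @classmethod
    def from_response(cls, resp: dict, now: float, old_refresh: str = "") -> "TokenSet":
        # expires_in is a lifetime in seconds relative to when the response was issued;
        # keep the old refresh token if the endpoint does not hand out a new one.
        return cls(resp["access_token"], resp.get("refresh_token", old_refresh),
                   now + float(resp["expires_in"]))

class TokenManager:
    """Holds the long-lived refresh token and renews the short-lived access token on demand."""
    def __init__(self, tokens, refresh_call, clock=time.time, skew=30.0):
        self.tokens, self._refresh_call, self._clock, self._skew = tokens, refresh_call, clock, skew

    def access_token(self) -> str:
        now = self._clock()
        if now + self._skew < self.tokens.expires_at:  # renew early, never expire mid-request
            return self.tokens.access_token
        try:
            resp = self._refresh_call(self.tokens.refresh_token)
        except PermissionError as exc:
            # Revocation deletes the refresh token server-side and orphans the access tokens;
            # only sending the user through authorization again can recover from this.
            raise ReauthorizationRequired(str(exc)) from exc
        self.tokens = TokenSet.from_response(resp, now, self.tokens.refresh_token)
        return self.tokens.access_token

def make_fake_endpoint(revoked: set):
    """Constructed stand-in for the refresh_token grant, not Bitbucket's real endpoint."""
    issued = []
    def refresh(refresh_token: str) -> dict:
        if refresh_token in revoked:
            raise PermissionError("invalid_grant")  # assumed signal for a rejected refresh
        issued.append(refresh_token)
        return {"access_token": f"at-{len(issued)}", "expires_in": 7200}
    return refresh
```

Inject a real HTTP call in place of `make_fake_endpoint` and persist `TokenSet` in the database; the refresh token is the only value worth keeping long-term, since an access token can always be re-derived from it until the user revokes access.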
