OAuth access token and refresh token expiration times #12641
Comments
REFRESH_TOKEN_EXPIRATION_TIME refers to the refresh token not the access token Fix go-gitea#12641 Signed-off-by: Andrew Thornton <art27@cantab.net>
It looks like the docs are incorrect here. The name is correct - it sets the REFRESH_TOKEN_EXPIRATION_TIME not the ACCESS token expiration time. I've sent a PR to update them.
REFRESH_TOKEN_EXPIRATION_TIME refers to the refresh token not the access token Fix #12641 Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath thanks for the fix! That was quick 😄 Do you have any comment regarding the fact that there are two settings for those timeouts? How is a third party app expected to refresh the token since the refresh token will have expired long before the 3600 seconds mentioned in the payload as
The refresh token is in hours - not seconds
@zeripath I see. Do you think it would be possible to include in the OAuth response a property named
{
  "access_token": "e72e16c7e42f292c6912e7710c838347ae178b4a",
  "expires_in": "28800",
  "refresh_token": "r1.c1b4a2e77838347a7e420ce178f2e7c6912e1692",
  "refresh_token_expires_in": "15811200",
  "scope": "",
  "token_type": "bearer"
}
Description
The OAuth2 docs describe REFRESH_TOKEN_EXPIRATION_TIME as the Lifetime of an OAuth2 access token in hours. This seems incorrect looking at the name of the variable.
That aside, I find it strange to have different expiration times for the refresh token and the access token. When you get an access token via the OAuth authorization flow, you get this answer:
The expires_in property is the expiration time of the access token (per specification). Hence, a third party application would expect to be able to refresh the access token within 3600 seconds. But in reality, that won't work as the refresh token expires in REFRESH_TOKEN_EXPIRATION_TIME.
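Client-side handling of the two lifetimes discussed in this issue, as an added example that is not code from Gitea or from anyone in the thread: it reads `expires_in` as seconds, uses the proposed `refresh_token_expires_in` when the response carries it, and otherwise converts an hours-based refresh lifetime to seconds. The names `TokenState`, `parse_token_response` and `next_action`, the 730-hour value and the sample responses are assumptions constructed for illustration.

```python
import json
from dataclasses import dataclass

# Assumption: refresh token lifetime in hours, standing in for the server's
# REFRESH_TOKEN_EXPIRATION_TIME setting. 730 is a constructed sample value.
ASSUMED_REFRESH_HOURS = 730


@dataclass
class TokenState:
    access_token: str
    refresh_token: str
    access_expires_at: float   # epoch seconds
    refresh_expires_at: float  # epoch seconds


def parse_token_response(body, issued_at, refresh_hours=ASSUMED_REFRESH_HOURS):
    """Convert a token response into absolute expiry times (epoch seconds)."""
    data = json.loads(body)
    # expires_in is in seconds; accept a number or a numeric string.
    access_ttl = int(data["expires_in"])
    # refresh_token_expires_in is only proposed in the thread, so it may be
    # absent: fall back to the hours-based setting, converted to seconds.
    raw = data.get("refresh_token_expires_in")
    refresh_ttl = int(raw) if raw is not None else refresh_hours * 3600
    if access_ttl <= 0 or refresh_ttl <= 0:
        raise ValueError("token lifetimes must be positive")
    return TokenState(data["access_token"], data["refresh_token"],
                      issued_at + access_ttl, issued_at + refresh_ttl)


def next_action(state, now, skew=60.0):
    """Return 'use', 'refresh' or 'reauthorize' for the given time."""
    if now + skew < state.access_expires_at:
        return "use"
    if now + skew < state.refresh_expires_at:
        return "refresh"
    return "reauthorize"


# Constructed sample responses (placeholder token values, not real tokens).
WITHOUT_HINT = json.dumps({"access_token": "ACCESS-PLACEHOLDER",
                           "expires_in": 3600, "token_type": "bearer",
                           "refresh_token": "REFRESH-PLACEHOLDER"})
WITH_HINT = json.dumps({"access_token": "ACCESS-PLACEHOLDER",
                        "expires_in": "28800", "token_type": "bearer",
                        "refresh_token": "REFRESH-PLACEHOLDER",
                        "refresh_token_expires_in": "15811200"})
```

A client that stores both absolute expiry times can fall back to a fresh authorization as soon as the refresh token is past its lifetime, instead of retrying a refresh that the server will reject.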