Does the refresh token expire and if so when?

Backend  Unresolved  3  919
终归单人心
终归单人心 2020-12-29 06:46

I have read the PODIO documentation. I have in particular contemplated the following statement concerning use of the refresh_token:

This

3 answers
  •  一整个雨季
    2020-12-29 07:19

    TL;DR

    The refresh token will eventually expire or become invalid, and you should be ready for it.

    Two scenarios:

    1. User-facing service (e.g. authorization grant flow) - maybe OK to ignore the problem, because people are good at turning it off and on again, a.k.a. refreshing the page :-)

    2. Server-side long-running service (e.g. client credentials flow) - you should be ready for the situation when neither the access nor the refresh token works, and re-initiate the authentication from scratch.

    Real life

    Refresh tokens may or may not have an expiry time; depending on your provider they expire never, not as long as they're recently used, in months, or in hours. Relying on the fact that you will receive a new refresh token with the refreshed access token may be tricky.

    Timeout is not the only way in which a token may become invalid. Consider the following scenarios described by Auth0:

    While refresh tokens are often long-lived, the authorization server can invalidate them. Some of the reasons a refresh token may no longer be valid include:

    • the authorization server has revoked the refresh token
    • the user has revoked their consent for authorization
    • the refresh token has expired
    • the authentication policy for the resource has changed (e.g., originally the resource only used usernames and passwords, but now it requires MFA)

    To add to that, the tokens (access, refresh) can be stored in non-persistent storage in the authentication provider service, so if the service is restarted (crash, update) your tokens may be gone.

    Conclusion

    If you are writing a long-running service which needs to be reliable, don't rely on being able to refresh the granted authentication forever through refresh tokens.
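The server-side scenario from the answer above (reuse the access token while valid, refresh it when expired, and re-initiate authentication from scratch when the refresh token no longer works, whether it expired, was revoked, or vanished with a provider restart), as an added Python example that is not part of this thread or of the Podio API. `FakeAuthServer` is a constructed stand-in for a token endpoint, and `TokenClient`, `get_access_token` and the token strings are hypothetical names.

```python
import time
class AuthError(Exception): pass  # token endpoint rejected the request (e.g. invalid_grant)

class FakeAuthServer:
    """Constructed stand-in for an OAuth 2.0 token endpoint (not Podio's); restart()
    empties its refresh-token store, as a non-persistent store would on a crash."""
    def __init__(self, ttl=3600):
        self.ttl, self.refresh_tokens, self.counter = ttl, set(), 0
    def _issue(self, rotate_refresh):
        self.counter += 1
        body = {"access_token": f"at-{self.counter}", "expires_in": self.ttl}
        if rotate_refresh:  # a server MAY omit a new refresh token (RFC 6749 section 6)
            body["refresh_token"] = f"rt-{self.counter}"
            self.refresh_tokens.add(body["refresh_token"])
        return body
    def client_credentials(self):
        return self._issue(rotate_refresh=True)
    def refresh(self, refresh_token):
        if refresh_token not in self.refresh_tokens:
            raise AuthError("invalid_grant")  # revoked, expired or simply lost
        return self._issue(rotate_refresh=False)
    def restart(self):
        self.refresh_tokens.clear()

class TokenClient:
    """Keeps a usable access token for a long-running service: reuse while valid,
    refresh when expired, fall back to a new client-credentials grant otherwise."""
    def __init__(self, server, now=time.time):
        self.server, self.now = server, now
        self.access_token = self.refresh_token = None
        self.expires_at, self.full_logins = 0.0, 0

    def _store(self, body):
        self.access_token = body["access_token"]
        self.expires_at = self.now() + body["expires_in"] - 60  # clock-skew margin
        # keep the old refresh token when the response did not rotate it
        self.refresh_token = body.get("refresh_token", self.refresh_token)

    def get_access_token(self):
        if self.access_token and self.now() < self.expires_at:
            return self.access_token
        if self.refresh_token:
            try:
                self._store(self.server.refresh(self.refresh_token))
                return self.access_token
            except AuthError:
                self.refresh_token = None  # the refresh path is dead
        self._store(self.server.client_credentials())  # re-authenticate from scratch
        self.full_logins += 1
        return self.access_token
```

Injecting `now` lets a test advance a fake clock; in production the default `time.time` is used and the 60-second margin avoids presenting a token that expires in flight.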
