When does the the Google access_token expire

rmaurer · August 21, 2017, 9:37am

I have successfully enabled Auth0 for my AngularJs client application and I am using the Auth0 token to security access my C# Web API. I am not working on making calls from my API to the Google API in order to read my users calendar and other scopes they agreed to.
I followed the tutorials and I have successfully retrieved my user’s Google access_token by calling the Auht0 management API.

When does that access_token expire? I noticed that in the list of Identities, the google-oauth2 entry has an “expires_in” field that is equal to 3599.
Can this value be used?
Is it seconds or minutes?
It is 3599 from what? Is it from the user’s last Auth0 login date time?
Essentially, I am trying to figure out if I can look at that time and realize that the Google access_token has expired and get a new one.

paulimar.angulo · August 22, 2017, 7:20pm

As you can see here:

Identity Provider Access Tokens
Since this token is a third-party access token, the vality (hence, the expiration time) is managed by the IdP (in your case, Google OAuth 2.0)

The number in expires_in is in seconds and refer to the lifetime of the token.

You have the option for renew or revoke the token, as is shown here:

Identity Provider Access Tokens

rmaurer · August 23, 2017, 7:41am

Thanks so much for your response! I have two follow up questions.
Your explanation was as I had guessed, and that number is the number of seconds my token is valid for. But, when was the starting time? Is it from now or from when the user last logged into Auth0?

I am already pulling my idp tokens from api/users endpoint. I see that I need to add the access_type=offline to my request to get that to work. I am using this AngularJS client and I don’t know where to set that option. Do you have any idea?

paulimar.angulo · August 24, 2017, 3:13am

The starting time is when the token is generated, meaning when you call the endpoints /authorize or /oauth/token, so, when you make the API call, the token is generated and that token will be valid for the amount of seconds that the field expires_inis set to.

Are you using Lock? if so, the access_type=offline is added as an extra param in the auth.params object in the options (As shown here: https://auth0.com/docs/libraries/lock/v10/customization#auth-object-)

If you are using Auth0.js, you set the option in WebAuth, you can follow this quickstart to see the options.

rmaurer · August 24, 2017, 10:15am

Thanks. I realized yesterday I was user V9. I upgraded to v!0 and I was able to set the access_type correctly.