When a user's third-party consented access_token expires

I have this challenge and not sure how to correctly deal with it.

We have an application with an API, and we also have a third-party application that needs to access the API on behalf of its users. This third-party application must get its users' consent to access the first-party application.

What we are doing at the moment is to have the third-party application store the access_token provided during consent with the user's account. This enables the third-party app to then call the API on behalf of the user. This works fine, but the challenge comes in when that access_token expires and the third party still needs to call the API on the user's behalf. This consent should be given to the third-party application indefinitely. (The user still has the ability on the first-party app to revoke this grant at any time.)

How do we deal with it when the access_token expires, as we do not want to ask the user for their consent again? They will not be online, and it is not UX friendly.
Can we set this granted access_token to never expire, or do we also have to include offline_access and use a refresh token?

Hi @carolus,

It is not possible to configure an Access Token to never expire (the limit is 30 days). This is in order to follow OAuth 2.0 recommendations for securely handling bearer tokens:

Issue short-lived bearer tokens: Token servers SHOULD issue
short-lived (one hour or less) bearer tokens, particularly when
issuing tokens to clients that run within a web browser or other
environments where information leakage may occur. Using
short-lived bearer tokens can reduce the impact of them being
leaked.

Because Access Tokens are bearer tokens used to access an API on a user’s behalf, they must have an expiration in order to handle the threat of token capture and replay attacks.

This means that it'd be best to include offline_access and use a Refresh Token. The docs on Refresh Tokens explain how to do this, and there are examples for using Auth0 SDKs in the QuickStarts.

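As an added illustration (not code from this thread or from Auth0), here is how a third-party client can keep calling the API after the access_token expires: it requests offline_access at consent time, stores the refresh_token it receives, and later uses the refresh_token grant instead of asking the user again. The token endpoint below is a constructed stand-in, and the client id/secret, scope and token formats are assumptions.

```python
import time
from dataclasses import dataclass

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds at which access_token stops being valid

# Scope asked for at consent time: offline_access is what makes the authorization
# server return a refresh_token next to the short-lived access_token.
CONSENT_SCOPE = "openid read:profile offline_access"

REVOKED = {"rt_revoked"}  # constructed: refresh tokens the user has revoked

def fake_token_endpoint(form):
    """Constructed stand-in for POST /oauth/token handling the refresh_token grant."""
    if form.get("grant_type") != "refresh_token":
        return {"error": "unsupported_grant_type"}
    rt = form.get("refresh_token", "")
    if rt in REVOKED or not rt.startswith("rt_"):
        return {"error": "invalid_grant"}  # revoked or unknown: consent must be re-obtained
    n = int(rt[3:]) + 1
    # Rotate: a new refresh token is issued and the old one stops working.
    return {"access_token": f"at_{n}", "refresh_token": f"rt_{n}", "expires_in": 3600}

def refresh(tokens, token_endpoint, client_id, client_secret, now=time.time):
    """Exchange the stored refresh_token for a new access_token (RFC 6749 section 6)."""
    resp = token_endpoint({
        "grant_type": "refresh_token",
        "refresh_token": tokens.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if "error" in resp:
        raise PermissionError(resp["error"])
    return TokenSet(
        access_token=resp["access_token"],
        # Persist the rotated refresh token if one came back, else keep the old one.
        refresh_token=resp.get("refresh_token", tokens.refresh_token),
        expires_at=now() + resp["expires_in"],
    )

def get_valid_token(tokens, token_endpoint, client_id, client_secret, now=time.time, skew=60):
    """Return (tokens, access_token), refreshing when within `skew` seconds of expiry."""
    if tokens.expires_at - now() <= skew:
        tokens = refresh(tokens, token_endpoint, client_id, client_secret, now)
    return tokens, tokens.access_token
```

The caller must persist the returned TokenSet, since the refresh token is rotated on each use; a PermissionError means the user revoked the grant and the consent flow has to be started again.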

Thanks! …implemented.

